{"vuid":"VU#137544","idnumber":"137544","name":"Microsoft IIS FTP service searches all trusted domains for user accounts","keywords":["Microsoft","IIS","Internet Information Server","Internet Information Services","MS01-026","FTP","domain","MS01-031"],"overview":"The Microsoft IIS FTP Service contains a vulnerability that allows remote attackers to log in using domain accounts without providing a specific domain name.","clean_desc":"The Microsoft IIS FTP Service allows users to establish connections using either local accounts or Windows domain accounts. Connections made using a domain account require a username of the form \"domain\\user\" to distinguish them from local accounts. The FTP Service contains an access control vulnerability that causes the server to search all trusted domains for a matching domain account when the \"domain\" portion of the username contains a certain wildcard value. Once a matching domain account is found, the user must provide a correct password to gain access. This vulnerability requires the attacker to provide a correct password, so the most likely accounts to be targeted are those that contain a well-known username and default password. For example, if any of the domains trusted by the server contain an enabled Guest account with a default (null) password, the FTP Service will use that account to log the user in as \"Domain\\Guest\".","impact":"This vulnerability allows remote users to log in using a domain account without fully specifying the domain. This may result in either unauthorized file transfer access or information leakage.","resolution":"Apply a patch from your vendor Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.","workarounds":"Disable IIS FTP Service Sites that do not require the IIS FTP Service may disable it to prevent exploitation of this vulnerability.","sysaffected":"","thanks":"","author":"This document was written by Jeffrey P. Lanza and is based on information from Microsoft.","public":["http://www.kb.cert.org/vuls/id/573155","http://www.microsoft.com/technet/security/bulletin/MS01-026.asp","http://www.securityfocus.com/bid/2719"],"cveids":["CVE-2001-0335"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-05-15T17:45:04Z","publicdate":"2001-05-14T00:00:00Z","datefirstpublished":"2001-09-18T23:15:23Z","dateupdated":"2001-09-18T23:26:58Z","revision":12,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"10","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"4","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"10.125","cam_scorecurrentwidelyknown":"11.8125","cam_scorecurrentwidelyknownexploited":"15.1875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":10.125,"vulnote":null}