{"vuid":"VU#276653","idnumber":"276653","name":"Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow","keywords":["Microsoft","IIS","inetinfo.exe","NLST","directory tokenization"],"overview":"The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.","clean_desc":"IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using the Anonymous account or another account that is available to the attacker.","impact":"A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.","resolution":"We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:","workarounds":"Disable anonymous FTP write access: Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.","sysaffected":"","thanks":"This vulnerability was publicly disclosed by Kingcope.","author":"This document was written by Will Dormann.","public":["http://www.microsoft.com/technet/security/advisory/975191.mspx","http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html","http://milw0rm.com/exploits/9541"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-08-31T15:44:18Z","publicdate":"2009-08-31T00:00:00Z","datefirstpublished":"2009-08-31T20:37:54Z","dateupdated":"2009-09-02T12:47:12Z","revision":24,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"10","cam_impact":"10","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"20.8125","cam_scorecurrentwidelyknown":"20.8125","cam_scorecurrentwidelyknownexploited":"32.0625","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"Not Defined (ND)","cvss_reportconfidence":"Not Defined (ND)","cvss_collateraldamagepotential":"Not Defined (ND)","cvss_targetdistribution":"Not Defined (ND)","cvss_securityrequirementscr":"Not Defined (ND)","cvss_securityrequirementsir":"Not Defined (ND)","cvss_securityrequirementsar":"Not Defined (ND)","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)","metric":20.8125,"vulnote":null}