Microsoft officials are reporting limited attacks targeting a zero-day vulnerability in the FTP service in Internet Information Services.
The IIS vulnerability warning follows the release of new exploit code that can be used to create a DoS (denial of service) condition on Windows XP and Windows Server 2003 without requiring Write access. Also, a new proof of concept allowing a DoS was disclosed Sept. 2 that affects FTP 6, which shipped with Windows Vista and Windows Server 2008.
Microsoft first issued an advisory on the bug Sept. 1, a day after exploit code for the vulnerability was posted on Milw0rm. In addition to a DoS, if the bug is successfully exploited it can allow remotely authenticated users to execute arbitrary code via a crafted NLST command that uses wildcards.
“An attacker with access to FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0,” Microsoft warned. “In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur.”
Microsoft stated Aug. 31 that a patch for the vulnerability is on the way. In the meantime, information on mitigations and workarounds has been made available. Microsoft advised administrators to modify NTFS (NT File System) permissions to disallow directory creation by FTP users and to disallow FTP write access to untrusted anonymous users. Users can also upgrade to FTP Service 7.5.
A fix for the vulnerability is not expected to be included in the Sept. 8 Patch Tuesday release.