Microsoft Warns of IIS FTP Vulnerability Exposed to Attacks

Microsoft has released a new security advisory warning of a critical flaw in the FTP component of Microsoft Internet Information Services (IIS). The flaw lets a remote user who can log in to the FTP service run code of their choosing on the hosting server.

According to the advisory and an accompanying Microsoft Security Research and Defense blog post, when the FTP service in IIS 5.0, 5.1 or 6.0 lists a directory with a very long name, a stack-based buffer overflow can occur, and an attacker can use that overflow to execute code remotely. The post adds that the FTP service in IIS 7.0, shipped with Windows Vista and Windows Server 2008, is not affected.

An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the LocalSystem account. To be exposed, an FTP server must let untrusted users log in and create directories, because the attacker first has to create the directory with the overly long name and then have the server list it.

Microsoft says that a patch is not yet available, and acknowledges that detailed exploit code has been published online. The company says it is not aware of the code being used in active attacks against servers. Microsoft did provide a list of workarounds that customers can apply in the meantime, chief among them preventing untrusted FTP users from creating directories.

Other temporary measures include turning off the FTP service where it is not needed, removing the Write permission for untrusted users in the IIS settings, and using NTFS ACLs to block the creation of new directories under the FTP root.

In IIS Manager the Write permission is a checkbox on the Home Directory tab of the FTP site's properties dialog in IIS 5 and 6; clearing it stops the server from accepting directory-creation commands from FTP users.
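The three workarounds above can also be applied from a script. The following PowerShell is an added example and is not from the advisory or from Microsoft; it assumes the FTP service is the Windows service MSFTPSVC, that the affected site is the default FTP site (metabase ID 1) rooted at C:\Inetpub\ftproot, and that untrusted logins run as the built-in anonymous account IUSR_<hostname>. The ADSI path and AccessWrite property are the IIS 5/6 metabase settings behind the Write checkbox in IIS Manager.

```powershell
# Added example, not part of the advisory or article. Applies the advisory's
# workarounds on an IIS 5/6 host. Assumptions (adjust for your server):
#   - the FTP service is MSFTPSVC
#   - the affected site is metabase site ID 1, rooted at C:\Inetpub\ftproot
#   - untrusted users log in as the anonymous account IUSR_<hostname>
# Run from an elevated PowerShell prompt.

param(
    [int]    $SiteId    = 1,
    [string] $FtpRoot   = 'C:\Inetpub\ftproot',
    [string] $Untrusted = "IUSR_$env:COMPUTERNAME",
    [switch] $DisableService   # workaround 1: turn FTP off entirely
)

# Workaround 1: stop and disable the FTP service if it is not needed at all.
if ($DisableService) {
    Stop-Service -Name MSFTPSVC -Force
    Set-Service  -Name MSFTPSVC -StartupType Disabled
    "MSFTPSVC stopped and disabled; nothing else to do."
    return
}

# Workaround 2: clear the site's Write permission in the IIS metabase.
# This is the same flag as the "Write" checkbox on the FTP site's Home
# Directory tab in IIS Manager. Without it the server refuses MKD, so an
# untrusted user cannot create the long directory name in the first place.
$root = [ADSI]"IIS://localhost/MSFTPSVC/$SiteId/ROOT"
$root.AccessWrite = $false
$root.SetInfo()
"Site $SiteId AccessWrite is now: $($root.AccessWrite)"

# Workaround 3: NTFS deny on directory creation for the untrusted account,
# as a second layer in case Write is re-enabled or another site allows it.
#   (CI) = the deny ACE is inherited by subdirectories
#   AD   = the "append data / add subdirectory" right, i.e. create folder
# Files are unaffected, so legitimate uploads (if any) still work.
icacls $FtpRoot /deny "${Untrusted}:(CI)(AD)"

# Show the resulting ACL so the deny entry can be verified by eye.
icacls $FtpRoot
```

Run it once without switches to apply workarounds 2 and 3, or with -DisableService on hosts where FTP is not needed at all. After applying it, a quick check is to log in with the untrusted account and issue an FTP `mkdir` command; the server should reject it.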
