CVE-2009-3023 - Classic Buffer Overflow vulnerability in Microsoft Internet Information Server 5.0/5.1/6.0
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 5 |
OS | | 18 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Exploit-Db
description | Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k). CVE-2009-3023. Remote exploit for windows platform |
file | exploits/windows/remote/9541.pl |
id | EDB-ID:9541 |
last seen | 2016-02-01 |
modified | 2009-08-31 |
platform | windows |
port | 21 |
published | 2009-08-31 |
reporter | kingcope |
source | https://www.exploit-db.com/download/9541/ |
title | Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit win2k |
type | remote |

description | Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4). CVE-2009-3023. Remote exploit for windows platform |
file | exploits/windows/remote/9559.pl |
id | EDB-ID:9559 |
last seen | 2016-02-01 |
modified | 2009-09-01 |
platform | windows |
port | 21 |
published | 2009-09-01 |
reporter | muts |
source | https://www.exploit-db.com/download/9559/ |
title | Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit win2k sp4 |
type | remote |

description | Microsoft IIS FTP Server NLST Response Overflow. CVE-2009-3023. Remote exploit for windows platform |
id | EDB-ID:16740 |
last seen | 2016-02-02 |
modified | 2010-11-12 |
published | 2010-11-12 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16740/ |
title | Microsoft IIS FTP Server NLST Response Overflow |
Metasploit
description | This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) |
id | MSF:EXPLOIT/WINDOWS/FTP/MS09_053_FTPD_NLST |
last seen | 2020-06-10 |
modified | 2017-07-24 |
published | 2010-10-05 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb |
title | MS09-053 Microsoft IIS FTP Server NLST Response Overflow |
Msbulletin
bulletin_id | MS09-053 |
bulletin_url | |
date | 2009-10-13T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 975254 |
knowledgebase_url | |
severity | Important |
title | Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS09-053.NASL |
description | The remote host has a version of IIS whose FTP service is affected by one or both of the following vulnerabilities: (1) by sending specially crafted list commands to the remote Microsoft FTP service, an attacker is able to cause the service to become unresponsive (CVE-2009-2521); (2) a flaw in the way the installed Microsoft FTP service in IIS handles list commands can be exploited to execute remote commands in the context of the LocalSystem account with IIS 5.0 under Windows 2000, or to cause the FTP server to stop and become unresponsive with IIS 5.1 under Windows XP or IIS 6.0 under Windows 2003 (CVE-2009-3023). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 42109 |
published | 2009-10-13 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/42109 |
title | MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(42109);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2009-2521", "CVE-2009-3023");
  script_bugtraq_id(36273, 36189);
  script_xref(name:"EDB-ID", value:"17476");
  script_xref(name:"IAVB", value:"2009-B-0052");
  script_xref(name:"MSFT", value:"MS09-053");
  script_xref(name:"MSKB", value:"975254");
  script_xref(name:"CERT", value:"276653");
  script_xref(name:"EDB-ID", value:"9541");
  script_xref(name:"EDB-ID", value:"9559");
  script_xref(name:"EDB-ID", value:"9587");
  script_xref(name:"EDB-ID", value:"16740");
  script_xref(name:"EDB-ID", value:"17476");

  script_name(english:"MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)");
  script_summary(english:"Checks version of ftpsvc2.dll");

  script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:"The remote host has a version of IIS whose FTP service is affected by one or both of the following vulnerabilities : - By sending specially crafted list commands to the remote Microsoft FTP service, an attacker is able to cause the service to become unresponsive. (CVE-2009-2521) - A flaw in the way the installed Microsoft FTP service in IIS handles list commands can be exploited to execute remote commands in the context of the LocalSystem account with IIS 5.0 under Windows 2000 or to cause the FTP server to stop and become unresponsive with IIS 5.1 under Windows XP or IIS 6.0 under Windows 2003. (CVE-2009-3023)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and 7.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-053';
kb = '975254';
kbs = make_list(kb);

if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ftpsvc2.dll", version:"7.0.6002.22219", min_version:"7.0.6002.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"ftpsvc2.dll", version:"7.0.6002.18107", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"ftpsvc2.dll", version:"7.0.6001.22516", min_version:"7.0.6001.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"ftpsvc2.dll", version:"7.0.6001.18327", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"ftpsvc2.dll", version:"7.0.6000.21123", min_version:"7.0.6000.20000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"ftpsvc2.dll", version:"7.0.6000.16923", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||

  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"ftpsvc2.dll", version:"6.0.3790.4584", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||

  # Windows XP
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.5875", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"ftpsvc2.dll", version:"6.0.3790.4584", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.3624", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||

  # Windows 2000
  hotfix_is_vulnerable(os:"5.0", file:"ftpsvc2.dll", version:"5.0.2195.7336", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
NASL family | FTP |
NASL id | IIS5_FTP_OVERFLOW.NASL |
description | The remote FTP server allows anonymous users to create directories in one or more locations. The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 40825 |
published | 2009-10-13 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/40825 |
title | MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(40825);
  script_version("1.28");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2009-3023");
  script_bugtraq_id(36189);
  script_xref(name:"CERT", value:"276653");
  script_xref(name:"IAVB", value:"2009-B-0052");
  script_xref(name:"MSFT", value:"MS09-053");
  script_xref(name:"MSKB", value:"975191");
  script_xref(name:"MSKB", value:"975254");

  script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)");
  script_summary(english:"Checks the version of IIS FTP");

  script_set_attribute(attribute:"synopsis", value:"The remote anonymous FTP server seems vulnerable to an arbitrary code execution attack.");
  script_set_attribute(attribute:"description", value:"The remote FTP server allows anonymous users to create directories in one or more locations. The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and 7.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(119);
  script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_family(english:"FTP");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencie("ftp_anonymous.nasl", "ftp_writeable_directories.nasl");
  script_require_ports("Services/ftp", 21);
  script_require_keys("ftp/tested_writeable_dir");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include('ftp_func.inc');

# The plugin body below is disabled by this early exit in the published version.
exit(0);

port = get_ftp_port(default: 21);
dir = get_kb_item("ftp/"+port+"/tested_writeable_dir");
if (! dir) exit(0, "No writeable dir found on port"+port+".");

banner = get_ftp_banner(port:port);
if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner");

if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) )
  security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server');
else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner ))
{
  soc = open_sock_tcp(port);
  if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+".");
  banner = ftp_recv_line(socket:soc);
  if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) )
    exit(1, "Could not log into the remote FTP server on port "+port+".");
  send(socket:soc, data:'STAT\r\n');
  r = ftp_recv_line(socket:soc);
  if ( "Microsoft Windows NT FTP Server status" >< r && ("Version 5.0" >< r || "Version 5.1" >< r ) )
    security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.');
}
```
Oval
accepted | 2011-10-31T04:04:12.823-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:6080 |
status | accepted |
submitted | 2009-10-13T13:00:00 |
title | IIS FTP Service RCE and DoS Vulnerability |
version | 38 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/94532/ms09_053_ftpd_nlst.rb.txt |
id | PACKETSTORM:94532 |
last seen | 2016-12-05 |
published | 2010-10-06 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/94532/Microsoft-IIS-FTP-Server-NLST-Response-Overflow.html |
title | Microsoft IIS FTP Server NLST Response Overflow |
Saint
bid | 36189 |
description | Microsoft IIS FTP Server NLST Command Remote Overflow |
osvdb | 57589 |
title | iis_ftp_server_nlst |
type | remote |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 36189. CVE(CAN) ID: CVE-2009-3023. Microsoft Internet Information Services (IIS) is a network information server bundled with Microsoft Windows that includes HTTP service functionality. The FTP server embedded in Microsoft IIS contains a stack overflow vulnerability. If a remote attacker issues an FTP NLST (NAME LIST) command containing wildcards against a directory with a specially crafted name, the overflow is triggered, leading to arbitrary code execution. A directory with such a special name can only be created when the attacker has write access. Affected: Microsoft IIS 6.0, Microsoft IIS 5.0. Vendor patch: Microsoft. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: http://www.microsoft.com/technet/security/ |
id | SSV:12175 |
last seen | 2017-11-19 |
modified | 2009-09-02 |
published | 2009-09-02 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-12175 |
title | Microsoft IIS FTPd Service NLST Command Remote Stack Overflow Vulnerability |

bulletinFamily | exploit |
description | BUGTRAQ ID: 36189. CVE ID: CVE-2009-3023. Microsoft Internet Information Services (IIS) is a network information server bundled with Microsoft Windows that includes HTTP service functionality. The FTP server embedded in Microsoft IIS contains a stack overflow vulnerability. If a remote attacker issues an FTP NLST (NAME LIST) command containing wildcards against a directory with a specially crafted name, the overflow is triggered, leading to denial of service or arbitrary code execution. A directory with such a special name can only be created when the attacker has write access. Affected: Microsoft IIS 6.0, Microsoft IIS 5.1, Microsoft IIS 5.0. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: (1) modify NTFS file system permissions to prevent FTP users from creating directories; (2) deny write access to FTP for untrusted anonymous users. Vendor patch: Microsoft has released a security bulletin (MS09-053) and the corresponding patch: MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254). Link: http://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx?pf=true |
id | SSV:12476 |
last seen | 2017-11-19 |
modified | 2009-10-16 |
published | 2009-10-16 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-12476 |
title | Microsoft IIS FTPd Service NLST Command Remote Stack Overflow Vulnerability (MS09-053) |
References
- http://www.securityfocus.com/bid/36189
- http://www.vupen.com/english/advisories/2009/2481
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- http://www.kb.cert.org/vuls/id/276653
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6080
- http://www.exploit-db.com/exploits/9559
- http://www.exploit-db.com/exploits/9541
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
- http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ975191