CVE-2009-3023 - Classic Buffer Overflow vulnerability in Microsoft Internet Information Server

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, microsoft, CWE-120, critical, nessus, exploit available, metasploit

Summary

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • description: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k). CVE-2009-3023. Remote exploit for windows platform
    file: exploits/windows/remote/9541.pl
    id: EDB-ID:9541
    last seen: 2016-02-01
    modified: 2009-08-31
    platform: windows
    port: 21
    published: 2009-08-31
    reporter: kingcope
    source: https://www.exploit-db.com/download/9541/
    title: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit win2k
    type: remote
  • description: Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4). CVE-2009-3023. Remote exploit for windows platform
    file: exploits/windows/remote/9559.pl
    id: EDB-ID:9559
    last seen: 2016-02-01
    modified: 2009-09-01
    platform: windows
    port: 21
    published: 2009-09-01
    reporter: muts
    source: https://www.exploit-db.com/download/9559/
    title: Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit win2k sp4
    type: remote
  • description: Microsoft IIS FTP Server NLST Response Overflow. CVE-2009-3023. Remote exploit for windows platform
    id: EDB-ID:16740
    last seen: 2016-02-02
    modified: 2010-11-12
    published: 2010-11-12
    reporter: metasploit
    source: https://www.exploit-db.com/download/16740/
    title: Microsoft IIS FTP Server NLST Response Overflow

Metasploit

description: This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account).
id: MSF:EXPLOIT/WINDOWS/FTP/MS09_053_FTPD_NLST
last seen: 2020-06-10
modified: 2017-07-24
published: 2010-10-05
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb
title: MS09-053 Microsoft IIS FTP Server NLST Response Overflow

Msbulletin

bulletin_id: MS09-053
bulletin_url:
date: 2009-10-13T00:00:00
impact: Remote Code Execution
knowledgebase_id: 975254
knowledgebase_url:
severity: Important
title: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS09-053.NASL
    description: The remote host has a version of IIS whose FTP service is affected by one or both of the following vulnerabilities: - By sending specially crafted list commands to the remote Microsoft FTP service, an attacker is able to cause the service to become unresponsive. (CVE-2009-2521) - A flaw in the way the installed Microsoft FTP service in IIS handles list commands can be exploited to execute remote commands in the context of the LocalSystem account with IIS 5.0 under Windows 2000 or to cause the FTP server to stop and become unresponsive with IIS 5.1 under Windows XP or IIS 6.0 under Windows 2003. (CVE-2009-3023)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42109
    published: 2009-10-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42109
    title: MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(42109);
      script_version("1.25");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-2521", "CVE-2009-3023");
      script_bugtraq_id(36273, 36189);
      script_xref(name:"EDB-ID", value:"17476");
      script_xref(name:"IAVB", value:"2009-B-0052");
      script_xref(name:"MSFT", value:"MS09-053");
      script_xref(name:"MSKB", value:"975254");
      script_xref(name:"CERT", value:"276653");
      script_xref(name:"EDB-ID", value:"9541");
      script_xref(name:"EDB-ID", value:"9559");
      script_xref(name:"EDB-ID", value:"9587");
      script_xref(name:"EDB-ID", value:"16740");
      script_xref(name:"EDB-ID", value:"17476");
    
      script_name(english:"MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)");
      script_summary(english:"Checks version of ftpsvc2.dll");
    
      script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host has a version of IIS whose FTP service is affected by
    one or both of the following vulnerabilities :
    
      - By sending specially crafted list commands to the
        remote Microsoft FTP service, an attacker is able
        to cause the service to become unresponsive.
        (CVE-2009-2521)
    
      - A flaw in the way the installed Microsoft FTP service
        in IIS handles list commands can be exploited to
        execute remote commands in the context of the
        LocalSystem account with IIS 5.0 under Windows 2000 or
        to cause the FTP server to stop and become unresponsive
        with IIS 5.1 under Windows XP or IIS 6.0 under Windows
        2003. (CVE-2009-3023)");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and
    7.0.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-053';
    kb = '975254';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Vista / Windows Server 2008
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"ftpsvc2.dll", version:"7.0.6002.22219", min_version:"7.0.6002.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2,             file:"ftpsvc2.dll", version:"7.0.6002.18107",                               dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"ftpsvc2.dll", version:"7.0.6001.22516", min_version:"7.0.6001.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1,             file:"ftpsvc2.dll", version:"7.0.6001.18327",                               dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"ftpsvc2.dll", version:"7.0.6000.21123", min_version:"7.0.6000.20000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0,             file:"ftpsvc2.dll", version:"7.0.6000.16923",                               dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
    
      # Windows 2003
      hotfix_is_vulnerable(os:"5.2", sp:2,             file:"ftpsvc2.dll", version:"6.0.3790.4584",                                dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
    
      # Windows XP
      hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.5875",                                dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"ftpsvc2.dll", version:"6.0.3790.4584",                                dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.3624",                                dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ||
    
      # Windows 2000
      hotfix_is_vulnerable(os:"5.0",                   file:"ftpsvc2.dll", version:"5.0.2195.7336",                                dir:"\System32\inetsrv", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: FTP
    NASL id: IIS5_FTP_OVERFLOW.NASL
    description: The remote FTP server allows anonymous users to create directories in one or more locations. The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40825
    published: 2009-10-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40825
    title: MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(40825);
     script_version("1.28");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    
     script_cve_id("CVE-2009-3023");
     script_bugtraq_id(36189);
     script_xref(name:"CERT", value:"276653");
     script_xref(name:"IAVB", value:"2009-B-0052");
     script_xref(name:"MSFT", value:"MS09-053");
     script_xref(name:"MSKB", value:"975191");
     script_xref(name:"MSKB", value:"975254");
    
     script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)");
     script_summary(english:"Checks the version of IIS FTP");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote anonymous FTP server seems vulnerable to an arbitrary code
    execution attack.");
     script_set_attribute(attribute:"description", value:
    "The remote FTP server allows anonymous users to create directories in
    one or more locations.
    
    The remote version of this server is vulnerable to a buffer overflow
    attack in the NLST command which, when coupled with the ability to
    create arbitrary directories, may allow an attacker to execute
    arbitrary commands on the remote Windows host with SYSTEM privileges.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and
    7.0.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
     script_cwe_id(119);
     script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
     script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
     script_set_attribute(attribute:"stig_severity", value:"I");
     script_end_attributes();
    
     script_category(ACT_DENIAL);
     script_family(english:"FTP");
     script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
     script_dependencie("ftp_anonymous.nasl", "ftp_writeable_directories.nasl");
     script_require_ports("Services/ftp", 21);
     script_require_keys("ftp/tested_writeable_dir");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("global_settings.inc");
    include('ftp_func.inc');
    
    exit(0);
    
    
    port = get_ftp_port(default: 21);
    dir = get_kb_item("ftp/"+port+"/tested_writeable_dir");
    if (! dir) exit(0, "No writeable dir found on port"+port+".");
    
    banner = get_ftp_banner(port:port);
    if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner");
    if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) )
    	security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server');
    else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner )) {
        soc = open_sock_tcp(port);
        if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+".");
        banner = ftp_recv_line(socket:soc);
        if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) )
         exit(1, "Could not log into the remote FTP server on port "+port+".");
        send(socket:soc, data:'STAT\r\n');
        r = ftp_recv_line(socket:soc);
        if ( "Microsoft Windows NT FTP Server status" >< r &&
    	 ("Version 5.0" >< r || "Version 5.1" >< r ) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.');
     }
    

Oval

accepted: 2011-10-31T04:04:12.823-04:00
class: vulnerability
contributors:
  • name: Dragos Prisaca
    organization: Gideon Technologies, Inc.
  • name: Josh Turpin
    organization: Symantec Corporation
definition_extensions:
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
  • comment: Microsoft IIS 5.0 is installed
    oval: oval:org.mitre.oval:def:731
  • comment: Microsoft Windows XP (x86) SP2 is installed
    oval: oval:org.mitre.oval:def:754
  • comment: Microsoft IIS 5.1 is installed
    oval: oval:org.mitre.oval:def:460
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
  • comment: Microsoft IIS 5.1 is installed
    oval: oval:org.mitre.oval:def:460
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
    oval: oval:org.mitre.oval:def:1935
  • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
    oval: oval:org.mitre.oval:def:2161
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft IIS 6.0 is installed
    oval: oval:org.mitre.oval:def:227
description: Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."
family: windows
id: oval:org.mitre.oval:def:6080
status: accepted
submitted: 2009-10-13T13:00:00
title: IIS FTP Service RCE and DoS Vulnerability
version: 38

Packetstorm

data source: https://packetstormsecurity.com/files/download/94532/ms09_053_ftpd_nlst.rb.txt
id: PACKETSTORM:94532
last seen: 2016-12-05
published: 2010-10-06
reporter: H D Moore
source: https://packetstormsecurity.com/files/94532/Microsoft-IIS-FTP-Server-NLST-Response-Overflow.html
title: Microsoft IIS FTP Server NLST Response Overflow

Saint

bid: 36189
description: Microsoft IIS FTP Server NLST Command Remote Overflow
osvdb: 57589
title: iis_ftp_server_nlst
type: remote

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 36189. CVE(CAN) ID: CVE-2009-3023. Microsoft Internet Information Services (IIS) is a network information server bundled with Microsoft Windows that includes HTTP service functionality. The FTP server embedded in Microsoft IIS contains a stack overflow vulnerability. If a remote attacker issues an FTP NLST (NAME LIST) command containing wildcards against a directory with a specially crafted name, the overflow is triggered, leading to arbitrary code execution. A directory with such a special name can only be created if the attacker has write access. Affected: Microsoft IIS 6.0, Microsoft IIS 5.0. Vendor patch: Microsoft --------- The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.microsoft.com/technet/security/
    id: SSV:12175
    last seen: 2017-11-19
    modified: 2009-09-02
    published: 2009-09-02
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-12175
    title: Microsoft IIS FTPd Service NLST Command Remote Stack Overflow Vulnerability
  • bulletinFamily: exploit
    description: BUGTRAQ ID: 36189. CVE ID: CVE-2009-3023. Microsoft Internet Information Services (IIS) is a network information server bundled with Microsoft Windows that includes HTTP service functionality. The FTP server embedded in Microsoft IIS contains a stack overflow vulnerability. If a remote attacker issues an FTP NLST (NAME LIST) command containing wildcards against a directory with a specially crafted name, the overflow is triggered, leading to denial of service or arbitrary code execution. A directory with such a special name can only be created if the attacker has write access. Affected: Microsoft IIS 6.0, Microsoft IIS 5.1, Microsoft IIS 5.0. Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat: * Change NTFS file system permissions so that FTP users cannot create directories. * Deny FTP write access to untrusted anonymous users. Vendor patch: Microsoft --------- Microsoft has released a security bulletin (MS09-053) and the corresponding patch: MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254). Link: http://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx?pf=true
    id: SSV:12476
    last seen: 2017-11-19
    modified: 2009-10-16
    published: 2009-10-16
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-12476
    title: Microsoft IIS FTPd Service NLST Command Remote Stack Overflow Vulnerability (MS09-053)