Vulnerabilities > CVE-2009-3023 - Classic Buffer Overflow vulnerability in Microsoft Internet Information Server 5.0/5.1/6.0

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

CWE-120

nessus

exploit available

metasploit

NVD

Published: 2009-08-31

Updated: 2023-11-07

Summary

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Information Server 5.0 Microsoft Internet Information Server 5.1 Microsoft Internet Information Server 6.0	5
OS	Microsoft Microsoft Windows 2000 - Microsoft Windows Server 2003 - Microsoft Windows XP - Microsoft Windows Server 2008 - Microsoft Windows Vista -	18

Common Weakness Enumeration (CWE)

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description	Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k). CVE-2009-3023. Remote exploit for windows platform
file	exploits/windows/remote/9541.pl
id	EDB-ID:9541
last seen	2016-02-01
modified	2009-08-31
platform	windows
port	21
published	2009-08-31
reporter	kingcope
source	https://www.exploit-db.com/download/9541/
title	Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit win2k
type	remote

description	Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4). CVE-2009-3023. Remote exploit for windows platform
file	exploits/windows/remote/9559.pl
id	EDB-ID:9559
last seen	2016-02-01
modified	2009-09-01
platform	windows
port	21
published	2009-09-01
reporter	muts
source	https://www.exploit-db.com/download/9559/
title	Microsoft IIS 5.0 - FTP Server Remote Stack Overflow Exploit win2k sp4
type	remote

description	Microsoft IIS FTP Server NLST Response Overflow. CVE-2009-3023. Remote exploit for windows platform
id	EDB-ID:16740
last seen	2016-02-02
modified	2010-11-12
published	2010-11-12
reporter	metasploit
source	https://www.exploit-db.com/download/16740/
title	Microsoft IIS FTP Server NLST Response Overflow

Metasploit

description	This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)
id	MSF:EXPLOIT/WINDOWS/FTP/MS09_053_FTPD_NLST
last seen	2020-06-10
modified	2017-07-24
published	2010-10-05
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb
title	MS09-053 Microsoft IIS FTP Server NLST Response Overflow

Msbulletin

bulletin_id	MS09-053
bulletin_url
date	2009-10-13T00:00:00
impact	Remote Code Execution
knowledgebase_id	975254
knowledgebase_url
severity	Important
title	Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-053.NASL
description	The remote host has a version of IIS whose FTP service is affected by one or both of the following vulnerabilities : - By sending specially crafted list commands to the remote Microsoft FTP service, an attacker is able to cause the service to become unresponsive. (CVE-2009-2521) - A flaw in the way the installed Microsoft FTP service in IIS handles list commands can be exploited to execute remote commands in the context of the LocalSystem account with IIS 5.0 under Windows 2000 or to cause the FTP server to stop and become unresponsive with IIS 5.1 under Windows XP or IIS 6.0 under Windows 2003. (CVE-2009-3023)
last seen	2020-06-01
modified	2020-06-02
plugin id	42109
published	2009-10-13
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/42109
title	MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42109); script_version("1.25"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-2521", "CVE-2009-3023"); script_bugtraq_id(36273, 36189); script_xref(name:"EDB-ID", value:"17476"); script_xref(name:"IAVB", value:"2009-B-0052"); script_xref(name:"MSFT", value:"MS09-053"); script_xref(name:"MSKB", value:"975254"); script_xref(name:"CERT", value:"276653"); script_xref(name:"EDB-ID", value:"9541"); script_xref(name:"EDB-ID", value:"9559"); script_xref(name:"EDB-ID", value:"9587"); script_xref(name:"EDB-ID", value:"16740"); script_xref(name:"EDB-ID", value:"17476"); script_name(english:"MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)"); script_summary(english:"Checks version of ftpsvc2.dll"); script_set_attribute(attribute:"synopsis", value:"The remote FTP server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host has a version of IIS whose FTP service is affected by one or both of the following vulnerabilities : - By sending specially crafted list commands to the remote Microsoft FTP service, an attacker is able to cause the service to become unresponsive. (CVE-2009-2521) - A flaw in the way the installed Microsoft FTP service in IIS handles list commands can be exploited to execute remote commands in the context of the LocalSystem account with IIS 5.0 under Windows 2000 or to cause the FTP server to stop and become unresponsive with IIS 5.1 under Windows XP or IIS 6.0 under Windows 2003. (CVE-2009-3023)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and 7.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-053'; kb = '975254'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Vista / Windows Server 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"ftpsvc2.dll", version:"7.0.6002.22219", min_version:"7.0.6002.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:2, file:"ftpsvc2.dll", version:"7.0.6002.18107", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"ftpsvc2.dll", version:"7.0.6001.22516", min_version:"7.0.6001.22000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"ftpsvc2.dll", version:"7.0.6001.18327", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"ftpsvc2.dll", version:"7.0.6000.21123", min_version:"7.0.6000.20000", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"ftpsvc2.dll", version:"7.0.6000.16923", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| # Windows 2003 hotfix_is_vulnerable(os:"5.2", sp:2, file:"ftpsvc2.dll", version:"6.0.3790.4584", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| # Windows XP hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.5875", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x64", file:"ftpsvc2.dll", version:"6.0.3790.4584", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"ftpsvc2.dll", version:"6.0.2600.3624", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"ftpsvc2.dll", version:"5.0.2195.7336", dir:"\System32\inetsrv", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

NASL family	FTP
NASL id	IIS5_FTP_OVERFLOW.NASL
description	The remote FTP server allows anonymous users to create directories in one or more locations. The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	40825
published	2009-10-13
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/40825
title	MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(40825); script_version("1.28"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2009-3023"); script_bugtraq_id(36189); script_xref(name:"CERT", value:"276653"); script_xref(name:"IAVB", value:"2009-B-0052"); script_xref(name:"MSFT", value:"MS09-053"); script_xref(name:"MSKB", value:"975191"); script_xref(name:"MSKB", value:"975254"); script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)"); script_summary(english:"Checks the version of IIS FTP"); script_set_attribute(attribute:"synopsis", value: "The remote anonymous FTP server seems vulnerable to an arbitrary code execution attack."); script_set_attribute(attribute:"description", value: "The remote FTP server allows anonymous users to create directories in one or more locations. The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and 7.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(119); script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_DENIAL); script_family(english:"FTP"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencie("ftp_anonymous.nasl", "ftp_writeable_directories.nasl"); script_require_ports("Services/ftp", 21); script_require_keys("ftp/tested_writeable_dir"); exit(0); } # # The script code starts here # include("global_settings.inc"); include('ftp_func.inc'); exit(0); port = get_ftp_port(default: 21); dir = get_kb_item("ftp/"+port+"/tested_writeable_dir"); if (! dir) exit(0, "No writeable dir found on port"+port+"."); banner = get_ftp_banner(port:port); if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner"); if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server'); else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner )) { soc = open_sock_tcp(port); if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+"."); banner = ftp_recv_line(socket:soc); if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) ) exit(1, "Could not log into the remote FTP server on port "+port+"."); send(socket:soc, data:'STAT\r\n'); r = ftp_recv_line(socket:soc); if ( "Microsoft Windows NT FTP Server status" >< r && ("Version 5.0" >< r \|\| "Version 5.1" >< r ) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.'); }

Oval

accepted

2011-10-31T04:04:12.823-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Josh Turpin
organization Symantec Corporation

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft IIS 5.0 is installed
oval oval:org.mitre.oval:def:731
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft IIS 5.1 is installed
oval oval:org.mitre.oval:def:460
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft IIS 5.1 is installed
oval oval:org.mitre.oval:def:460
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) Gold is installed
oval oval:org.mitre.oval:def:396
comment Microsoft IIS 6.0 is installed
oval oval:org.mitre.oval:def:227

description

family

windows

oval:org.mitre.oval:def:6080

status

accepted

submitted

2009-10-13T13:00:00

title

IIS FTP Service RCE and DoS Vulnerability

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/94532/ms09_053_ftpd_nlst.rb.txt
id	PACKETSTORM:94532
last seen	2016-12-05
published	2010-10-06
reporter	H D Moore
source	https://packetstormsecurity.com/files/94532/Microsoft-IIS-FTP-Server-NLST-Response-Overflow.html
title	Microsoft IIS FTP Server NLST Response Overflow

Saint

bid	36189
description	Microsoft IIS FTP Server NLST Command Remote Overflow
osvdb	57589
title	iis_ftp_server_nlst
type	remote

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 36189 CVE(CAN) ID: CVE-2009-3023 Microsoft Internet信息服务（IIS）是Microsoft Windows自带的一个网络信息服务器，其中包含HTTP服务功能。 Microsoft IIS内嵌的FTP服务器中存在栈溢出漏洞。如果远程攻击者对带有特制名称的目录发布了包含有通配符的FTP NLST（NAME LIST）命令的话，就可以触发这个溢出，导致执行任意代码。仅在攻击者拥有写访问权限的情况下才可以创建带有特殊名称的目录。 Microsoft IIS 6.0 Microsoft IIS 5.0 厂商补丁： Microsoft --------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： http://www.microsoft.com/technet/security/
id	SSV:12175
last seen	2017-11-19
modified	2009-09-02
published	2009-09-02
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-12175
title	Microsoft IIS FTPd服务NLST命令远程栈溢出漏洞

bulletinFamily	exploit
description	BUGTRAQ ID: 36189 CVE ID: CVE-2009-3023 Microsoft Internet信息服务（IIS）是Microsoft Windows自带的一个网络信息服务器，其中包含HTTP服务功能。 Microsoft IIS内嵌的FTP服务器中存在栈溢出漏洞。如果远程攻击者对带有特制名称的目录发布了包含有通配符的FTP NLST（NAME LIST）命令的话，就可以触发这个溢出，导致拒绝服务或执行任意代码。仅在攻击者拥有写访问权限的情况下才可以创建带有特殊名称的目录。 Microsoft IIS 6.0 Microsoft IIS 5.1 Microsoft IIS 5.0 临时解决方法：如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁： * 修改NTFS文件系统权限，禁止FTP用户创建目录。 * 禁止不可信任的匿名用户写访问FTP。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-053）以及相应补丁: MS09-053：Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) 链接：http://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx?pf=true
id	SSV:12476
last seen	2017-11-19
modified	2009-10-16
published	2009-10-16
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-12476
title	Microsoft IIS FTPd服务NLST命令远程栈溢出漏洞（MS09-053）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Metasploit

Msbulletin

Nessus

Oval

Packetstorm

Saint

Seebug

References