Microsoft IIS FTP service searches all trusted domains for user accounts

Overview

The Microsoft IIS FTP Service contains a vulnerability that allows remote attackers to log in using domain accounts without providing a specific domain name.

Description

The Microsoft IIS FTP Service allows users to establish connections using either local accounts or Windows domain accounts. Connections made using a domain account require a username of the form “domain\ser” to distinguish them from local accounts. The FTP Service contains an access control vulnerability that causes the server to search all trusted domains for a matching domain account when the “domain” portion of the username contains a certain wildcard value. Once a matching domain account is found, the user must provide a correct password to gain access.

This vulnerability requires the attacker to provide a correct password, so the most likely accounts to be targeted are those that contain a well-known username and default password. For example, if any of the domains trusted by the server contain an enabled Guest account with a default (null) password, the FTP Service will use that account to log the user in as “Domain\Guest”.

---

Impact

This vulnerability allows remote users to log in using a domain account without fully specifying the domain. This may result in either unauthorized file transfer access or information leakage.

---

Solution

Apply a patch from your vendor

Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

---

Disable IIS FTP Service

Sites that do not require the IIS FTP Service may disable it to prevent exploitation of this vulnerability.

---

Vendor Information

137544

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft __ Affected

Updated: September 18, 2001

Status

Affected

Vendor Statement

Microsoft has addressed this vulnerability in the following Microsoft Security Bulletin

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has archived Microsoft’s announcement of MS01-026 at

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.kb.cert.org/vuls/id/573155&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS01-026.asp&gt;
• <http://www.securityfocus.com/bid/2719&gt;

Acknowledgements

This document was written by Jeffrey P. Lanza and is based on information from Microsoft.

Other Information

CVE IDs:	CVE-2001-0335
Severity Metric:	10.13 Date Public: