Lucene search

K
nessusThis script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.IIS5_FTP_OVERFLOW.NASL
HistoryOct 13, 2009 - 12:00 a.m.

MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)

2009-10-1300:00:00
This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
86

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.969 High

EPSS

Percentile

99.7%

The remote FTP server allows anonymous users to create directories in one or more locations.

The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(40825);
 script_version("1.29");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2009-3023");
 script_bugtraq_id(36189);
 script_xref(name:"CERT", value:"276653");
 script_xref(name:"IAVB", value:"2009-B-0052-S");
 script_xref(name:"MSFT", value:"MS09-053");
 script_xref(name:"MSKB", value:"975191");
 script_xref(name:"MSKB", value:"975254");

 script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)");
 script_summary(english:"Checks the version of IIS FTP");

 script_set_attribute(attribute:"synopsis", value:
"The remote anonymous FTP server seems vulnerable to an arbitrary code
execution attack.");
 script_set_attribute(attribute:"description", value:
"The remote FTP server allows anonymous users to create directories in
one or more locations.

The remote version of this server is vulnerable to a buffer overflow
attack in the NLST command which, when coupled with the ability to
create arbitrary directories, may allow an attacker to execute
arbitrary commands on the remote Windows host with SYSTEM privileges.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?ce9a6597");
  script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl");
  # https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?0fea77dc");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and
7.0.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3023");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(119);

 script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
 script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
 script_set_attribute(attribute:"stig_severity", value:"I");
 script_end_attributes();

 script_category(ACT_DENIAL);
 script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

 script_dependencies("ftp_anonymous.nasl", "ftp_writeable_directories.nasl");
 script_require_ports("Services/ftp", 21);
 script_require_keys("ftp/tested_writeable_dir");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include('ftp_func.inc');

exit(0);


port = get_ftp_port(default: 21);
dir = get_kb_item("ftp/"+port+"/tested_writeable_dir");
if (! dir) exit(0, "No writeable dir found on port"+port+".");

banner = get_ftp_banner(port:port);
if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner");
if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) )
	security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server');
else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner )) {
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+".");
    banner = ftp_recv_line(socket:soc);
    if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) )
     exit(1, "Could not log into the remote FTP server on port "+port+".");
    send(socket:soc, data:'STAT\r\n');
    r = ftp_recv_line(socket:soc);
    if ( "Microsoft Windows NT FTP Server status" >< r &&
	 ("Version 5.0" >< r || "Version 5.1" >< r ) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.');
 }
VendorProductVersionCPE
microsoftiiscpe:/a:microsoft:iis

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.969 High

EPSS

Percentile

99.7%