Lucene search
MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)
🗓️ 13 Oct 2009 00:00:00Reported by This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.Type 
nessus🔗 www.tenable.com👁 105 Views
Microsoft IIS FTPd NLST Command Remote Buffer Overflo
Show more
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | Immunity Canvas: IISFTP_NLST | 31 Aug 200920:30 | – | canvas |
 | CVE-2009-3023 | 31 Aug 200920:30 | – | cve |
 | CVE-2009-3023 | 31 Aug 200920:00 | – | cvelist |
 | MS09-053 Microsoft IIS FTP Server NLST Response Overflow | 5 Oct 201023:39 | – | metasploit |
 | Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit) | 12 Nov 201000:00 | – | exploitdb |
 | Microsoft IIS FTP Server NLST Command Remote Overflow | 3 Sep 200900:00 | – | saint |
| Microsoft IIS FTP Server NLST Command Remote Overflow | 3 Sep 200900:00 | – | saint |
| Microsoft IIS FTP Server NLST Command Remote Overflow | 3 Sep 200900:00 | – | saint |
| Microsoft IIS FTP Server NLST Command Remote Overflow | 3 Sep 200900:00 | – | saint |
 | Microsoft IIS FTPd服务NLST命令远程栈溢出漏洞 | 2 Sep 200900:00 | – | seebug |
10
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
| nessus | www.nessus.org/u |
| securityvulns | www.securityvulns.com/files/iiz5.pl |
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(40825);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id("CVE-2009-3023");
script_bugtraq_id(36189);
script_xref(name:"CERT", value:"276653");
script_xref(name:"IAVB", value:"2009-B-0052-S");
script_xref(name:"MSFT", value:"MS09-053");
script_xref(name:"MSKB", value:"975191");
script_xref(name:"MSKB", value:"975254");
script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)");
script_summary(english:"Checks the version of IIS FTP");
script_set_attribute(attribute:"synopsis", value:
"The remote anonymous FTP server seems vulnerable to an arbitrary code
execution attack.");
script_set_attribute(attribute:"description", value:
"The remote FTP server allows anonymous users to create directories in
one or more locations.
The remote version of this server is vulnerable to a buffer overflow
attack in the NLST command which, when coupled with the ability to
create arbitrary directories, may allow an attacker to execute
arbitrary commands on the remote Windows host with SYSTEM privileges.");
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?ce9a6597");
script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl");
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?0fea77dc");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and
7.0.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3023");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_cwe_id(119);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_DENIAL);
script_family(english:"FTP");
script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ftp_anonymous.nasl", "ftp_writeable_directories.nasl");
script_require_ports("Services/ftp", 21);
script_require_keys("ftp/tested_writeable_dir");
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include('ftp_func.inc');
exit(0);
port = get_ftp_port(default: 21);
dir = get_kb_item("ftp/"+port+"/tested_writeable_dir");
if (! dir) exit(0, "No writeable dir found on port"+port+".");
banner = get_ftp_banner(port:port);
if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner");
if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) )
security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server');
else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner )) {
soc = open_sock_tcp(port);
if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+".");
banner = ftp_recv_line(socket:soc);
if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) )
exit(1, "Could not log into the remote FTP server on port "+port+".");
send(socket:soc, data:'STAT\r\n');
r = ftp_recv_line(socket:soc);
if ( "Microsoft Windows NT FTP Server status" >< r &&
("Version 5.0" >< r || "Version 5.1" >< r ) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.');
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo13 Oct 2009 00:00Current
1Low risk
Vulners AI Score1
CVSS29
EPSS0.76858