ID

VAR-200908-0339


CVE

CVE-2009-3023


TITLE

Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Trust: 0.8

sources: CERT/CC: VU#276653

DESCRIPTION

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects the following:

* IIS 5.0
* IIS 5.1
* IIS 6.0 (denial of service only)
* IIS 7.0 (denial of service only)

Note that Microsoft IIS 7.0 with FTP Service 7.5 is not affected. Other versions may also be affected.

NOTE: This issue cannot be exploited to execute arbitrary code on IIS 6.0 or 7.0.

NOTE (September 1, 2009): This issue can be exploited to execute arbitrary code with SYSTEM-level privileges on IIS 5.0.

UPDATE (September 8, 2009): This issue may be related to a vulnerability reported in 1999 affecting IIS 3 and IIS 4. We will update this BID as more details emerge.

The vulnerability is caused due to a boundary error in the FTP server when processing NLST commands. This can be exploited to cause a stack-based buffer overflow by issuing a specially crafted NLST command. The vulnerability is confirmed as a DoS in IIS 5.1 for Windows XP SP3 and in IIS 6.0 for Windows Server 2003, and reported as code execution in IIS 5.0 for Windows 2000 SP4.

SOLUTION: Restrict access to trusted users only.

PROVIDED AND/OR DISCOVERED BY: Kingcope

ORIGINAL ADVISORY: http://milw0rm.com/exploits/9541

OTHER REFERENCES: VU#276653: http://www.kb.cert.org/vuls/id/276653

National Cyber Alert System
Technical Cyber Security Alert TA09-286A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft .NET Framework
* Microsoft Silverlight
* Microsoft SQL Server
* Microsoft Developer Tools
* Microsoft Forefront

Overview

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Windows Server, Internet Explorer, Office, .NET Framework, Silverlight, SQL Server, Developer Tools, and Forefront.

I. Description

Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows and Windows Server, Internet Explorer, Office, .NET Framework, Silverlight, SQL Server, Developer Tools, and Forefront. These bulletins are described in the Microsoft Security Bulletin Summary for October 2009.

II.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for October 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

* Microsoft Security Bulletin Summary for October 2009 - <http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx>
* Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-286A.html>

Produced 2009 by US-CERT, a government organization.
Revision History

October 13, 2009: Initial release

Trust: 2.79

sources: NVD: CVE-2009-3023 // CERT/CC: VU#276653 // JVNDB: JVNDB-2009-002072 // BID: 36189 // PACKETSTORM: 80892 // PACKETSTORM: 81977

AFFECTED PRODUCTS

vendor: microsoft, model: iis, scope: eq, version: 6.0

Trust: 1.7

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.7

vendor: microsoft, model: iis, scope: eq, version: 5.1

Trust: 1.1

vendor: microsoft, model: internet information server, scope: lte, version: 6.0

Trust: 1.0

vendor: microsoft, model: internet information server, scope: gte, version: 5.0

Trust: 1.0

vendor: microsoft, model: -, scope: -, version: -

Trust: 0.8

vendor: microsoft, model: iis, scope: ne, version: 7.5

Trust: 0.3

sources: CERT/CC: VU#276653 // BID: 36189 // JVNDB: JVNDB-2009-002072 // CNNVD: CNNVD-200908-498 // NVD: CVE-2009-3023

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-3023
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#276653
value: 20.81

Trust: 0.8

NVD: CVE-2009-3023
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200908-498
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2009-3023
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#276653 // JVNDB: JVNDB-2009-002072 // CNNVD: CNNVD-200908-498 // NVD: CVE-2009-3023

PROBLEMTYPE DATA

problemtype:CWE-120

Trust: 1.0

problemtype:CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2009-002072 // NVD: CVE-2009-3023

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200908-498

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-200908-498

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002072

PATCH

title: 975191, url: http://www.microsoft.com/technet/security/advisory/975191.mspx

Trust: 0.8

title: MS09-053, url: http://www.microsoft.com/technet/security/bulletin/MS09-053.mspx

Trust: 0.8

title: 975191, url: http://www.microsoft.com/japan/technet/security/advisory/975191.mspx

Trust: 0.8

title: MS09-053, url: http://www.microsoft.com/japan/technet/security/bulletin/ms09-053.mspx

Trust: 0.8

title: MS09-053e, url: http://www.microsoft.com/japan/security/bulletins/MS09-053e.mspx

Trust: 0.8

title: TA09-286A, url: http://software.fujitsu.com/jp/security/vulnerabilities/ta09-286a.html

Trust: 0.8

sources: JVNDB: JVNDB-2009-002072

EXTERNAL IDS

db: CERT/CC, id: VU#276653

Trust: 3.6

db: NVD, id: CVE-2009-3023

Trust: 2.7

db: BID, id: 36189

Trust: 2.7

db: EXPLOIT-DB, id: 9541

Trust: 2.5

db: USCERT, id: TA09-286A

Trust: 2.5

db: EXPLOIT-DB, id: 9559

Trust: 1.6

db: VUPEN, id: ADV-2009-2481

Trust: 1.6

db: SECUNIA, id: 36443

Trust: 1.1

db: USCERT, id: SA09-286A

Trust: 0.8

db: JVNDB, id: JVNDB-2009-002072

Trust: 0.8

db: CNNVD, id: CNNVD-200908-498

Trust: 0.6

db: PACKETSTORM, id: 80892

Trust: 0.1

db: PACKETSTORM, id: 81977

Trust: 0.1

sources: CERT/CC: VU#276653 // BID: 36189 // JVNDB: JVNDB-2009-002072 // PACKETSTORM: 80892 // PACKETSTORM: 81977 // CNNVD: CNNVD-200908-498 // NVD: CVE-2009-3023

REFERENCES

url:http://www.kb.cert.org/vuls/id/276653

Trust: 2.8

url:http://www.securityfocus.com/bid/36189

Trust: 2.4

url:http://www.us-cert.gov/cas/techalerts/ta09-286a.html

Trust: 2.4

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a6080

Trust: 1.6

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053

Trust: 1.6

url:http://www.exploit-db.com/exploits/9559

Trust: 1.6

url:http://www.vupen.com/english/advisories/2009/2481

Trust: 1.6

url:http://www.exploit-db.com/exploits/9541

Trust: 1.6

url:http://www.microsoft.com/technet/security/advisory/975191.mspx

Trust: 1.1

url:http://support.microsoft.com/default.aspx?scid=kb%3b%5bln%5d%3bq975191

Trust: 1.0

url:http://milw0rm.com/exploits/9541

Trust: 0.9

url:http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3023

Trust: 0.8

url:http://www.ipa.go.jp/security/ciadr/vul/20091014-ms09-053.html

Trust: 0.8

url:http://jvn.jp/cert/jvnta09-286a/

Trust: 0.8

url:http://jvn.jp/cert/jvnvu276653/index.html

Trust: 0.8

url:http://jvn.jp/tr/jvntr-2009-23/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3023

Trust: 0.8

url:http://secunia.com/advisories/36443

Trust: 0.8

url:http://isc.sans.org/diary.html?storyid=7039

Trust: 0.8

url:http://www.us-cert.gov/cas/alerts/sa09-286a.html

Trust: 0.8

url:http://www.cyberpolice.go.jp/#topics

Trust: 0.8

url:http://support.microsoft.com/default.aspx?scid=kb;[ln];q975191

Trust: 0.6

url:http://archives.neohapsis.com/archives/fulldisclosure/2009-08/att-0444/isowarez.pdf

Trust: 0.3

url:http://www.offensive-security.com/blog/vulndev/microsoft-iis-ftp-5-0-remote-system-exploit/

Trust: 0.3

url:http://www.microsoft.com/windowsserver2003/iis/default.mspx

Trust: 0.3

url:http://blogs.technet.com/msrc/archive/2009/09/01/microsoft-security-advisory-975191-released.aspx

Trust: 0.3

url:http://blogs.technet.com/msrc/archive/2009/09/03/microsoft-security-advisory-975191-revised.aspx

Trust: 0.3

url:http://blogs.technet.com/srd/archive/2009/09/01/new-vulnerability-in-iis5-and-iis6.aspx

Trust: 0.3

url:http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0016.html

Trust: 0.3

url:/archive/1/506297

Trust: 0.3

url:http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/36443/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta09-286a.html

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.1

url:http://www.us-cert.gov/legal.html

Trust: 0.1

url:http://technet.microsoft.com/en-us/wsus/default.aspx

Trust: 0.1

sources: CERT/CC: VU#276653 // BID: 36189 // JVNDB: JVNDB-2009-002072 // PACKETSTORM: 80892 // PACKETSTORM: 81977 // CNNVD: CNNVD-200908-498 // NVD: CVE-2009-3023

CREDITS

Kingcope※ kingcope@gmx.net

Trust: 0.6

sources: CNNVD: CNNVD-200908-498

SOURCES

db: CERT/CC, id: VU#276653
db: BID, id: 36189
db: JVNDB, id: JVNDB-2009-002072
db: PACKETSTORM, id: 80892
db: PACKETSTORM, id: 81977
db: CNNVD, id: CNNVD-200908-498
db: NVD, id: CVE-2009-3023

LAST UPDATE DATE

2024-11-23T20:30:30.634000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#276653, date: 2009-09-02T00:00:00
db: BID, id: 36189, date: 2010-10-07T08:51:00
db: JVNDB, id: JVNDB-2009-002072, date: 2009-10-30T00:00:00
db: CNNVD, id: CNNVD-200908-498, date: 2021-08-16T00:00:00
db: NVD, id: CVE-2009-3023, date: 2024-11-21T01:06:19.957

SOURCES RELEASE DATE

db: CERT/CC, id: VU#276653, date: 2009-08-31T00:00:00
db: BID, id: 36189, date: 2009-08-31T00:00:00
db: JVNDB, id: JVNDB-2009-002072, date: 2009-10-07T00:00:00
db: PACKETSTORM, id: 80892, date: 2009-09-01T07:26:38
db: PACKETSTORM, id: 81977, date: 2009-10-14T18:32:45
db: CNNVD, id: CNNVD-200908-498, date: 2009-08-31T00:00:00
db: NVD, id: CVE-2009-3023, date: 2009-08-31T20:30:01.077