MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) - Nessus

Critical   Plugin ID: 40825

This page contains detailed information about the MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 40825
Name: MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)
Filename: iis5_ftp_overflow.nasl
Vulnerability Published: 2009-09-01
This Plugin Published: 2009-10-13
Last Modification Time: 2020-08-05
Plugin Version: 1.29
Plugin Type: remote
Plugin Family: FTP
Dependencies: ftp_anonymous.nasl, ftp_writeable_directories.nasl
Required KB Items [?]: ftp/tested_writeable_dir

Vulnerability Information

Severity: Critical
Vulnerability Published: 2009-09-01
Patch Published: 2009-10-13
CVE [?]: CVE-2009-3023
CPE [?]: cpe:/a:microsoft:iis

Synopsis

The remote anonymous FTP server seems vulnerable to an arbitrary code execution attack.

Description

The remote FTP server allows anonymous users to create directories in one or more locations.

The remote version of this server is vulnerable to a buffer overflow attack in the NLST command which, when coupled with the ability to create arbitrary directories, may allow an attacker to execute arbitrary commands on the remote Windows host with SYSTEM privileges.

Solution

Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and 7.0.

Public Exploits

Target Network Port(s): 21
Target Asset(s): Services/ftp
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) vulnerability:

  1. Metasploit: exploit/windows/ftp/ms09_053_ftpd_nlst
    [MS09-053 Microsoft IIS FTP Server NLST Response Overflow]
  2. Exploit-DB: exploits/windows/remote/16740.rb
    [EDB-16740: Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit)]
  3. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2009-3023
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:8.3 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.3 (High)
STIG Severity [?]: I
STIG Risk Rating: High

Go back to menu.

Plugin Source

This is the iis5_ftp_overflow.nasl nessus plugin source code. This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(40825);
 script_version("1.29");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  script_cve_id("CVE-2009-3023");
 script_bugtraq_id(36189);
 script_xref(name:"CERT", value:"276653");
 script_xref(name:"IAVB", value:"2009-B-0052-S");
 script_xref(name:"MSFT", value:"MS09-053");
 script_xref(name:"MSKB", value:"975191");
 script_xref(name:"MSKB", value:"975254");

 script_name(english:"MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check)");
 script_summary(english:"Checks the version of IIS FTP");

 script_set_attribute(attribute:"synopsis", value:
"The remote anonymous FTP server seems vulnerable to an arbitrary code
execution attack.");
 script_set_attribute(attribute:"description", value:
"The remote FTP server allows anonymous users to create directories in
one or more locations.

The remote version of this server is vulnerable to a buffer overflow
attack in the NLST command which, when coupled with the ability to
create arbitrary directories, may allow an attacker to execute
arbitrary commands on the remote Windows host with SYSTEM privileges.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?ce9a6597");
  script_set_attribute(attribute:"see_also", value:"http://securityvulns.com/files/iiz5.pl");
  # https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2009/975191
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?0fea77dc");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and
7.0.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3023");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(119);

 script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/01");
 script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
 script_set_attribute(attribute:"stig_severity", value:"I");
 script_end_attributes();

 script_category(ACT_DENIAL);
 script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2009-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

 script_dependencies("ftp_anonymous.nasl", "ftp_writeable_directories.nasl");
 script_require_ports("Services/ftp", 21);
 script_require_keys("ftp/tested_writeable_dir");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include('ftp_func.inc');

exit(0);


port = get_ftp_port(default: 21);
dir = get_kb_item("ftp/"+port+"/tested_writeable_dir");
if (! dir) exit(0, "No writeable dir found on port"+port+".");

banner = get_ftp_banner(port:port);
if ( isnull(banner) ) exit(1, "Could not retrieve the FTP server's banner");
if ( egrep(pattern:"^22.* Microsoft FTP Service \(Version 5\.[01]\)", string:banner) )
	security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server');
else if ( !egrep(pattern:"^22.* Microsoft FTP Service \(Version ", string:banner )) {
    soc = open_sock_tcp(port);
    if ( ! soc ) exit(1, "Could not connect to the remote FTP server on port "+port+".");
    banner = ftp_recv_line(socket:soc);
    if ( ! ftp_authenticate(user:"anonymous", pass:"joe@", socket:soc) )
     exit(1, "Could not log into the remote FTP server on port "+port+".");
    send(socket:soc, data:'STAT\r\n');
    r = ftp_recv_line(socket:soc);
    if ( "Microsoft Windows NT FTP Server status" >< r &&
	 ("Version 5.0" >< r || "Version 5.1" >< r ) ) security_hole(port:port, extra:'The directory ' + dir + ' could be used to exploit the server.');
 }

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/iis5_ftp_overflow.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\iis5_ftp_overflow.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/iis5_ftp_overflow.nasl

Go back to menu.

How to Run

Here is how to run the MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select FTP plugin family.
  6. On the right side table select MS09-053: Microsoft IIS FTPd NLST Command Remote Buffer Overflow (975191) (uncredentialed check) plugin ID 40825.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl iis5_ftp_overflow.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a iis5_ftp_overflow.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - iis5_ftp_overflow.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state iis5_ftp_overflow.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: MSKB | Microsoft Knowledge Base: MSFT | Microsoft Security Bulletin:
  • MS09-053
IAVB | Information Assurance Vulnerability Bulletin:
  • 2009-B-0052-S
CERT | Computer Emergency Response Team: CWE | Common Weakness Enumeration:
  • CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
See also: Similar and related Nessus plugins:
  • 42109 - MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
  • 10657 - MS01-023: Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow (953155) (uncredentialed check)
  • 50062 - MS09-017 / MS09-021 / MS09-027: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (967340 / 969462 / 969514) (Mac OS X)
  • 50063 - MS09-067 / MS09-068: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (972652 / 976307) (Mac OS X)
  • 40887 - MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)
  • 35362 - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
  • 35635 - MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) (uncredentialed check)
  • 39622 - MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346)
  • 39783 - MS09-043: Vulnerabilities in Microsoft Office Web Components Control Could Allow Remote Code Execution (973472)
  • 35361 - MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
  • 35630 - MS09-002: Cumulative Security Update for Internet Explorer (961260)
  • 35632 - MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)
  • 36148 - MS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
  • 36150 - MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
  • 36152 - MS09-014: Cumulative Security Update for Internet Explorer (963027)
  • 39341 - MS09-019: Cumulative Security Update for Internet Explorer (969897)
  • 39342 - MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
  • 39344 - MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
  • 39349 - MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
  • 39791 - MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
  • 40556 - MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
  • 40562 - MS09-043: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
  • 40891 - MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
  • 42106 - MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)
  • 42107 - MS09-051: Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
  • 42110 - MS09-054: Cumulative Security Update for Internet Explorer (974455)
  • 42112 - MS09-056: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
  • 42117 - MS09-061: Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
  • 42439 - MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
  • 42441 - MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
  • 43064 - MS09-072: Cumulative Security Update for Internet Explorer (976325)
  • 108811 - Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • 15628 - Ability FTP Server Multiple Command Remote Buffer Overflows
  • 51366 - ProFTPD < 1.3.3d 'mod_sql' Buffer Overflow
  • 70446 - ProFTPD TELNET IAC Escape Sequence Remote Buffer Overflow

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file iis5_ftp_overflow.nasl version 1.29. For more plugins, visit the Nessus Plugin Library.

Go back to menu.