September 2, 2009 10:20 PDT
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s security and configuration research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today’s VERT Alert provides information on the Microsoft IIS FTP 0-Day that recently surfaced on milw0rm[1]. This was discussed and has been followed on the SANS ISC Diary[2]. The Metasploit Project announced last night that they had added the exploit to metasploit[3] and posted example output from the exploit[4].
Microsoft’s Response
Microsoft has also released a security bulletin[5] regarding this issue, which has been assigned CVE-2009-3023[6]. Microsoft has suggested that users of IIS FTP 5.0, 5.1, and 6.0 ensure they disable write access for anonymous users, and disable the ability for FTP users to create directories.
Assessing Your Systems
Current nCircle IP360 customers can determine affected systems with the following nCircle Focus© query:
Focus query: app:"Microsoft IIS FTP Service 5.x" OR app:"Microsoft IIS FTP Service 6.x"
[1] http://www.milw0rm.com/
[2] http://isc.sans.org/diary.html?storyid=7039
[3] http://twitter.com/metasploit/status/3700709819
[4] http://pastie.org/601730
[5] http://www.microsoft.com/technet/security/advisory/975191.mspx
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023