Tuesday, September 1, 2009

Detecting Vulnerable IIS-FTP Hosts Using Nmap

A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:
1. Check if anonymous sessions are allowed.
2. Check if the detected FTP server is running Microsoft ftpd.
3. Check if the MKDIR command is allowed (this seems to be required by the exploit).

If all of these conditions are met, the script exits with a warning message. Note that my script only reports servers which could be vulnerable. On the other hand, running a server where anonymous users are able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!
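The same three checks written as a stand-alone Python audit function, for hosts you administer. This is an added example, not the Nmap script from this post. The banner marker, the `ftp_factory` hook, the probe directory name and the password string are assumptions made for the example.

```python
import ftplib
import uuid

# Assumption: the IIS FTP service names itself like this in its 220 greeting.
IIS_BANNER_MARKER = "microsoft ftp service"


def audit_ftp(host, port=21, timeout=10, ftp_factory=ftplib.FTP):
    """Run the post's three checks against one host and return the findings.

    ftp_factory is a hypothetical hook so a stub client can be injected.
    """
    f = {"banner": "", "microsoft_ftpd": False, "anonymous_login": False,
         "mkd_allowed": False, "probe_removed": None}
    with ftp_factory(timeout=timeout) as ftp:
        # Vendor check: read it from the greeting sent on connect.
        f["banner"] = ftp.connect(host, port)
        f["microsoft_ftpd"] = IIS_BANNER_MARKER in f["banner"].lower()
        # Anonymous session check. A 5xx reply raises error_perm.
        try:
            ftp.login("anonymous", "audit@example.invalid")
            f["anonymous_login"] = True
        except ftplib.error_perm:
            pass
        # Directory creation check, only meaningful once logged in.
        if f["anonymous_login"]:
            probe = "audit-" + uuid.uuid4().hex[:12]  # unlikely to collide
            try:
                ftp.mkd(probe)
                f["mkd_allowed"] = True
            except ftplib.error_perm:
                pass
            if f["mkd_allowed"]:
                # Leave the server as we found it; record if we could not.
                try:
                    ftp.rmd(probe)
                    f["probe_removed"] = True
                except ftplib.all_errors:
                    f["probe_removed"] = False
    # Misconfiguration worth fixing whatever the vendor is.
    f["anonymous_write"] = f["anonymous_login"] and f["mkd_allowed"]
    # All three conditions from the post: a candidate, not a confirmed finding.
    f["possibly_vulnerable"] = f["anonymous_write"] and f["microsoft_ftpd"]
    return f
```

A `probe_removed` value of `False` means the audit directory is still on the server and has to be deleted by hand.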

The script is available here

To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index.

Source: rootshell.be

1 comment:

ntxploits said...

Sorry, that document is gone or never existed

http://seclists.org/fulldisclosure/2009/Aug/0443.html