Internet Information Services FTP Service Vulnerability
(975191)
A remote code execution vulnerability has been discovered in Microsoft Internet Information Services (IIS). Successful exploitation of this vulnerability would allow the attacker to take complete control of the affected system. Exploit code is available in the wild.
IIS is a collection of Internet services packaged with several versions of the Windows operating system. IIS includes an FTP server service for exchanging and manipulating files over a TCP/IP network.
The vulnerability is due to insufficient bounds checking in the IIS FTP service when it processes the argument of an FTP NLST command. A remote attacker who has write access to the FTP service can use an overlong argument to trigger a stack-based buffer overflow and execute arbitrary code in the security context of the service (local system).
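The bug class the advisory describes, as an added example written for this page (it is not IIS source, not Check Point's signature, and does not reproduce the actual flaw): a handler that copies the NLST argument into a fixed stack buffer with no length check, beside one that measures first and replies 501, plus the line-level check an IPS or server front end would apply to the raw control-channel command. The 255-byte buffer size, the function names and the sample lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed buffer size for the example; the advisory gives no figure. */
#define NLST_ARG_MAX 255

enum nlst_verdict {
    NLST_NOT_NLST = 0,   /* line carries some other FTP verb */
    NLST_OK = 1,         /* NLST whose argument fits the handler's buffer */
    NLST_OVERLONG = -1   /* NLST argument longer than the buffer */
};

/* Case-insensitive test for the 4-byte verb: FTP verbs are not case
 * sensitive, so a check that only matched "NLST" would miss "nlst". */
static int is_nlst_verb(const char *s)
{
    return toupper((unsigned char)s[0]) == 'N' &&
           toupper((unsigned char)s[1]) == 'L' &&
           toupper((unsigned char)s[2]) == 'S' &&
           toupper((unsigned char)s[3]) == 'T';
}

/* Length of the NLST argument with the separator and trailing CRLF/LF
 * removed, or -1 when the line is not an NLST command at all. */
static long nlst_arg_length(const char *line)
{
    size_t n = strlen(line);
    while (n > 0 && (line[n - 1] == '\r' || line[n - 1] == '\n'))
        n--;
    if (n < 4 || !is_nlst_verb(line))
        return -1;
    if (n == 4)
        return 0;                 /* bare "NLST": list the current directory */
    if (line[4] != ' ')
        return -1;                /* "NLSTX ..." is a different (invalid) verb */
    return (long)(n - 5);
}

/* Unsafe pattern: the argument goes into a fixed stack buffer with no length
 * check, so an argument longer than NLST_ARG_MAX bytes overwrites the stack.
 * Kept only for contrast; the usage below never feeds it oversized input. */
int nlst_handle_unchecked(const char *arg)
{
    char path[NLST_ARG_MAX + 1];
    strcpy(path, arg);            /* no bounds check: the bug class */
    return (int)strlen(path);
}

/* Hardened pattern: measure first and refuse with 501 ("syntax error in
 * parameters or arguments") before anything is copied. Returns the reply code. */
int nlst_handle_checked(const char *arg)
{
    char path[NLST_ARG_MAX + 1];
    size_t len = strlen(arg);
    if (len > NLST_ARG_MAX)
        return 501;               /* reject without touching the buffer */
    memcpy(path, arg, len + 1);   /* bounded: len + 1 <= sizeof path */
    return 150;                   /* listing would follow on the data channel */
}

/* Line-level check an IPS or server front end applies to one raw
 * control-channel line before it reaches the command handler. */
enum nlst_verdict nlst_check_line(const char *line)
{
    long len = nlst_arg_length(line);
    if (len < 0)
        return NLST_NOT_NLST;
    return len > NLST_ARG_MAX ? NLST_OVERLONG : NLST_OK;
}

/* Builds a constructed "NLST " + arglen x 'A' + CRLF line (not captured
 * traffic) in a static buffer so the overlong case can be exercised. */
const char *synthetic_nlst_line(size_t arglen)
{
    static char line[2048];
    size_t max = sizeof line - 8;
    if (arglen > max)
        arglen = max;
    memcpy(line, "NLST ", 5);
    memset(line + 5, 'A', arglen);
    memcpy(line + 5 + arglen, "\r\n", 3);
    return line;
}

int main(void)
{
    printf("USER anonymous   -> %d\n", nlst_check_line("USER anonymous\r\n"));
    printf("nlst pub/*.txt   -> %d\n", nlst_check_line("nlst pub/*.txt\r\n"));
    printf("NLST + 600 bytes -> %d\n", nlst_check_line(synthetic_nlst_line(600)));
    printf("checked handler  -> %d\n", nlst_handle_checked(synthetic_nlst_line(600) + 5));
    return 0;
}
```

The point of the line-level check is that it looks at the argument length rather than at any particular payload bytes, which is why a signature of this shape keeps catching new exploit variants for the same overflow; the one thing it cannot see is an argument that arrives in pieces, so a real IPS reassembles the TCP stream before applying it.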
Although no patch is currently available for this vulnerability, Check Point has 0-day protection available through its IPS products. Check Point IPS Software Blade customers are automatically protected from this vulnerability if they use the ‘Recommended Profile’. SmartDefense customers have been protected against exploits of this vulnerability since March of 2006. IPS-1 has provided dedicated IPS protection since December 2008. See CPAI-2009-153.
Check Point continues to monitor this issue and has released a protection for a newly discovered attack vector; see CPAI-2009-183.


