
Two IIS Information Disclosure Vulnerabilities

Severity: Medium

Summary:

Exposure:

Internet Information Services (IIS) is the popular Web and FTP server that ships with all server versions of Windows.

In a security bulletin released today as part of Patch Day, Microsoft describes two relatively minor information disclosure vulnerabilities that affect the popular web server and its optional FTP server.

The first is a local credential disclosure vulnerability due to an unprotected log file. Basically, a particular IIS log file stores the credentials for a configured user in clear text. If an attacker can already log into your IIS server, they can learn the credentials of your configured IIS users. Granted, if an attacker can already log into your IIS server, you have bigger problems to solve.

The second issue is an unspecified FTP command injection vulnerability. Microsoft doesn’t describe this flaw in much detail, only saying that an unauthenticated attacker can execute a limited set of FTP commands on IIS servers by sending specially crafted FTP commands. The attack works even if you do not enable “anonymous” FTP access. According to Microsoft’s bulletin, a malicious client can leverage this vulnerability to “obtain information disclosure on a vulnerable system.” However, they don’t really say what information the attacker can disclose, whether that means access to the files on the FTP site or some other information. Since the IIS FTP service is not enabled by default, and Microsoft only rates this flaw as Moderate, it doesn’t sound that severe.

That said, we still recommend you download, test, and deploy Microsoft’s IIS updates at your earliest convenience.

Solution Path:

Microsoft has released IIS updates to correct these vulnerabilities. If you manage IIS servers, download, test, and deploy the corresponding update at your earliest convenience.

You’ll find links to the updates in the “Affected and Non-Affected Software” section of Microsoft’s IIS security bulletin.

For All WatchGuard Users:

Since at least one of these attacks is a local-only threat, which a gateway appliance can’t prevent, we recommend you apply the updates described above.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)
