Reported May 14, 2001, by Microsoft.
VERSIONS AFFECTED
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
DESCRIPTION
Three vulnerabilities were recently discovered in Microsoft Internet Information Server (IIS) 4.0 and Microsoft Internet Information Services (IIS) 5.0 that can lead to Denial of Service (DoS), remote command execution, and information disclosure. The DoS vulnerability is in the function the FTP service uses to process wildcard characters in service requests. The remote command execution vulnerability lets an attacker run commands on the server in the security context of IUSR_machinename, the anonymous Web account, which by default is a member of the Everyone group; anything that account can read or execute on the server is therefore reachable by an unauthenticated attacker. The information disclosure vulnerability lets an attacker use the FTP service to discover Guest accounts that the service inadvertently exposes. You can find more detailed information about these vulnerabilities in Microsoft Security Bulletin MS01-026 on Microsoft's Web site.
VENDOR RESPONSE
The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the cumulative IIS patch referenced in Security Bulletin MS01-026.
CREDIT
Discovered by Nsfocus, Lukasz Luzar, Aiden O'Rawe, and Kevin Kotas.