Yesterday, I posted an article about an Nmap script to detect potentially vulnerable Microsoft IIS FTP servers.
I updated the script, which now accepts an alternative FTP user and password pair on the command line (thanks to Chris for the comment). If no arguments are provided, an anonymous FTP session will be started.
# nmap -p 21 -sV --script=IIS-FTP --script-args=ftpuser=foo,ftppass=bar 10.0.0.7
The script location remains the same.
A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.
Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:
- Check if anonymous sessions are allowed.
- Check if the detected FTP server is running Microsoft ftpd.
- Check if the MKDIR command is allowed (this seems to be required by the exploit)
If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other hand, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!
To use the Nmap script, copy it to your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:
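The three checks above, written out in Python with the standard ftplib module as an added example (this is not the NSE script from the post). The function names, the probe directory name and the match on "Microsoft" in the greeting are assumptions made for illustration; the alternative user and password pair is supported the same way as in the updated script.

```python
import ftplib
import uuid


def assess(ftp, user="anonymous", password="audit@example.invalid"):
    """Run the post's three checks on a connected ftplib.FTP-like object."""
    res = {"login": False, "microsoft": False, "mkdir": False, "leftover": None}
    # Assumption: an IIS FTP server names Microsoft in its 220 greeting.
    res["microsoft"] = "microsoft" in ftp.getwelcome().lower()
    try:
        ftp.login(user, password)      # anonymous unless a pair is supplied
        res["login"] = True
    except ftplib.all_errors:
        return res                     # no session, nothing more to test
    probe = "audit-" + uuid.uuid4().hex[:8]   # constructed, unlikely to collide
    try:
        ftp.mkd(probe)
        res["mkdir"] = True
    except ftplib.all_errors:
        return res
    try:
        ftp.rmd(probe)                 # clean up the probe directory
    except ftplib.all_errors:
        res["leftover"] = probe        # report it so an admin can remove it
    return res


def verdict(res):
    """Map check results to a finding, keeping the post's two messages apart."""
    if res["login"] and res["mkdir"]:
        if res["microsoft"]:
            return "potentially vulnerable: Microsoft ftpd, login and mkdir allowed"
        return "misconfigured: this account can create directories"
    return "no finding"


def audit(host, port=21, user="anonymous", password="audit@example.invalid"):
    """Connect to one server and return (results, verdict)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        res = assess(ftp, user, password)
    return res, verdict(res)
```

A non-Microsoft server that lets the account create directories is still reported, since that setting needs fixing on its own.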
# nmap --script-updatedb
Then, the script will be executed against all detected FTP servers (using the “-sC” argument), or you can specify only this script to be executed (for speed):
# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7
Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows
The script is available here. Note that it is provided “as is”: it’s just a quick hack which worked for me.
Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.