A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.
Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:
- Check if anonymous sessions are allowed.
- Check if the detected FTP server is running Microsoft ftpd.
- Check if the MKDIR command is allowed (this seems to be required by the exploit).
If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other hand, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!
To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:
# nmap --script-updatedb
Then, the script will be executed against all detected FTP servers (using the “-sC” argument), or you can specify only one script to be executed (for speed):
# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7
Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows
The script is available here. Note that it is provided “as is”; it’s just a quick hack which worked for me.
Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.
It seems that Lua variables must be declared now 🙂
Just add the following line before the while loop (line 61):
local isVuln = false
Let me know if it worked!
/x
I know I’m late to the party, but I’m getting an error here with nmap 7.25BETA2.
NSE: IIS-FTP against :21 threw an error!
/usr/bin/../share/nmap/scripts/IIS-FTP.nse:84: variable ‘isVuln’ is not declared
stack traceback:
[C]: in function ‘error’
/usr/bin/../share/nmap/nselib/strict.lua:80: in metamethod ‘__index’
/usr/bin/../share/nmap/scripts/IIS-FTP.nse:84: in function
(…tail calls…)
@ Zack,
Put the script also in the /usr/local/share/nmap/scripts folder.
Check the folder permissions -> chmod 644
-adios
hi,
I have created a new file IIS-FTP.nse and paste the code (/usr/local/nmap/scripts).
issue this command -> nmap --script-updatedb
When I run it this is the result:
nmap -p 21 --script=IIS-FTP 192.168.41.2
Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-04 16:26 PHT
NSE: failed to initialize the script engine:
./nse_main.lua:390: ‘IIS-FTP’ did not match a category, filename, or directory
stack traceback:
[C]: in function ‘error’
./nse_main.lua:390: in function ‘get_chosen_scripts’
./nse_main.lua:594: in main chunk
[C]: ?
What are the other steps and commands when adding a new script (.nse files)?
I hope anybody can assist
by the way insecure and nmap site seems to be not working (some pages)
I’m not sure that write access is required. What if a long enough pathname is already present in the server?
After digging deeper into the timing problems, it seems that sending
try(socket:send("USER anonymous\r\n"))
try(socket:send("PASS IEUser@\r\n"))
directly after each other on a low latency network is too fast for the IIS FTP! The PASS command isn't really recognized by the IIS. It responds with “331 Password required” and the script waiting for ^230 obviously runs into a timeout.
I think the changes below make the script more reliable:
try(socket:send("USER anonymous\r\n"))
-- consume replies until the 331 "password required" line arrives
while status do
    status, result = socket:receive_lines(1)
    if string.match(result, "^331") then
        break
    end
end
try(socket:send("PASS IEUser@\r\n"))
Sorry for a misleading post regarding nmap 5.0 !
BTW – the origin of this script anon-ftp.nse seems to carry the same problem.
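To make the post's three checks (Microsoft ftpd, anonymous login, MKD allowed) and the timing fix from this comment concrete, here is an added Python model of the check. It is not the original NSE script or any of the commenters' code: it drives the FTP dialogue against a constructed in-memory fake server (FakeFtpServer, which also drops a PASS sent before the 331 has been read, to reproduce the race described above), so it runs offline. The credentials, the probe directory name nse_probe_dir and the banner-based vendor match are assumptions; the real script relies on Nmap version detection for the vendor check.

```python
import re

# Credentials used in the post's script (constructed example, not the original NSE code).
ANON_USER = "anonymous"
ANON_PASS = "IEUser@"
PROBE_DIR = "nse_probe_dir"  # hypothetical directory name used for the MKD test


class FakeFtpServer:
    """Constructed in-memory stand-in for an IIS FTP socket, so the check runs offline.

    It models the timing problem from the comments: a PASS that arrives while the
    '331' reply to USER is still unread is silently dropped, as IIS was observed to do.
    """

    def __init__(self, banner="220 Microsoft FTP Service", allow_anon=True, allow_mkd=True):
        self.replies = [banner] if isinstance(banner, str) else list(banner)
        self.allow_anon = allow_anon
        self.allow_mkd = allow_mkd
        self.logged_in = False
        self.commands = []  # verbs seen, so a caller can check the probe cleaned up

    def send(self, data):
        cmd, _, arg = data.strip().partition(" ")
        self.commands.append(cmd)
        if cmd == "USER":
            self.replies.append("331 Password required for %s." % arg)
        elif cmd == "PASS":
            if any(r.startswith("331") for r in self.replies):
                return  # 331 still pending: PASS came too fast and is ignored
            self.logged_in = self.allow_anon
            self.replies.append("230 User logged in." if self.logged_in else "530 User cannot log in.")
        elif cmd == "MKD":
            ok = self.logged_in and self.allow_mkd
            self.replies.append('257 "%s" directory created.' % arg if ok else "550 Access is denied.")
        elif cmd == "RMD":
            self.replies.append("250 RMD command successful.")
        elif cmd == "QUIT":
            self.replies.append("221 Goodbye.")

    def recv_line(self):
        if not self.replies:
            raise TimeoutError("no reply pending")  # what the NSE script sees as a timeout
        return self.replies.pop(0)


def read_reply(recv_line):
    """Read one FTP reply, including the multi-line 'NNN-' form; return (code, lines)."""
    first = recv_line()
    lines = [first]
    m = re.match(r"^(\d{3})([ -])", first)
    if not m:
        return None, lines
    code = int(m.group(1))
    while m.group(2) == "-" and not lines[-1].startswith("%d " % code):
        lines.append(recv_line())
    return code, lines


def check_iis_ftp(server):
    """The three conditions from the post, evaluated in order; returns a findings dict."""
    findings = {"microsoft_ftpd": False, "anonymous": False, "mkdir": False}
    code, banner = read_reply(server.recv_line)
    if code != 220:
        return findings
    # Assumption: the banner stands in for Nmap's version detection result.
    findings["microsoft_ftpd"] = any("Microsoft FTP" in line for line in banner)
    server.send("USER %s\r\n" % ANON_USER)
    code, _ = read_reply(server.recv_line)  # wait for 331 before PASS (the comment's fix)
    if code == 331:
        server.send("PASS %s\r\n" % ANON_PASS)
        code, _ = read_reply(server.recv_line)
    findings["anonymous"] = code == 230
    if findings["anonymous"]:
        server.send("MKD %s\r\n" % PROBE_DIR)
        code, _ = read_reply(server.recv_line)
        findings["mkdir"] = code == 257
        if findings["mkdir"]:
            server.send("RMD %s\r\n" % PROBE_DIR)  # leave the server as we found it
            read_reply(server.recv_line)
    server.send("QUIT\r\n")
    return findings


def pipelined_login(server):
    """The original back-to-back USER/PASS; returns the code after PASS, or None on timeout."""
    read_reply(server.recv_line)  # banner
    server.send("USER %s\r\n" % ANON_USER)
    server.send("PASS %s\r\n" % ANON_PASS)
    read_reply(server.recv_line)  # the 331
    try:
        return read_reply(server.recv_line)[0]
    except TimeoutError:
        return None


def verdict(findings):
    if all(findings.values()):
        return "IIS Server allow anonymous and mkdir (potentially vulnerable)"
    if findings["anonymous"] and findings["mkdir"]:
        return "anonymous users can create directories (fix regardless of ftpd vendor)"
    return "conditions not met"


if __name__ == "__main__":
    for srv in (FakeFtpServer(), FakeFtpServer(allow_mkd=False), FakeFtpServer(banner="220 vsFTPd 2.0.7")):
        print(verdict(check_iis_ftp(srv)))
    print("pipelined login result:", pipelined_login(FakeFtpServer()))
```

The second verdict string reflects the post's own point: anonymous write access is a misconfiguration worth fixing whatever the server vendor, so the check reports it separately instead of staying silent when the vendor condition fails. The probe removes the directory it created so the scan does not leave artifacts behind.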
Hey Xavier,
I was just thinking of writing this exact script. You beat me to it! 🙂
nmap-dev is for general Nmap discussion. In reality, anything and everything related to Nmap goes there. Scripts, Nmap itself, whatever. I highly recommend posting it there. I’ll link you from my blog, as well.
Ron
Great script! But it seems to run into some timing problems with nmap 5.0, so don't rely on the results when using nmap 5.x
Hi Fyodor,
Wow! That’s a great pleasure for me to read a comment from the Nmap author! Congratulations about your fabulous tool.
I’ll have a look at the mailing list. But according to the name, it’s a list about Nmap developers or it is a list dedicated only to scripts?
Nice! How about announcing your script and blog post to nmap-dev(at)insecure.org so everyone can take a look and discuss it? We love to see new scripts!
Indeed, an anonymous or a regular user will give the same results. But performing a dictionary based attack via a Nmap script is not relevant in terms of scan performance…
If you have a known FTP user in your infrastructure, feel free to replace the credentials in the script.
This is great, but I don’t think it should be limited to anonymous users. I think this could be just as easily executed by an authenticated user.