Detecting Vulnerable IIS-FTP Hosts Using Nmap

Exploit Target
A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

  • Check if anonymous sessions are allowed.
  • Check if the detected FTP server is running Microsoft ftpd.
  • Check if the MKDIR command is allowed (this seems to be required by the exploit)

If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other side, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!

To use the Nmap script, copy it in your local script repositoty (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:

# nmap --script-updatedb

Then, the script will be executed against all detected FTP servers (using the “-Sc” argument) or you can specify only one script to be executed (for speed):

# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”. it’s just a quick hack which worked for me.

Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.

12 comments

  1. It seems that LUA variables must be declared now 🙂
    Just add the following line before the while loop (line 61):

    isVuln = false

    Let me know if it worked!

    /x

  2. I know I’m late to the party, but I’m getting an error here with nmap 7.25BETA2.

    NSE: IIS-FTP against :21 threw an error!
    /usr/bin/../share/nmap/scripts/IIS-FTP.nse:84: variable ‘isVuln’ is not declared
    stack traceback:
    [C]: in function ‘error’
    /usr/bin/../share/nmap/nselib/strict.lua:80: in metamethod ‘__index’
    /usr/bin/../share/nmap/scripts/IIS-FTP.nse:84: in function
    (…tail calls…)

  3. @ Zack,

    put the scripts also in /usr/local/share/nmap/scripts folder
    check the folder permission -> chmod 644

    -adios

  4. hi,
    I have created a new file IIS-FTP.nse and paste the code (/usr/local/nmap/scripts).
    issue this command -> nmap –script-updatedb

    When I run it this is the result:
    nmap -p 21 –script=IIS-FTP 192.168.41.2
    Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-04 16:26 PHT
    NSE: failed to initialize the script engine:
    ./nse_main.lua:390: ‘IIS-FTP’ did not match a category, filename, or directory
    stack traceback:
    [C]: in function ‘error’
    ./nse_main.lua:390: in function ‘get_chosen_scripts’
    ./nse_main.lua:594: in main chunk
    [C]: ?

    What are the other steps and command when adding a new script(.nse files)?
    I hope anybody can assist

    by the way insecure and nmap site seems to be not working (some pages)

  5. After digging deeper into the timing problems, it seems that sending

    try(socket:send(“USER anonymous\r\n”))
    try(socket:send(“PASS IEUser@\r\n”))

    direct after each other on a low latency network is too fast for the IIS FTP ! the PASS command isn´t really recognized by the IIS. It responds with “331 Password required” and the script waiting for ^230 obviously runs into a timeout.

    I think the changes below make the script more reliable:

    try(socket:send(“USER anonymous\r\n”))

    while status do
    status, result = socket:receive_lines(1);
    if string.match(result, “^331”) then
    break
    end
    end

    try(socket:send(“PASS IEUser@\r\n”))

    Sorry for a misleading post regarding nmap 5.0 !

    BTW – the origin of this script anon-ftp.nse seems to carry the same problem.

  6. Hey Xavier,

    I was just thinking of writing this exact script. You beat me to it! 🙂

    nmap-dev is for general Nmap discussion. In reality, anything and everything related to Nmap goes there. Scripts, Nmap itself, whatever. I highly recommend posting it there. I’ll link you from my blog, as well.

    Ron

  7. Great Script ! But seems to run in some timing problems with nmap 5.0 – so don´t rely on the results when using nmap 5.x

  8. Hi Fyodor,
    Wow! That’s a great pleasure for me to read a comment from the Nmap author! Congratulations about your fabulous tool.

    I’ll have a look at the mailing list. But according to the name, it’s a list about Nmap developers or it is a list dedicated only to scripts?

  9. Nice! How about announcing your script and blog post to nmap-dev(at)insecure.org so everyone can take a look and discuss it? We love to see new scripts!

  10. Indeed an anonymous as a regular user will give the same results. But performing a dictionary based attack via a Nmap script is not relevant in terms of scan performance…

    If you have a known FTP user in your infrastructure, feel free to replace the credentials in the script.

Leave a Reply

Your email address will not be published. Required fields are marked *