A critical flaw in the FTP component of Microsoft Internet Information Service (IIS) can allow an attacker to execute malicious commands on a server, Microsoft warned in a new security advisory.
According to a Microsoft Security Research & Defense post, if a vulnerable IIS 5.0 (Windows 2000), 5.1 (XP) or 6.0 (Server 2003) FTP service attempts to list a “long, specially-crafted directory name,” a stack overflow will occur that can allow for remote code execution. IIS 7.0 (Vista, Server 2008) is not vulnerable, according to the post.
To be hit, “an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory.”
There is not yet any patch available, and Microsoft says it has seen “detailed exploit code” available online, though it hasn't yet seen any active attacks. Microsoft's post lists workarounds for the time being, including how to prevent anonymous FTP users from being able to create directories.