September 1, 2009

A quick grep on recent IIS Ftp 0day

You must have already heard about recently released 0day for Mircosoft IIS 5.0/6.0 .Well , I`m glad that I've started a project some times ago about gaining knowledge of Iranian`s public IP addresses .
So , in case you're curious how many _possible_ victims may be out there in Iran before I publicly release my paper about the entire analysis , below is a quick grep for your estimations :)


$>cat IRAN | grep -i "microsoft ftp" -c
914

$>cat IRAN | grep -i "microsoft ftpd 5" -c
62
[*Numbers updated,as I used the wrong source for grep at first]

'microsoft ftp' represent IIS 6.0 Ftp , and 5.0 is clear . Since it`s not an intrusive kind of grep for now, I can not tell you how many of above numbers may be really affected since :

1-Vulnerability is NOT triggerable on default IIS (only 6.0 tested) because ~>
2-Exploiting this vulnerability require privileged (write) access on ftp and ~>
3-Even if anonymous access is allowed , it does NOT have write access by default, and ~>
4-Unrelated fact: exploiting IIS Ftpd 6.0 will lead to unprivileged code-exec since Windows 2003 is NOT running IIS as SYSTEM, like IIS 5.0 does .



No comments:

Post a Comment