Full Disclosure mailing list archives
Re: Microsoft Internet Information Server ftpd zeroday
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 8 Sep 2009 12:46:40 +0200
Hi Kingcope, Thanks to a hint by "Petar" on the G-SEC blog [1] it appears that the very same bug was present in IIS3 and IIS4 and discovered by eeye in 1999 : http://research.eeye.com/html/advisories/published/AD19990124.html "Microsoft IIS (Internet Information Server) FTP service contains a buffer overflow in the NLST command. This could be used to DoS a remote machine and in some cases execute code remotely." Is this the same bug andwas the bug re-introduced ? Has Microsoft fixed LS but not NLST? "svn" mishap ? Maybe Mudge and/or Dildog can comment - would certainly be interesting to know whether and if HOW this bug was reintroduced. [1] http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html Regards, Thierry ZOLLER -- http://blog.zoller.lu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Microsoft Internet Information Server ftpd zeroday Thierry Zoller (Sep 08)