CVE-2009-2521

Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka IIS FTP Service DoS Vulnerability.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Potential Mitigations

• Mitigation of resource exhaustion attacks requires that the target system either:

• The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

• The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/147.html
• https://cwe.mitre.org/data/definitions/227.html
• https://cwe.mitre.org/data/definitions/492.html

References

• http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html
• http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ975191
• http://www.us-cert.gov/cas/techalerts/TA09-286A.html
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6508
• http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html
• http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ975191
• http://www.us-cert.gov/cas/techalerts/TA09-286A.html
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6508