New IIS attacks - TrafficScript to the rescue

I've just seen an article on The Register about a new exploit in the wild. Microsoft IIS FTP service is vulnerable to a new exploit, see: Microsoft Security Advisory (975191). Fortunately you can quickly protect your FTP server with just a few lines of TrafficScript.

TrafficScript Request Rule

The TrafficScript below will detect common exploit attempts, deny them from reaching the FTP service, and log a warning in your event log.

# Read the FTP command data the client has sent so far
$data = request.get( request.getLength() );

# Match a recursive LIST whose argument contains a "../" traversal component
if ( String.regexMatch( $data, "LIST -R.*/\\.\\./" ) ) {
   # Record the source address and the offending request in the event log
   log.warn( "Exploit Attempt from: " . request.getRemoteIP() . " Request: " . $data );
   # Answer the client directly, so the command never reaches the FTP service
   request.sendResponse( "553 Nice Try!\n" );
}

You will need to configure this rule as a request rule, and set it to run "every time".
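To see what the rule above lets through and what it blocks, here is a small Python harness (an added example, not TrafficScript and not part of the original post) that applies the same regular expression to a handful of constructed FTP command lines and produces the same warning text the rule writes to the event log. It also goes one step beyond the page's rule with a hardened pattern: FTP command verbs are case-insensitive under RFC 959, so a production version of the check should match without regard to case and anchor on the verb at the start of a line. The sample commands and the 192.0.2.10 address are made up for the example.

```python
import re

# Pattern taken verbatim from the TrafficScript rule on this page: a
# recursive LIST whose argument contains a "../" traversal component.
EXPLOIT_PATTERN = re.compile(r"LIST -R.*/\.\./")

# Hardened variant (added here, not from the page): RFC 959 command verbs
# are case-insensitive, so ignore case, and anchor at the start of a line
# so the verb really is LIST. MULTILINE because the rule reads the whole
# buffer, which may hold more than one command line.
EXPLOIT_PATTERN_HARDENED = re.compile(
    r"^LIST\s+-R.*/\.\./", re.IGNORECASE | re.MULTILINE
)

# Constructed sample command lines, CRLF-terminated as an FTP client would
# send them. These are not captured traffic.
SAMPLE_COMMANDS = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "CWD pub\r\n",
    "LIST\r\n",
    "LIST -R\r\n",
    "LIST -R docs/../\r\n",   # matches the page's rule
    "list -R docs/../\r\n",   # lower-case verb: only the hardened rule matches
    "NLST\r\n",
]

# The reply the rule sends; FTP lines end in CRLF, so that is used here.
DENY_RESPONSE = "553 Nice Try!\r\n"


def is_exploit_attempt(line: str, pattern=EXPLOIT_PATTERN) -> bool:
    """Mirror of the rule's regexMatch test: True when the line matches."""
    return pattern.search(line) is not None


def filter_commands(lines, remote_ip: str, pattern=EXPLOIT_PATTERN):
    """Apply the rule to each command line.

    Returns (forwarded, events): forwarded holds the lines that would reach
    the FTP service, events the warning strings the rule would log, in the
    same format as the page's log.warn() call.
    """
    forwarded = []
    events = []
    for line in lines:
        if is_exploit_attempt(line, pattern):
            events.append(
                f"Exploit Attempt from: {remote_ip} Request: {line.rstrip()}"
            )
        else:
            forwarded.append(line)
    return forwarded, events


if __name__ == "__main__":
    fwd, ev = filter_commands(SAMPLE_COMMANDS, "192.0.2.10")
    for event in ev:
        print(event)
    fwd_h, ev_h = filter_commands(
        SAMPLE_COMMANDS, "192.0.2.10", EXPLOIT_PATTERN_HARDENED
    )
    print(f"page rule blocked {len(ev)}, hardened rule blocked {len(ev_h)}")
```

Running the script shows the page's pattern blocking one of the eight sample lines and the hardened pattern blocking two; the difference is entirely the lower-case verb, which is why the case-insensitive match matters when you deploy a rule like this in front of a real FTP service.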

The issue stems from a problem in the IIS Globbing functionality, and is exploitable by even anonymous users as long as they have read access to a directory.

Web Application Protection

Although this particular problem is with the FTP service, it is important to protect all of the services you provide by using a multi-layered approach to security. The most common target, and the most ubiquitous service on the internet at large, is the web server. At Zeus we highly recommend that you think about deploying a Web Application Firewall (WAF) to protect your public-facing web services. Recently Zeus launched a new plugin which provides ZXTM with WAF functionality. See ZXTM AFM for more information.

Mark Boddington [Zeus Systems Engineering] 07 September 2009