PT-2009-1108 · Microsoft · Internet Information Services

Published: 2009-09-04 · Updated: 2020-11-23 · CVE-2009-2521

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions: Microsoft Internet Information Services (IIS) versions 5.0 through 7.0
Description: The issue is a stack consumption vulnerability in the FTP Service of Microsoft Internet Information Services (IIS). It allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot). The vulnerability lies in the recursive function SimulateLsWorker in the ftpsvc2.dll module, located in the C:\Windows\system32\inetsrv directory. An error in this function makes the recursion unbounded, leading to stack exhaustion and a crash of the process handling the user's request.
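The description above names the root cause (a recursive directory lister that never terminates on a wildcard followed by ..) rather than the fix. The following Python is an added, constructed analogue written for this page; it is not the code of ftpsvc2.dll or SimulateLsWorker, and the toy filesystem, function names and the 500-level guard are all assumptions made for the demonstration. It contrasts a lister that re-applies the pattern from an un-normalised path with one that canonicalises paths, tracks directories already visited in the walk, and caps recursion depth, which is the shape of defence a reviewer would look for in any recursive path walker.

```python
import fnmatch
import posixpath

# Constructed toy filesystem (not real IIS data): directory path -> entry names.
# Any path that is not a key is treated as a regular file.
FS = {
    "/": ["pub"],
    "/pub": ["docs", "readme.txt"],
    "/pub/docs": ["a.txt"],
}


def is_dir(path):
    return posixpath.normpath(path) in FS


def entries(path):
    return FS.get(posixpath.normpath(path), [])


def naive_ls_r(cwd, pattern, out, depth=0):
    """Constructed analogue of an unbounded recursive lister.

    The wildcard is expanded under cwd, the matched name and the rest of the
    pattern ('..' included) are appended textually, and -R recurses with the
    same pattern from the new, never-normalised path. 'docs/..' therefore looks
    like a fresh directory on every level and the recursion never terminates.
    """
    if depth > 500:  # stand-in for the real stack limit so the demo fails deterministically
        raise RecursionError("stack exhausted")
    first, _, rest = pattern.partition("/")
    for name in entries(cwd):
        if not fnmatch.fnmatch(name, first):
            continue
        child = cwd.rstrip("/") + "/" + name + ("/" + rest if rest else "")
        out.append(child)
        if is_dir(child):
            naive_ls_r(child, pattern, out, depth + 1)


def safe_ls_r(cwd, pattern, out, visited=None, depth=0, max_depth=32):
    """Hardened lister: canonicalise every path, refuse to descend into a
    directory already listed during this walk, and cap the depth outright."""
    visited = set() if visited is None else visited
    real = posixpath.normpath(cwd)
    if real in visited or depth > max_depth:
        return
    visited.add(real)
    first, _, rest = pattern.partition("/")
    for name in entries(real):
        if not fnmatch.fnmatch(name, first):
            continue
        if rest and not is_dir(posixpath.join(real, name)):
            continue  # a trailing '/..' after a file name is not a directory
        parts = [real, name] + ([rest] if rest else [])
        child = posixpath.normpath(posixpath.join(*parts))
        out.append(child)
        if is_dir(child):
            safe_ls_r(child, pattern, out, visited, depth + 1, max_depth)


def run(lister, cwd, pattern):
    """Run a lister and report whether it finished or exhausted the stack."""
    out = []
    try:
        lister(cwd, pattern, out)
        return "finished", out
    except RecursionError:
        return "stack exhausted", out


if __name__ == "__main__":
    for lister in (naive_ls_r, safe_ls_r):
        status, listing = run(lister, "/pub", "*/..")
        print(f"{lister.__name__:10} ls -R */..  -> {status}, {len(listing)} entries")
```

On benign input (a plain `*` from the root) both listers return the same four entries; on the wildcard-plus-dot-dot pattern the naive walker keeps descending into what is textually a new directory until the depth guard fires, while the hardened one normalises `docs/..` back to `/pub`, sees it has already been visited, and stops after a single entry. Either the visited set or the depth cap alone would prevent the crash; using both keeps the listing finite even when normalisation has gaps.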
Recommendations: For Microsoft Internet Information Services (IIS) versions 5.0 through 7.0, consider disabling the FTP Service as a temporary workaround until a patch is available. Restrict access to the ftpsvc2.dll module to minimize the risk of exploitation. Avoid using the list (ls) -R command with wildcards that reference subdirectories followed by .. (dot dot) on the affected FTP service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

BDU:2015-10407
CVE-2009-2521

Affected Products

Internet Information Services