Vulnerability Note VU#952336

Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters

Overview

A vulnerability exists in the Indexing Services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitation of this vulnerability allows a remote intruder to run arbitrary code on the victim machine.

I. Description

There is a remotely exploitable buffer overflow in the ISAPI (Indexing Service Application Programming Interface) extension (IDQ.DLL) installed with most versions of IIS 4.0 and 5.0. This affects Windows NT 4.0, Windows 2000 (Server and Professional), Windows 2000 Datacenter OEM distributions, Indexing Server 2.0, and the Indexing Services on all Windows 2000 platforms; however, not all of these instances are vulnerable by default. The beta versions of Windows XP are vulnerable by default.

The only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in MS01-033:

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.

When this buffer overflow is exploited, a remote user may be able to run arbitrary code on the victim machine with SYSTEM privileges (which the IIS service has by default).

Microsoft has released patches for this vulnerability that can be downloaded from

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833 (NT)
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800 (Windows 2000)

For more information, see MS01-033 and the eEye Digital Security bulletin.

Microsoft has released a patch which supersedes the two listed above. Please see MS01-044 for more information.

II. Impact

Remote intruders can execute arbitrary code with SYSTEM privileges in the Local System security context.

III. Solution

Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:

Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Users of Windows 2000 Datacenter Server software should contact their original equipment manufacturer (OEM) for patches.

Microsoft has released a patch which supersedes the two listed above. Please see MS01-044 for more information.

Workarounds

All affected versions of IIS/Indexing Services can be protected against exploits of this vulnerability by removing script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. However, Microsoft makes no guarantees that such mappings will not be recreated when installing other related software components.

Users of beta copies of Windows XP should upgrade to a newer version of the software when it becomes available.
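Because the script mappings can be recreated by later installs, reviewing IIS logs for requests that are routed to the .ida/.idq mapping is a useful ongoing check. The following is an added example, not part of this note or of any Microsoft tool; it assumes the default W3C extended log fields, uses a constructed sample log, and the 200-byte query threshold is an assumption chosen for illustration.

```python
"""Flag IIS W3C extended log entries that reach the .ida/.idq ISAPI mapping.

Added example (not from the CERT note or Microsoft). Assumes the default
W3C fields shown in the #Fields directive below. The sample log is
constructed; the LONG_QUERY threshold is an assumed value.
"""

# Constructed sample log in IIS W3C extended format.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:15:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:15:02 192.0.2.11 GET /query.idq CiRestriction=report 200",
    "2001-07-19 10:15:03 192.0.2.12 GET /default.ida " + "X" * 240 + " 200",
    "2001-07-19 10:15:04 192.0.2.13 GET /scripts/test.IDA - 404",
])

RISKY_EXTENSIONS = (".ida", ".idq")   # extensions mapped to idq.dll
LONG_QUERY = 200                       # assumed "abnormally long" threshold


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_idq_requests(text):
    """Return (client ip, uri stem, reason) for each .ida/.idq request.

    The note quotes Microsoft that the overrun happens before any indexing
    functionality runs, so every request handed to the mapping is worth
    reviewing regardless of the status code the server returned.
    """
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if stem.lower().endswith(RISKY_EXTENSIONS):
            reason = "long query" if len(query) >= LONG_QUERY else "ida/idq request"
            hits.append((rec.get("c-ip", "?"), stem, reason))
    return hits


if __name__ == "__main__":
    for ip, stem, reason in find_idq_requests(SAMPLE_LOG):
        print(f"{ip} {stem} {reason}")
```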

Systems Affected

Vendor      Status       Date Updated
Microsoft   Vulnerable   16-Aug-2001

References

https://www.kb.cert.org/vuls/id/952336
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
http://support.microsoft.com/support/kb/articles/Q300/9/72.ASP
http://www.eeye.com/html/Research/Advisories/AD20010618.html
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp
http://www.securityfocus.com/bid/2880

Credit

Our thanks to Microsoft Corporation and eEye Digital Security for contributing technical information about this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public: 06/18/2001
Date First Published: 06/19/2001 02:50:18 PM
Date Last Updated: 08/16/2001
CERT Advisory: CA-2001-13
CVE Name: CAN-2001-0500
Metric: 69.30
Document Revision: 29


Copyright 2001 Carnegie Mellon University