Vulnerability Note VU#952336

Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters

Original Release date: 19 Jun 2001 | Last revised: 16 Aug 2001

Overview

A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitations of this vulnerability allows a remote intruder to run arbitrary code on the victim machine.

Description

There is a remotely exploitable buffer overflow in the ISAPI (Indexing Service Application Programming Interface) extension (IDQ.DLL) installed with most versions of IIS 4.0 and 5.0. This affects Windows NT 4.0, Windows 2000 (Server and Professional), Windows 2000 Datacenter OEM distributions, Indexing Server 2.0, and the Indexing Services on all Windows 2000 platforms; however, not all of these instances are vulnerable by default. The beta versions of Windows XP are vulnerable by default.

The only precondition for exploiting this vulnerability is that an IIS server is running with script mappings for Internet Data Administration (.ida) and Internet Data Query (.idq) files. The Indexing Services do not need to be running. As stated by Microsoft in MS01-033:

The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.

When this buffer overflow is exploited, a remote user may be able run arbitrary code on the victim machine with SYSTEM privileges (which the IIS service has by default).

Microsoft has released patches for this vulnerability that can be downloaded from

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833 (NT)
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800 (Windows 2000)

For more information, see MS01-033 and the eEye Digital Security bulletin.

Microsoft has released a patch which supercedes the two listed above. Please see MS01-044 for more information.

Impact

Remote intruders can execute arbitrary code with SYSTEM privileges in the Local System security context.

Solution

Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Users of Windows 2000 Datacenter Server software should contact their original equipment manufacturer (OEM) for patches.

Microsoft has released a patch which supercedes the two listed above. Please see MS01-044 for more information.

Workarounds


All affected versions of IIS/Indexing Services can be protected against exploits of this vulnerbility by removing script mappings for for Internet Data Administration (.ida) and Internet Data Query (.idq) files. However, Microsoft makes no guarantees such mappings will not be recreated when installing other related software components.

Users of beta copies of Windows XP should upgrade to a newer version of the software when it becomes available.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MicrosoftAffected18 Jun 200116 Aug 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Our thanks to Microsoft Corporation and eEye Digital Security for contributing technical information about this vulnerability.

This document was written by Jeffrey S. Havrilla

Other Information

  • CVE IDs: CAN-2001-0500
  • CERT Advisory: CA-2001-13
  • Date Public: 18 Jun 2001
  • Date First Published: 19 Jun 2001
  • Date Last Updated: 16 Aug 2001
  • Severity Metric: 69.30
  • Document Revision: 29

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.