Vulnerability Note VU#657118
Microsoft Windows Indexing Service fails to properly handle query validation
A vulnerability in the Microsoft Indexing Service could allow an attacker to execute arbitrary code on an affected system.
The Microsoft Indexing Service provides applications and scripts with a means of managing, querying, and indexing information in file systems or web servers. It is included as a base service on some versions of Windows. A vulnerability exists in the way that the Indexing Service uses an unchecked buffer in the handling of queries. An attacker with the ability to supply a long, specially-crafted query to the Indexing Service may be able to exploit this vulnerability. Additional details about the nature of the query malformation exploiting this vulnerability are unknown.
The level of exposure to a vulnerable system is dependent on how the Indexing Service is configured:
- If the Indexing Service is not accessible through the web server (IIS), then the vulnerability could only be exploited by a local, authenticated attacker
- If the Indexing Service is accessible through IIS, then the vulnerability could be exploited by a remote attacker
- If access controls have been placed on the query pages, only authenticated remote attackers would be able to exploit this vulnerability
- If access controls have not been placed on the query pages, any anonymous remote attacker would be able to exploit this vulnerability
An attacker may be able to execute code of their choosing on an affected system by constructing a malicious query. The attacker-supplied code would be executed with Local System privileges, resulting in a complete system compromise. Microsoft reports that while remote code execution is possible, an attack would most likely result in a denial of service condition.
Apply a patch from the vendor
Microsoft Security has published Microsoft Security Bulletin MS05-003 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.
Microsoft has published the following workarounds in MS05-003. Users, particularly those who are unable to apply the patches, should consider implementing these workarounds.
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
|•||Block the following at the firewall:|
These ports could be used to initiate a connection with the Indexing Service to perform file system based queries. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability through these ports. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
|•||UDP ports 137 and 138 and TCP ports 139 and 445|
|•||Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.
If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. We recommend that you block all unsolicited inbound communication from the Internet.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
To configure Internet Connection Firewall manually for a connection, follow these steps:
|Click Start, and then click Control Panel.|
|In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.|
Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services that are required.
|Click Start, and then click Control Panel.|
|In the default Category View, click Networking and Internet Connections, and then click Network Connections.|
|Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.|
|Click the Advanced tab.|
|Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.|
|•||Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
|•||Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
|•||Remove the Indexing Service if you do not need it:
If the Indexing Service is no longer needed, you could remove it by following this procedure.
To configure components and services:
|In Control Panel, open Add or Remove Programs. |
|Click Add/Remove Windows Components. |
|Click to clear the Indexing Service check box to remove the Indexing Service.|
|Complete the Windows Components Wizard by following the instructions on the screen. |
|•||You could modify any web pages that use the Index Service to block queries longer than 60 characters. Microsoft Knowledge Base Article 890621 provides more information on how to perform these steps.|
If you are a vendor and your product is affected, let
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||-||11 Jan 2005|
Thanks to Microsoft Security for reporting this vulnerability.
This document was written by Chad Dougherty based on information provided by Microsoft.
11 Jan 2005
Date First Published:
20 Jan 2005
Date Last Updated:
20 Jan 2005
If you have feedback, comments, or additional information about this vulnerability, please send us email.