Microsoft Windows Indexing Service fails to properly handle query validation
Vulnerability Note VU#657118
Original Release Date: 2005-01-20 | Last Revised: 2005-01-20
A vulnerability in the Microsoft Indexing Service could allow an attacker to execute arbitrary code on an affected system.
The Microsoft Indexing Service provides applications and scripts with a means of managing, querying, and indexing information in file systems or web servers. It is included as a base service on some versions of Windows. A vulnerability exists in the way that the Indexing Service uses an unchecked buffer in the handling of queries. An attacker with the ability to supply a long, specially crafted query to the Indexing Service may be able to exploit this vulnerability. Additional details about the nature of the query malformation that exploits this vulnerability are unknown.
The level of exposure of a vulnerable system depends on how the Indexing Service is configured:
If the Indexing Service is not accessible through the web server (IIS), then the vulnerability could only be exploited by a local, authenticated attacker.
If the Indexing Service is accessible through IIS, then the vulnerability could be exploited by a remote attacker:
  If access controls have been placed on the query pages, only authenticated remote attackers would be able to exploit this vulnerability.
  If access controls have not been placed on the query pages, any anonymous remote attacker would be able to exploit this vulnerability.
An attacker may be able to execute code of their choosing on an affected system by constructing a malicious query. The attacker-supplied code would be executed with Local System privileges, resulting in a complete system compromise. Microsoft reports that while remote code execution is possible, an attack would most likely result in a denial of service condition.
Apply a patch from the vendor
Microsoft Security has published Microsoft Security Bulletin MS05-003 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.
Microsoft has published the following workarounds in MS05-003. Users, particularly those who are unable to apply the patches, should consider implementing these workarounds.
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Block the following at the firewall:
UDP ports 137 and 138 and TCP ports 139 and 445
These ports could be used to initiate a connection with the Indexing Service to perform file system based queries. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability through these ports. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
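The following Python audit is an added example, not part of the original note or of MS05-003. It checks an ordered inbound rule list for the four ports named above and reports any that are still allowed. The rule syntax, the first-match evaluation order, and the sample rules are assumptions constructed for illustration; adapt the parser to your firewall's actual export format.

```python
from dataclasses import dataclass

# Ports the workaround says to block at the firewall.
REQUIRED_BLOCKS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports, stored as range(lo, hi + 1)

def parse_rule(line):
    """Parse 'deny tcp 135-139' or 'allow tcp 80' (hypothetical format)."""
    action, proto, spec = line.split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"bad rule: {line!r}")
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {line!r}")
    return Rule(action, proto, range(lo, hi + 1))

def verdict(rules, proto, port, default="deny"):
    """Assumed semantics: first matching rule wins, else the default policy."""
    for rule in rules:
        if rule.proto in (proto, "any") and port in rule.ports:
            return rule.action
    return default

def exposed_ports(rule_lines, default="deny"):
    """Return the advisory ports that the rule set still lets in."""
    stripped = (line.split("#", 1)[0].strip() for line in rule_lines)
    rules = [parse_rule(line) for line in stripped if line]
    return [(proto, port) for proto, port in REQUIRED_BLOCKS
            if verdict(rules, proto, port, default) == "allow"]

# Constructed sample: a broad UDP allow shadows the later NetBIOS deny,
# and TCP 445 is explicitly allowed.
SAMPLE_RULES = """
allow tcp 80
allow tcp 443
deny tcp 135-139
allow udp 1-1023
deny udp 137-138   # never reached for 137/138
allow tcp 445
""".splitlines()

if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE_RULES):
        print(f"still reachable: {proto.upper()} {port}")
```
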
If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. We recommend that you block all unsolicited inbound communication from the Internet.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note: If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services that are required.
Enable advanced TCP/IP filtering on systems that support this feature.