Microsoft IIS idq.dll ISAPI extension buffer overflow

iis-isapi-idq-bo (6705)

High Risk

Description:

Microsoft Internet Information Server (IIS) is vulnerable to a buffer overflow in the handling of ISAPI (Internet Services Application Programming Interface) extensions. An unchecked buffer in the code that handles idq.dll ISAPI extensions in the Indexing Service for IIS could allow a remote attacker to overflow a buffer and execute code by sending a specially-crafted Indexing Service request. An attacker could exploit this vulnerability to gain complete control over the affected server.

This vulnerability is exploitable using the "Code Red" and "Code Red II" worm. The "Code Red" worm is a self-propagating worm that scans random IP addresses on port 80 searching for vulnerable Web servers. Once a vulnerable Web server is found, the worm performs malicious activity before propagating to other vulnerable hosts. The "Code Red II" worm does not deface Web sites, as the original version of the worm did, but it carries a more serious threat -- it contains a Trojan Horse payload, which could allow any remote attacker to further compromise infected systems. The "Code Red II" worm also has the ability to scan for vulnerable hosts much faster than previous versions, which has already been reported to cause failures in certain network components by overloading them with network traffic.

Platforms Affected:

• Microsoft, IIS 4.0
• Microsoft, IIS 5.0
• Microsoft, Index Server 2.0
• Microsoft, Indexing Service
• Microsoft, Internet Information Server 6.0 Beta
• Microsoft, Windows XP Beta

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
IisIsapiIdqBo
MS01-033

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_Code_Red
HTTP_Code_Red_II
HTTP_Code_Red_II_Plus
HTTP_IIS_Index_Server_Overflow
HTTP_IIS_Idq_Overflow
HTTP_IIS_Ida_Overflow

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS01-044. See References.

For Windows XP beta:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it was superseded by the patch released with MS01-044.

For Windows NT 4.0:
Microsoft originally provided a patch for this vulnerability in MS01-033, MS01-041, and MS02-001, but they have been superseded by the Security Roll-up patch released with MS02-018. See References.

For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS01-044, MS02-018, and MS02-062, and then superseded by the patch released with MS03-018. See References.

For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS02-001. See References.

Consequences:

Gain Access

References:

• CERT Advisory CA-2001-13, Buffer Overflow In IIS Indexing Service DLL at http://www.cert.org/advisories/CA-2001-13.html.
• CERT Advisory CA-2001-19, "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL at http://www.cert.org/advisories/CA-2001-19.html.
• CERT Advisory CA-2001-23, Continued Threat of the "Code Red" Worm at http://www.cert.org/advisories/CA-2001-23.html.
• CERT Incident Note IN-2001-09, "Code Red II:" Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL at http://www.cert.org/incident_notes/IN-2001-09.html.
• CIAC Information Bulletin L-098, Microsoft Index Server ISAPI Extension Buffer Overflow at http://www.ciac.org/ciac/bulletins/l-098.shtml.
• CIAC Information Bulletin L-117, The Code Red Worm at http://www.ciac.org/ciac/bulletins/l-117.shtml.
• CIAC Information Bulletin L-120, Cisco "Code Red" Worm Impact at http://www.ciac.org/ciac/bulletins/l-120.shtml.
• Cisco Security Notice 2004 March 27 19:30 UTC, Exploit for Multiple Cisco Vulnerabilities at http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml.
• Cisco System Field Notice July 20, 2001, "Code Red" Worm - Customer Impact at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.
• eEye Digital Security Team Alert AD20010618, All versions of Microsoft Internet Information Services Remote buffer overflow (SYSTEM Level Access) at http://www.eeye.com/html/Research/Advisories/AD20010618.html.
• Internet Security Systems Security Alert #79, Remote IIS Index Server ISAPI Extension Buffer Overflow at http://www.iss.net/xforce/alerts/id/advise79.
• Internet Security Systems Security Alert #89, X-Force Response to Concern About the "Code Red" Worm at http://www.iss.net/xforce/alerts/id/advise89.
• Internet Security Systems Security Alert #90, Resurgence of "Code Red" Worm Derivatives at http://www.iss.net/xforce/alerts/id/advise90.
• Microsoft Security Bulletin MS01-033, Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise at http://www.microsoft.com/technet/security/bulletin/ms01-033.mspx. (This security bulletin was superseded by MS01-044.)
• Microsoft Security Bulletin MS01-041, Malformed RPC Request Can Cause Service Failure at http://www.microsoft.com/technet/security/bulletin/ms01-041.mspx.
• Microsoft Security Bulletin MS01-044, 15 August 2001 Cumulative Patch for IIS at http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx.
• Microsoft Security Bulletin MS01-044, Cumulative Patch for IIS at http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx. (Supersedes MS01-033.)
• Microsoft Security Bulletin MS02-001, Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data at http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx.
• Microsoft Security Bulletin MS02-018, Cumulative Patch for Internet Information Services (Q319733) at http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx.
• Microsoft Security Bulletin MS02-062, Cumulative Patch for Internet Information Service (Q327696) at http://www.microsoft.com/technet/security/Bulletin/MS02-062.mspx.
• Microsoft Security Bulletin MS03-018, Cumulative Patch for Internet Information Service (811114) at http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx.
• National Infrastructure Protection Center Advisory 01-013, "Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 4.0 and 5.0" at http://www.nipc.gov/warnings/advisories/2001/01-013.htm.
• National Infrastructure Protection Center Advisory 01-015, "Ida Code Red Worm " at http://www.nipc.gov/warnings/advisories/2001/01-015.htm.
• BID-2880: MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
• CVE-2001-0500: Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.
• US-CERT VU#952336: Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters

Reported:

Jun 18, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page