Microsoft IIS idq.dll ISAPI extension buffer overflow
| iis-isapi-idq-bo (6705) |  High Risk |
Description:
Microsoft Internet Information Server (IIS) is vulnerable to a buffer overflow in the handling of ISAPI (Internet Services Application Programming Interface) extensions. An unchecked buffer in the code that handles idq.dll ISAPI extensions in the Indexing Service for IIS could allow a remote attacker to overflow a buffer and execute code by sending a specially-crafted Indexing Service request. An attacker could exploit this vulnerability to gain complete control over the affected server.
This vulnerability is exploitable using the "Code Red" and "Code Red II" worm. The "Code Red" worm is a self-propagating worm that scans random IP addresses on port 80 searching for vulnerable Web servers. Once a vulnerable Web server is found, the worm performs malicious activity before propagating to other vulnerable hosts. The "Code Red II" worm does not deface Web sites, as the original version of the worm did, but it carries a more serious threat -- it contains a Trojan Horse payload, which could allow any remote attacker to further compromise infected systems. The "Code Red II" worm also has the ability to scan for vulnerable hosts much faster than previous versions, which has already been reported to cause failures in certain network components by overloading them with network traffic.
*CVSS:
| Base Score: | 10 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 8.7 |
| Exploitability: | High |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
IisIsapiIdqBo
MS01-033
Enable the following checks in the ISS Protection Platform:
HTTP_Code_Red
HTTP_Code_Red_II
HTTP_Code_Red_II_Plus
HTTP_IIS_Index_Server_Overflow
HTTP_IIS_Idq_Overflow
HTTP_IIS_Ida_Overflow
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80
For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS01-044. See References.
For Windows XP beta:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it was superseded by the patch released with MS01-044.
For Windows NT 4.0:
Microsoft originally provided a patch for this vulnerability in MS01-033, MS01-041, and MS02-001, but they have been superseded by the Security Roll-up patch released with MS02-018. See References.
For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS01-044, MS02-018, and MS02-062, and then superseded by the patch released with MS03-018. See References.
For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS02-001. See References.
References:
- CERT Advisory CA-2001-13: Buffer Overflow In IIS Indexing Service DLL.
- CERT Advisory CA-2001-19: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
- CERT Advisory CA-2001-23: Continued Threat of the "Code Red" Worm.
- CERT Incident Note IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
- CIAC Information Bulletin L-098: Microsoft Index Server ISAPI Extension Buffer Overflow.
- CIAC Information Bulletin L-117: The Code Red Worm.
- CIAC Information Bulletin L-120: Cisco "Code Red" Worm Impact.
- Cisco Security Notice 2004 March 27 19:30 UTC: Exploit for Multiple Cisco Vulnerabilities.
- Cisco System Field Notice July 20, 2001: "Code Red" Worm - Customer Impact.
- eEye Digital Security Team Alert AD20010618: All versions of Microsoft Internet Information Services Remote buffer overflow (SYSTEM Level Access).
- Internet Security Systems Security Alert #79: Remote IIS Index Server ISAPI Extension Buffer Overflow.
- Internet Security Systems Security Alert #89: X-Force Response to Concern About the "Code Red" Worm.
- Internet Security Systems Security Alert #90: Resurgence of "Code Red" Worm Derivatives.
- Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise. (This security bulletin was superseded by MS01-044.)
- Microsoft Security Bulletin MS01-041: Malformed RPC Request Can Cause Service Failure.
- Microsoft Security Bulletin MS01-044: 15 August 2001 Cumulative Patch for IIS.
- Microsoft Security Bulletin MS01-044: Cumulative Patch for IIS. (Supersedes MS01-033.)
- Microsoft Security Bulletin MS02-001: Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data.
- Microsoft Security Bulletin MS02-018: Cumulative Patch for Internet Information Services (Q319733).
- Microsoft Security Bulletin MS02-062: Cumulative Patch for Internet Information Service (Q327696).
- Microsoft Security Bulletin MS03-018: Cumulative Patch for Internet Information Service (811114).
- National Infrastructure Protection Center Advisory 01-013: "Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 4.0 and 5.0".
- National Infrastructure Protection Center Advisory 01-015: "Ida Code Red Worm ".
- BID-2880: MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
- CVE-2001-0500: Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.
- US-CERT VU#952336: Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters
Platforms Affected:
- Microsoft Index Server 2.0
- Microsoft Indexing Service
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
- Microsoft Internet Information Server 6.0 beta
- Microsoft Windows XP beta
Reported:
Jun 18, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.