Microsoft Index Server and Indexing Service enables text searches on
an internet or intranet site via a web browser. Index Server ships with
Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.
An unchecked buffer exists in a certain ISAPI extension associated with the Index
Server and Indexing Service. A host running Microsoft Index Server or Indexing Service
is susceptible to the execution of arbitrary code, due to an unchecked buffer in the
'idq.dll' ISAPI extension. If a request is made, in a particular manner, to
a host with 'idq.dll' installed, either Index Server or Indexing Service will
experience a buffer overflow and allow the execution of arbitrary code. Unfortunately,
the Index Server and Indexing Service runs in the Local System context; therefore,
the attacker can specify arbitrary code to be run with Local System privileges.
'idq.dll' provides support for Internet Data Administration (.ida) files
and Internet Data Query (.idq) files. In order to exploit this vulnerability script mappings
that associate '.idq' and '.ida' files with 'idq.dll' must exist.
It should be noted that Index Server and Indexing Service do not need to be running in
order for an attacker to exploit this issue. 'idq.dll' is installed by default
when IIS is installed, subsequently IIS would need to be the only service running.
Successful exploitation of this vulnerability could lead to complete compromise of the target host.
It should be noted that this vulnerability is currently being exploited by the 'Code Red'
worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue.
Please see the reference section for further information regarding this worm.