Rapid7 Vulnerability & Exploit Database

MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 07/21/2001
Created: 07/25/2018
Added: 11/01/2004
Modified: 12/04/2013

Description

Microsoft Index Server and Indexing Service enable text searches on an internet or intranet site via a web browser. Index Server ships with Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.

An unchecked buffer exists in the 'idq.dll' ISAPI extension associated with Index Server and Indexing Service, leaving a host that runs either product susceptible to the execution of arbitrary code. If a request is made, in a particular manner, to a host with 'idq.dll' installed, either Index Server or Indexing Service will experience a buffer overflow and allow the execution of arbitrary code. Because Index Server and Indexing Service run in the Local System context, the attacker can specify arbitrary code to be run with Local System privileges.

'idq.dll' provides support for Internet Data Administration (.ida) files and Internet Data Query (.idq) files. In order to exploit this vulnerability, script mappings that associate '.idq' and '.ida' files with 'idq.dll' must exist.

Index Server and Indexing Service do not need to be running in order for an attacker to exploit this issue. 'idq.dll' is installed by default when IIS is installed, so IIS is the only service that needs to be running.

Successful exploitation of this vulnerability could lead to complete compromise of the target host.

It should be noted that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue. Please see the reference section for further information regarding this worm.
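Because the vulnerable code is reached only through the '.ida' and '.idq' script mappings, a quick exposure check is to list which clients have requested those extensions. The following is an added example, not part of the original advisory; it assumes IIS logs in W3C extended format with a `#Fields:` directive, the function names are hypothetical, and the log lines are constructed sample data.

```python
# Added example: flag requests that IIS would route to idq.dll (.ida / .idq).
# The log lines below are constructed sample data in W3C extended format.
from collections import Counter

IDQ_EXTENSIONS = (".ida", ".idq")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200
2001-07-19 14:02:15 198.51.100.7 GET /default.ida q=constructed-sample-value 200
2001-07-19 14:03:40 198.51.100.7 GET /scripts/Query.IDQ CiScope=/ 200
2001-07-19 14:05:02 192.0.2.10 GET /docs/ida-notes.txt - 404
"""

def find_idq_requests(log_text):
    """Return one dict per request whose URI stem ends in .ida or .idq."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(IDQ_EXTENSIONS):  # mappings are case-insensitive
            query = rec.get("cs-uri-query", "-")
            hits.append({
                "client": rec.get("c-ip", "-"),
                "stem": stem,
                "query_len": 0 if query == "-" else len(query),  # triage context
                "status": rec.get("sc-status", "-"),
            })
    return hits

def hits_per_client(hits):
    """Count matching requests per source address for triage."""
    return Counter(h["client"] for h in hits)

if __name__ == "__main__":
    for hit in find_idq_requests(SAMPLE_LOG):
        print(hit)
```

On a host that does not use Index Server or Indexing Service, any hit is worth reviewing, since no legitimate client should be requesting these extensions there.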

Solution(s)

  • http-iis-0044
