MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability

Description

Microsoft Index Server and Indexing Service enables text searches on an internet or intranet site via a web browser. Index Server ships with Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.

An unchecked buffer exists in a certain ISAPI extension associated with the Index Server and Indexing Service. A host running Microsoft Index Server or Indexing Service is susceptible to the execution of arbitrary code, due to an unchecked buffer in the 'idq.dll' ISAPI extension. If a request is made, in a particular manner, to a host with 'idq.dll' installed, either Index Server or Indexing Service will experience a buffer overflow and allow the execution of arbitrary code. Unfortunately, the Index Server and Indexing Service runs in the Local System context; therefore, the attacker can specify arbitrary code to be run with Local System privileges.

'idq.dll' provides support for Internet Data Administration (.ida) files and Internet Data Query (.idq) files. In order to exploit this vulnerability script mappings that associate '.idq' and '.ida' files with 'idq.dll' must exist.

It should be noted that Index Server and Indexing Service do not need to be running in order for an attacker to exploit this issue. 'idq.dll' is installed by default when IIS is installed, subsequently IIS would need to be the only service running.

Successful exploitation of this vulnerability could lead to complete compromise of the target host.

It should be noted that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue. Please see the reference section for further information regarding this worm.