J-Security Center

Title: MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Microsoft Index Server and Indexing Service enables text searches on an internet or intranet site via a web browser. Index Server ships with Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.

An unchecked buffer exists in a certain ISAPI extension associated with the Index Server and Indexing Service.

A host running Microsoft Index Server or Indexing Service is susceptible to the execution of arbitrary code due to an unchecked buffer in the 'idq.dll' ISAPI extension. If a request is made in a particular manner to a host with 'idq.dll' installed, Index Server or Indexing Service will experience a buffer overflow that allows the execution of arbitrary code. Because Index Server and Indexing Service run in the Local System context, the attacker's code runs with Local System privileges.

'idq.dll' provides support for Internet Data Administration (.ida) files and Internet Data Query (.idq) files. To exploit this vulnerability, script mappings that associate '.idq' and '.ida' files with 'idq.dll' must exist.

Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. 'idq.dll' is installed by default when IIS is installed, so IIS is the only service that needs to be running.
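Because 'idq.dll' is reached only through the '.ida' and '.idq' script mappings, IIS W3C extended logs can be triaged for requests to those extensions. The following is an added example, not part of the original advisory or of any vendor signature; the sample log, its addresses, and the 200-character query threshold are constructed assumptions.

```python
"""Flag IIS W3C log entries that reach the idq.dll script mappings (.ida / .idq)."""
IDQ_EXTENSIONS = (".ida", ".idq")   # extensions the advisory says idq.dll serves
LONG_QUERY = 200                    # assumed triage threshold, not from the advisory

# Constructed sample log: documentation addresses and invented requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:01:02 192.0.2.10 GET /index.htm - 200
2001-07-19 10:01:05 198.51.100.7 GET /default.ida {long} 200
2001-07-19 10:02:11 192.0.2.44 GET /search/Query.IDQ CiRestriction=report 200
2001-07-19 10:03:40 203.0.113.9 GET /docs/ida.htm - 404
""".format(long="x" * 240)

def scan_w3c_log(lines):
    """Return one finding per request whose URI stem ends in .ida or .idq."""
    fields, findings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed or truncated record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(IDQ_EXTENSIONS):
            continue                    # mapping is matched case-insensitively
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)
        findings.append({
            "line": lineno,
            "client": rec.get("c-ip", "?"),
            "stem": stem,
            "query_len": qlen,
            "oversized": qlen >= LONG_QUERY,
        })
    return findings

if __name__ == "__main__":
    for finding in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

On hosts that do not use Index Server or Indexing Service, any finding is worth review, since the script mappings are present by default even when the service is not running.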

Successful exploitation of this vulnerability could lead to complete compromise of the target host.

It should be noted that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of Microsoft IIS are subject to this issue. Please see the reference section for further information regarding this worm.

Microsoft has released a tool that rectifies the damage caused by the 'Code Red II' worm. Please see the reference section for further information regarding this tool.

**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

Affected Products:

  • Cisco Building Broadband Service Manager 2.5.1
  • Cisco Building Broadband Service Manager 3.0.0
  • Cisco Building Broadband Service Manager 4.0.1
  • Cisco Building Broadband Service Manager 4.2.0
  • Cisco Building Broadband Service Manager 4.3.0
  • Cisco Building Broadband Service Manager 4.4.0
  • Cisco Building Broadband Service Manager 4.5.0
  • Cisco Building Broadband Service Manager 5.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Building Broadband Service Manager 5.2.0
  • Cisco Call Manager
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco Call Manager 3.1.0
  • Cisco Call Manager 3.1.0(2)
  • Cisco Call Manager 3.1.0(3a)
  • Cisco Call Manager 3.2.0
  • Cisco Call Manager 3.3.0
  • Cisco Call Manager 3.3.0(3)
  • Cisco Call Manager 4.0.0
  • Cisco Collaboration Server 0.0.0
  • Cisco Dynamic Content Adapter 0.0.0
  • Cisco ICS 7750 0.0.0
  • Cisco ICS Firmware 1.0.0
  • Cisco ICS Firmware 2.0.0
  • Cisco IP/VC 3540 Application Server 0.0.0
  • Cisco Media Blender 0.0.0
  • Cisco Trailhead 0.0.0
  • Cisco Unity Server 0.0.0
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.1.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco Unity Server 2.46.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Cisco VoIP Phone 7902G
  • Cisco VoIP Phone 7905G
  • Cisco VoIP Phone 7912G
  • Cisco uOne 1.0.0
  • Cisco uOne 2.0.0
  • Cisco uOne 3.0.0
  • Cisco uOne 4.0.0
  • Cisco uOne Enterprise Edition 0.0.0
  • Microsoft IIS 4.0.0
  • Microsoft IIS 5.0
  • Microsoft Index Server 2.0.0
  • Microsoft Indexing Services for Windows 2000 0.0.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.