• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service.

A host running Microsoft Index Server or Indexing Service is prone to the execution of arbitrary code. If a request to a host with 'idq.dll' installed is made in a particular manner, either Index Server or Indexing Service will experience a buffer overflow and allow arbitrary code to run. Unfortunately, the Index Server and Indexing Service runs in the Local System context; therefore, the attacker can specify arbitrary code to be run with Local System privileges.

The 'idq.dll' DLL provides support for Internet Data Administration (.ida) files and Internet Data Query (.idq) files. To exploit this vulnerability, script mappings that associate '.idq' and '.ida' files with 'idq.dll' must exist.

Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.

Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable.

Microsoft has released a tool that rectifies the damage caused by the 'Code Red II' worm, please see the reference section for details.

**UPDATE**: An aggressive worm that actively exploits this vulnerability is believed to be in the wild.

Affected Products:

• Cisco Building Broadband Service Manager 2.5.1
• Cisco Building Broadband Service Manager 3.0.0
• Cisco Building Broadband Service Manager 4.0.1
• Cisco Building Broadband Service Manager 4.2.0
• Cisco Building Broadband Service Manager 4.3.0
• Cisco Building Broadband Service Manager 4.4.0
• Cisco Building Broadband Service Manager 4.5.0
• Cisco Building Broadband Service Manager 5.0.0
• Cisco Building Broadband Service Manager 5.1.0
• Cisco Building Broadband Service Manager 5.2.0
• Cisco Call Manager
• Cisco Call Manager 1.0.0
• Cisco Call Manager 2.0.0
• Cisco Call Manager 3.0.0
• Cisco Call Manager 3.1.0
• Cisco Call Manager 3.1.0 (2)
• Cisco Call Manager 3.1.0 (3a)
• Cisco Call Manager 3.2.0
• Cisco Call Manager 3.3.0
• Cisco Call Manager 3.3.0 (3)
• Cisco Call Manager 4.0.0
• Cisco Collaboration Server
• Cisco Dynamic Content Adapter
• Cisco ICS 7750
• Cisco ICS Firmware 1.0.0
• Cisco ICS Firmware 2.0.0
• Cisco IP/VC 3540 Application Server
• Cisco Media Blender
• Cisco Trailhead
• Cisco Unity Server
• Cisco Unity Server 2.0.0
• Cisco Unity Server 2.1.0
• Cisco Unity Server 2.2.0
• Cisco Unity Server 2.3.0
• Cisco Unity Server 2.4.0
• Cisco Unity Server 2.46.0
• Cisco Unity Server 3.0.0
• Cisco Unity Server 3.1.0
• Cisco Unity Server 3.2.0
• Cisco Unity Server 3.3.0
• Cisco Unity Server 4.0.0
• Cisco VoIP Phone 7902G
• Cisco VoIP Phone 7905G
• Cisco VoIP Phone 7912G
• Cisco uOne 1.0.0
• Cisco uOne 2.0.0
• Cisco uOne 3.0.0
• Cisco uOne 4.0.0
• Cisco uOne Enterprise Edition
• Microsoft IIS 4.0
• Microsoft IIS 5.0
• Microsoft Index Server 2.0
• Microsoft Indexing Services for Windows 2000

References:

• CERT: CERT Advisory CA-2001-23: Continuing Threat of the "Code Red" Worm
• CERT: CERT Incident Note IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow in IIS
• CERT: CERT Incident Note IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Ove
• CERT: CERT Incident Note IN-2001-10: "Code Red" Worm Crashes IIS 4.0 Servers with URL
• CERT: CERT® Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL
• CERT: CERT® Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Inde
• CORE Security: IIS IDA-IDQ exploit
• Cisco: Cisco Security Advisory: "Code Red" Worm - Customer Impact
• Cisco Systems: Using Network-Based Application Recognition and Access Control Lists for Blockin
• ISS: X-Force Response to Concern About the "Code Red" Worm
• Microsoft: A Very Real and Present Threat to the Internet
• Microsoft: Microsoft Internet Information Server 4.0 Security Checklist
• Microsoft: Microsoft Security Bulletin MS01-033
• Microsoft: Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP) Now Available
• Microsoft: Secure Internet Information Services 5 Checklist
• Microsoft: Tool to eliminate the obvious effects of the Code Red II worm
• eEye Digital Security: All versions of Microsoft Internet Information Services Remote buffer overflow (

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.