20 June, 2001
Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow

IIS 4.0 on Microsoft Windows NT 4.0
IIS 5.0 on Windows 2000 Servers
IIS 6.0 beta on Windows XP beta

Symantec Corporation advises its customers to be aware of a remote access buffer overflow vulnerability in indexing service ISAPI extensions that has been discovered in Microsoft's Windows NT 4.0 IIS 4.0 web servers as well as in Windows 2000 IIS 5.0 web servers. The vulnerability also exists in the beta version of IIS 6.0 running on Windows XP beta. The vulnerability can result in either a Denial of Service (DoS) against the affected server or, if fully exploited, allow an attacker to run arbitrary code on the targeted server with SYSTEM-level privileges, achieving complete control over the targeted web server.

This vulnerability was discovered by the eEye Digital Security Team and acknowledged by Microsoft.

Per Microsoft, IIS installs several Internet Service API (ISAPI) extensions, dynamic linked libraries (dlls) that provide functionality within IIS. In the case of this particular buffer overflow vulnerability, the offending culprit is the "idq.dll". The "idq.dll" provides support for internet data administrative script files ".ida" and internet data queries files ".idq" for indexing server 2.0 and indexing services. The indexing server 2.0 and indexing services provide full-text search and indexing service to search data on a web server or site.

The buffer overflow vulnerability exists because the "idq.dll" ISAPI extension fails to do proper bounds checking on user input URLs. A remote attacker connecting to the vulnerable web server can initiate an attack that will overflow the buffer, causing at least a DoS of the server, or at worst, allow code of their choice to run on the targeted server. Such code running in the Local System security context would give the attacker complete control of the server thus enabling them to take virtually any action on the target server they chose.

The attacker could exploit the vulnerability against any server that they can conduct a web session.

NOTE: Neither indexing server 2.0 (NT 4.0) nor indexing services (Win2K) need to be activated to exploit this vulnerability. By default, whenever IIS is installed, the offending dll is installed.
Symantec Corporation advises customers this is a high-risk vulnerability. Anyone currently running IIS 4.0 or IIS 5.0 is advised to immediately install the Microsoft-issued patch for their respective installation. Alternatively, customers who cannot install the patch immediately can temporarily protect their systems by removing the mapping for the .ida and .idq as explained in the MS Bulletin FAQ.

CAUTION: Adding additional Window's components using the "Add/Remove Programs" function in "Control Panels" causes a system reconfigure that reactivates mapping for both .ida and .idq, so this is NOT a recommended security solution except as a temporary "workaround" until the appropriate patch can be installed.

Risk Impact:

Security Solution:
Microsoft has developed hotfixes available for this vulnerability in MS WinNT4.0 and MS Win2K.
The hotfix for MS WinNT4.0 and the hotfix for Microsoft Windows 2000 Server and Advanced Server are available from the respective Microsoft TechNet Security pages. According to Microsoft, for customers running Microsoft Windows 2000 Datacenter Server, patches are hardware-specific and available from the original equipment manufacturer. For customers beta testing Windows XP beta, the vulnerability will be eliminated in the next beta update as well as the final, released version of the product. If you are running one of the vulnerable systems or applications, you should immediately download and apply the appropriate security hotfix.

Symantec Enterprise Solutions:
Enterprise Security Manager (ESM), Symantec's policy compliance and vulnerability management system, helps manage security patch update functions for you through the ESM patch module. Two new patch templates are available that detect this vulnerability on Windows NT 4.0 and Windows 2000 servers. Extract the new templates into the ESM Manager's /esm/template directory:

NetProwler, Symantec's network-based intrusion detection tool, with Security Update 8 installed is capable of detecting attempts to attack your IIS 4.0 and 5.0 Servers through this vulnerability. NetProwler SU8 is downloaded using the product's auto update feature.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by the SARC. Reprinting the whole or part of this Alert in medium other than electronically requires permission from Symantec.
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.
Symantec, Enterprise Security Manager (ESM), NetProwler, and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Last modified on: