2004602 : Microsoft IIS idq.dll ISAPI extension buffer overflow

High Risk


Event description

Microsoft Internet Information Server (IIS) is vulnerable to a buffer overflow in the handling of ISAPI (Internet Services Application Programming Interface) extensions. An unchecked buffer in the code that handles idq.dll ISAPI extensions in the Indexing Service for IIS could allow a remote attacker to overflow a buffer and execute code by sending a specially-crafted Indexing Service request. An attacker could exploit this vulnerability to gain complete control over the affected server.

This vulnerability is exploited by the "Code Red" and "Code Red II" worms. The "Code Red" worm is a self-propagating worm that scans random IP addresses on port 80 searching for vulnerable Web servers. Once a vulnerable Web server is found, the worm performs malicious activity before propagating to other vulnerable hosts. The "Code Red II" worm does not deface Web sites, as the original version of the worm did, but it carries a more serious threat -- it contains a Trojan Horse payload, which could allow any remote attacker to further compromise infected systems. The "Code Red II" worm also has the ability to scan for vulnerable hosts much faster than previous versions, which has already been reported to cause failures in certain network components by overloading them with network traffic.

Products that have this security check

HTTP_Code_Red_II

This signature detects HTTP GET or POST requests whose request argument contains the string "CodeRedll" beginning at the 124th character of that argument.
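The matching rule above can be expressed in a few lines of code. The following is an added example written for this page, not ISS/IBM signature code: it parses an HTTP request line, isolates the request argument (the query string handed to the ISAPI extension), and flags GET or POST requests whose argument carries the marker string at exactly the 124th character. The marker is taken verbatim from the signature description, and the sample request lines are constructed filler, not captured worm traffic.

```python
"""Detection logic for the HTTP_Code_Red_II signature as described on this
page.  Added example, not ISS/IBM signature code: flag HTTP GET/POST
requests whose request argument contains the marker string starting at the
124th character."""

# Marker string exactly as the signature description on the page gives it.
MARKER = "CodeRedll"
# The page says the marker starts at the 124th character (1-indexed),
# which is offset 123 when indexing from zero.
MARKER_OFFSET = 123


def parse_request_line(line: str):
    """Return (method, path, argument) from an HTTP request line, or None
    if the line is not a well-formed request line.  The argument is the
    query string after '?', the part the Indexing Service ISAPI extension
    receives."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if not version.startswith("HTTP/"):
        return None
    path, _sep, argument = target.partition("?")
    return method, path, argument


def matches_code_red_ii(line: str) -> bool:
    """True if the request line matches the signature: GET or POST, and the
    marker present at exactly the 124th character of the argument."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, _path, argument = parsed
    if method not in ("GET", "POST"):
        return False
    return argument[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def scan(lines):
    """Return (line_number, request_line) pairs for every matching line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if matches_code_red_ii(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample request lines (not captured traffic).  Lines 1 and 4
# place the marker after exactly 123 filler bytes, so they match; line 2
# has the marker at the wrong offset, line 3 is an ordinary request, and
# line 5 uses a method the signature does not cover.
SAMPLE_REQUESTS = [
    "GET /default.ida?" + "X" * 123 + MARKER + "X" * 20 + " HTTP/1.0",
    "GET /default.ida?" + "X" * 50 + MARKER + " HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "POST /default.ida?" + "X" * 123 + MARKER + " HTTP/1.1",
    "HEAD /default.ida?" + "X" * 123 + MARKER + " HTTP/1.0",
]

if __name__ == "__main__":
    for number, request in scan(SAMPLE_REQUESTS):
        print(f"line {number}: HTTP_Code_Red_II match: {request[:60]}...")
```

Because the check is positional rather than a plain substring search, a request that merely mentions the marker somewhere else in its argument (sample line 2) is not reported, which mirrors how the signature is described and keeps false positives on ordinary query strings low.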

Affected platforms

How to remove this vulnerability

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
IisIsapiIdqBo
MS01-033

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_Code_Red
HTTP_Code_Red_II
HTTP_Code_Red_II_Plus
HTTP_IIS_Index_Server_Overflow
HTTP_IIS_Idq_Overflow
HTTP_IIS_Ida_Overflow

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS01-044. See References.

For Windows XP beta:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it was superseded by the patch released with MS01-044.

For Windows NT 4.0:
Microsoft originally provided a patch for this vulnerability in MS01-033, MS01-041, and MS02-001, but they have been superseded by the Security Roll-up patch released with MS02-018. See References.

For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS01-044, MS02-018, and MS02-062, and then superseded by the patch released with MS03-018. See References.

For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS02-001. See References.

References

Internet Security Systems Security Alert #79
Remote IIS Index Server ISAPI Extension Buffer Overflow
http://www.iss.net/xforce/alerts/id/advise79

Microsoft Security Bulletin MS03-018
Cumulative Patch for Internet Information Service (811114)
http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx

Microsoft Security Bulletin MS02-062
Cumulative Patch for Internet Information Service (Q327696)
http://www.microsoft.com/technet/security/Bulletin/MS02-062.mspx

Microsoft Security Bulletin MS02-018
Cumulative Patch for Internet Information Services (Q319733)
http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx

Microsoft Security Bulletin MS02-001
Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data
http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx

Microsoft Security Bulletin MS01-044
15 August 2001 Cumulative Patch for IIS
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx

Microsoft Security Bulletin MS01-041
Malformed RPC Request Can Cause Service Failure
http://www.microsoft.com/technet/security/bulletin/ms01-041.mspx

Cisco Security Notice 2004 March 27 19:30 UTC
Exploit for Multiple Cisco Vulnerabilities
http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml

National Infrastructure Protection Center Advisory 01-013
"Buffer Overflow Vulnerability in Microsoft's Internet Information Services (IIS) 4.0 and 5.0"
http://www.nipc.gov/warnings/advisories/2001/01-013.htm

National Infrastructure Protection Center Advisory 01-015
"Ida Code Red Worm"
http://www.nipc.gov/warnings/advisories/2001/01-015.htm

CIAC Information Bulletin L-117
The Code Red Worm
http://www.ciac.org/ciac/bulletins/l-117.shtml

CIAC Information Bulletin L-120
Cisco "Code Red" Worm Impact
http://www.ciac.org/ciac/bulletins/l-120.shtml

CERT Incident Note IN-2001-09
"Code Red II": Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/incident_notes/IN-2001-09.html

Internet Security Systems Security Alert #90
Resurgence of "Code Red" Worm Derivatives
http://www.iss.net/xforce/alerts/id/advise90

Internet Security Systems Security Alert #89
X-Force Response to Concern About the "Code Red" Worm
http://www.iss.net/xforce/alerts/id/advise89

Cisco System Field Notice July 20, 2001
"Code Red" Worm - Customer Impact
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

CERT Advisory CA-2001-23
Continued Threat of the "Code Red" Worm
http://www.cert.org/advisories/CA-2001-23.html

CERT Advisory CA-2001-19
"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-19.html

CIAC Information Bulletin L-098
Microsoft Index Server ISAPI Extension Buffer Overflow
http://www.ciac.org/ciac/bulletins/l-098.shtml

CERT Advisory CA-2001-13
Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-13.html

Microsoft Security Bulletin MS01-033
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
http://www.microsoft.com/technet/security/bulletin/ms01-033.mspx

eEye Digital Security Team Alert AD20010618
All versions of Microsoft Internet Information Services Remote buffer overflow (SYSTEM Level Access)
http://www.eeye.com/html/Research/Advisories/AD20010618.html

Common Vulnerabilities and Exposures
Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500

BugTraq
MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2880

Information about this document

The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.

Copyright © 1997 – 2012 IBM Internet Security Systems. All rights reserved.

This page was created on Fri Feb 10 01:07:13 2012