
Lock IT Down: Microsoft reveals another vulnerability in IIS

A serious vulnerability in Microsoft Internet Information Services server is explained


Microsoft Index Server 2.0 and Indexing Service contain a serious security flaw in one of the ISAPI .dll extensions installed by default with numerous versions of Internet Information Server. Specifically, Idq.dll (Internet Data Queries) has an unchecked buffer that could potentially allow an attacker to take complete control over the Web server, alter Web page content, reconfigure the server, or install software.

Level of risk
Microsoft classifies this as a serious problem. It’s a significant vulnerability because IIS installs the target DLLs as part of the default configuration even if you don’t need them. And because the buffer overrun takes place before any actual requests of the Idq.dll component are made, the Index Server/Indexing Service doesn’t even need to be activated and running for the attack to take place. The buffer overrun also occurs before Idq.dll performs its usual credential check.

Since a successful attack would allow the intruder to perform virtually any action on the server, repairing this fault should be a high priority for administrators.

Applicability
Organizations running Web servers on Windows NT Server 4.0 (with the Option Pack installed) or Windows 2000 Server/Advanced Server/Datacenter are all at risk. The Windows XP beta is also vulnerable. As mentioned above, the affected piece of software is Index Server 2.0 and Indexing Service. (This is essentially the same program, but the Index Server was renamed the Indexing Service in Windows 2000.) Index Server and Indexing Service are the full text searching and indexing engines used by IIS to provide search capabilities for Web sites.

With Windows 2000 Server, IIS and Indexing Service are installed by default during the installation process. Index Server did not ship with the standard version of NT 4.0, so unless you have installed the Option Pack, there is no danger. Windows 2000 Professional users aren’t affected unless they have specifically chosen to install IIS 5.0.

The Index Server or Indexing Service need not be running to make the system vulnerable. As long as IIS is installed and running, the system is vulnerable. If you don’t have IIS running, the system isn’t vulnerable even if the Index Server or Indexing Service files are installed.

However, as Microsoft states, “If the script mappings for .ida and .idq files aren’t present, the vulnerability cannot be exploited. The IIS 4.0 and IIS 5.0 Security Checklists provide instructions for doing this [removing the files]. In addition, the High Security Template provided in the IIS 5.0 Security Checklist will remove the mapping. Likewise, the Windows 2000 Internet Server Security Tool will remove the mapping unless you explicitly request that it be retained.”

The situation is further complicated by the fact that the mapping could have been removed but will be reinstated if you run the Add/Remove Programs applet from the Control Panel.

Obviously this is a complex situation and one that can change over the life of the server as configurations are changed, so you need to pay attention to this. To really be safe, you need to apply the patch even if you have removed script mappings for the applicable files.
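The article's workaround hinges on whether the .ida and .idq script mappings are present, and warns that they can come back after a trip through Add/Remove Programs. The following added example (not from the article or from Microsoft) audits a ScriptMaps list for the entries that hand requests to Idq.dll and returns a hardened copy without them, so the same check can be re-run after any configuration change. It assumes the string layout the IIS 4.0/5.0 metabase uses for each mapping, "extension,dll-path,flags[,verbs...]"; the sample entries are constructed.

```python
"""Audit and strip the .ida/.idq script mappings that route requests into Idq.dll.

Added example, not the article's or Microsoft's code. It takes a ScriptMaps
list of one string per mapping in the assumed metabase form
"extension,dll-path,flags[,verbs...]"; SAMPLE_SCRIPTMAPS below is constructed.
"""
import ntpath

# The two extensions the article says are rarely needed and can be removed,
# and the DLL behind them, so a mapping re-created under another name is caught.
IDQ_EXTENSIONS = {".ida", ".idq"}
IDQ_DLL = "idq.dll"

# Constructed sample of a default-looking IIS 5.0 ScriptMaps property.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
]


def parse_mapping(entry):
    """Split one ScriptMaps string into (extension, dll path, remaining fields)."""
    parts = entry.split(",")
    if len(parts) < 2:
        raise ValueError("malformed script mapping: %r" % entry)
    return parts[0].strip().lower(), parts[1].strip(), parts[2:]


def find_idq_mappings(scriptmaps):
    """Return every mapping that sends requests to Idq.dll.

    A mapping counts if its extension is .ida/.idq or if the mapped DLL's
    file name is idq.dll, whichever extension it was registered under.
    """
    hits = []
    for entry in scriptmaps:
        ext, dll, _ = parse_mapping(entry)
        dll_name = ntpath.basename(dll).lower()
        if ext in IDQ_EXTENSIONS or dll_name == IDQ_DLL:
            hits.append(entry)
    return hits


def remove_idq_mappings(scriptmaps):
    """Return a copy of the ScriptMaps list with the Idq.dll mappings removed."""
    flagged = set(find_idq_mappings(scriptmaps))
    return [entry for entry in scriptmaps if entry not in flagged]


if __name__ == "__main__":
    # Weak configuration: the default mappings are still in place.
    for entry in find_idq_mappings(SAMPLE_SCRIPTMAPS):
        print("REMOVE:", entry)
    # Corrected configuration: what should be written back to the metabase.
    for entry in remove_idq_mappings(SAMPLE_SCRIPTMAPS):
        print("KEEP:  ", entry)
```

Matching on the DLL name as well as the extension is deliberate: the article's point is that the flaw sits in Idq.dll itself, so any mapping that reaches it matters, not only the two default extensions. Re-run the audit after installing components or running Add/Remove Programs, and apply the patch regardless, as the article advises.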

Fix
The available patches install correct input checking in ISAPI.

Affected NT 4.0 installations can get a patch at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

Windows 2000 Server, Advanced Server, and those Pro users with IIS 5.0 installed can obtain a different patch at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Windows 2000 Datacenter patches are hardware-specific and should be obtained from the OEM.

Windows XP Beta 1 and Beta 2 have this vulnerability, and no patches will be released for them. The fix will simply be included when Microsoft releases Beta 3. Clearly, no one should be using Windows XP betas in a production environment, so this should not be a problem, but administrators still need to be aware of it.

As a temporary workaround, you can also uninstall the .ida and .idq script mappings, which are rarely used. But this is only a temporary fix because, as we explained earlier, they can be reinstalled in some circumstances and thus make the server vulnerable again.

Contrary to some initial indications, former IIS patches MS01-025 and MS01-026 are not superseded by this patch or bulletin MS01-033.

Background
Internet Services Application Programming Interface (ISAPI) allows developers to add features to an IIS server. The ISAPI extensions are dynamic link libraries (.dll files) that contain additional functionality beyond the basic tools in IIS.

Access to these features is normally made by calling up files on the server. The files contain the commands that perform the operations. IIS sends the user requests to the correct ISAPI extension for parsing based on a table of script mappings that link the files with each ISAPI extension installed on the server.

The particular vulnerability addressed in this bulletin is in Idq.dll, which provides two functions. First, it offers support for the Internet Data Administration (.ida) files or scripts used to manage the indexing service. This is rarely used because the Microsoft Management Console is preferred.

The second function provided by Idq.dll is to process Internet Data Query (.idq) files, which are used to perform custom searches.

The problem addressed by MS01-033 is an unchecked buffer. Sending random data to it would cause an IIS 4.0 or IIS 5.0 server to crash. IIS 4.0 would have to be restarted by the administrator, but IIS 5.0 should recover automatically.

The first scenario would be annoying, while the second scenario might go unnoticed. The real danger is that specific code combined with a special data stream would cause malicious code to be run on the server.
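Because the article notes that .ida and .idq requests are rarely legitimate and that the flaw is an unchecked buffer reached by the request itself, a defender's first check is whether such requests are arriving at all. The added example below (not from the article or from Microsoft) scans an IIS W3C extended log, using its `#Fields:` header to locate the URI and query columns, and reports every request for a .ida or .idq resource along with the size of the query it carried. The log lines, the `/query.ida` and `/samples/search.idq` paths and the 200-character threshold are constructed for the example.

```python
"""Report requests that reach Idq.dll in an IIS W3C extended log.

Added example, not the article's or Microsoft's code. The field names follow
the W3C extended log format IIS writes; SAMPLE_LOG is constructed, including
the paths and the oversized query on the last line.
"""

# Resources whose requests IIS hands to Idq.dll via the script mappings.
IDQ_EXTENSIONS = (".ida", ".idq")

# Constructed sample log: three ordinary requests and one oversized .ida query.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Version: 1.0\n"
    "#Date: 2001-06-19 00:00:00\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-06-19 10:15:01 10.0.0.7 GET /default.htm - 200\n"
    "2001-06-19 10:15:04 10.0.0.7 GET /images/logo.gif - 200\n"
    "2001-06-19 10:15:32 10.0.0.9 GET /samples/search.idq CiRestriction=report 200\n"
    "2001-06-19 10:16:10 10.0.0.21 GET /query.ida " + "A" * 240 + " 200\n"
)


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software and #Date
        if fields is None:
            raise ValueError("request line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def find_idq_requests(text, max_query_len=200):
    """Return the requests routed to Idq.dll, each with its query size.

    Every .ida/.idq request is reported because the article calls them rarely
    used; those whose query exceeds max_query_len are additionally marked
    oversized, since the flaw is an unchecked buffer fed by the request.
    """
    hits = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(IDQ_EXTENSIONS):
            continue
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)  # "-" means no query in W3C logs
        hits.append({
            "client": rec.get("c-ip", "?"),
            "uri": stem,
            "query_len": qlen,
            "oversized": qlen > max_query_len,
        })
    return hits


if __name__ == "__main__":
    for hit in find_idq_requests(SAMPLE_LOG):
        flag = "OVERSIZED" if hit["oversized"] else "review"
        print("%-9s %-12s %s (query %d bytes)" % (flag, hit["client"], hit["uri"], hit["query_len"]))
```

On a server that has had the mappings removed, any hit at all means someone is probing for them; on a server that still has them, the oversized entries are the ones to examine first. Note that a request which crashed IIS 4.0 may not have been logged at all, which is one more reason the article's advice to patch rather than rely on monitoring holds.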

How do you keep up with IIS patches?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.
