News

IIS Vulnerability Compromises NT4, W2K Systems

• By Scott Bekker
• 06/19/2001

The new vulnerability affects versions 4.0 and 5.0 of IIS, but also requires the presence of a meta-search facility, known as Index Server 2.0 on Windows NT 4.0 systems and as the Indexing Service on Windows 2000 systems.

Index Server 2.0 can be installed separately on Windows NT 4.0 Server (it ships along with IIS 4.0 and the Windows NT 4.0 Option Pack), while the Indexing Service is configured by default along with IIS 5.0 during Windows 2000 Server/Advanced Server installations.

The vulnerability exists because IIS 4.0 and IIS 5.0 each provide features, enabled by means of the .IDA ASAPI filter, which permit remote users to run queries against Index Server 2.0 or against the Indexing Service running on Windows NT 4.0 or on Windows 2000, respectively.

According to Scott Culp, program manager for Microsoft's Security Response Center, the Index Server 2.0 and the Indexing Service components both contain an unchecked buffer that an attacker could exploit - by means of a classic buffer overflow technique - to run programs on a server.

"The programs would run with the highest possible level of privilege, and this would enable an attacker to completely compromise [a system]," Culp acknowledges.

Microsoft yesterday urged IIS 4.0 and IIS 5.0 customers who were affected by the vulnerability to patch their installations immediately. Culp says that his company also dispatched Technical Account Managers to "personally alert Premier customers to this vulnerability and assist them in installing the patch." Additionally, the software giant distributed an alert to the more than 150,000 subscribers on its security mailing list.

This is the third IIS-related, and second Indexing Service-related, exploit since early May. eEye Digital Security, the Internet security firm that first discovered the vulnerability and which initially brought it to Microsoft's attention, estimates that as many as 50 percent of Windows NT 4.0 and Windows 2000 installations could possibly be affected by this latest bug.

According to Russ Cooper, editor of the Windows NT Bugtraq Mailing List, that number is probably much higher, however.

"I would suspect that the number is much higher than 50 percent, and I'm not sure where eEye got that number, actually," he comments. "To test for whether or not this thing is out there is a difficult process, but it's also something that's installed by default."

Cooper cautions that the latest IIS/Indexing Service exploit can also compromise systems on which Index Server 2.0 or the Indexing Service were initially installed but from which they've subsequently been removed.

"Even if you installed it and said 'I don't need that' and so you disabled the service, you're still vulnerable," he notes, explaining that once it's configured, IIS' IDQ.DLL receives and parses query requests even if the Indexing Service itself has been removed or isn't running.

"And since the vulnerability occurs prior to the actual execution of the query, the result is that you can be exploited even if the service isn't running," he concludes.

In this respect, it's possible that IT organizations which have deployed default first installs of either the Windows NT 4.0 Option Pack, or of Windows 2000 Server/Advanced Server - and which later removed the Index Server 2.0 or Indexing Service components (during a security hardening procedure, for example) - could still be at risk. -- Stephen Swoyer

Recent IIS/Indexing Server Exploits

May 1, 2001 -- eEye Digital Security discovers a buffer overflow vulnerability in IIS 5.0's printer ISAPI filter, a component of Windows 2000's support for the Internet Printing Protocol (IPP). This vulnerability could be exploited to give an attacker complete control over an affected system. Microsoft releases a security patch.

May 10, 2001 -- Microsoft acknowledges the existence of two vulnerabilities in its Index Server 2.0 (for Windows NT 4.0) and Indexing Service (for Windows 2000) components that could enable an attacker to gain complete control over an affected system by means of a buffer overrun technique, or to read hidden files on a Web server by means of a "Malformed Hit-Highlighting" attack. Microsoft releases a security patch.

May 14, 2001 - NSFocus discovers an IIS vulnerability in which an attacker could execute operating system commands on a Web server by means of a superfluous decoding operation. This vulnerability could be exploited to enable an attacker to take down an FTP server or gain access to a "poorly configured" network via FTP. Microsoft releases a security patch, which for the first time includes a consolidation of 22 IIS 4.0 and 16 IIS 5.0 fixes.

June 18, 2001 - eEye Digital Security discovers a buffer overflow vulnerability in IIS 4.0's and IIS 5.0's .IDA ISAPI filter, which works in conjunction with Windows NT 4.0's Index Server 2.0 and Windows 2000's Indexing Service components to provide remote query facilities. This vulnerability could be exploited to give an attacker complete control over an affected system. Microsoft releases a security patch.