VID 22083
Severity 40
Port 80, ...
Protocol TCP
Class WWW
Detailed Description There is a buffer overflow in the IIS web server's Indexing Service ISAPI filter. Exploiting it may give a remote attacker SYSTEM-level access to the web server. The "Code Red" worm exploits this vulnerability and is spreading among IIS web servers on the Internet via the .IDA buffer overflow.
The vulnerability lies in the code that allows the Web server to interact with Microsoft Indexing Service functionality. The vulnerable Indexing Service ISAPI filter is installed by default on all versions of the Microsoft Internet Information Services (IIS) Web server. The .ida (Indexing Service) ISAPI filter does not perform proper bounds checking on user-supplied input and is therefore susceptible to a buffer overflow.
An attacker who exploits the vulnerability can remotely gain full SYSTEM-level access to any server running a default installation of Windows NT 4.0, Windows 2000, or Windows XP with Microsoft IIS Web server software. This is detailed in Microsoft Advisory MS01-033.

Example to test:
GET /a.ida?[A x 240]=x HTTP/1.1
Host: secuiscan
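As a defensive counterpart to the description and the test request above, here is an added example (not part of the scanner entry) that flags IIS W3C extended log entries whose request targets the Indexing Service extensions (.ida/.idq) with an oversized query string. The log lines, the 200-byte threshold and the field order are constructed assumptions.

```python
# Added example (not part of the scanner entry): flag IIS W3C log entries
# whose request targets the Indexing Service ISAPI extensions with an
# oversized query string, the shape of the .ida overflow request above.

INDEXING_EXTENSIONS = (".ida", ".idq")  # handled by the Indexing Service ISAPI filter
MAX_QUERY_LEN = 200  # assumed threshold; the test request above uses 240 bytes


def classify(stem, query):
    """Return a finding for an over-long query to an Indexing Service
    extension, or None for any other request."""
    if not stem.lower().endswith(INDEXING_EXTENSIONS):
        return None
    if len(query) > MAX_QUERY_LEN:
        return f"oversized query ({len(query)} bytes) to {stem}"
    return None


def scan_w3c_log(lines):
    """Scan W3C extended log lines; assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and directive/header lines
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line, not enough fields
        _date, _time, c_ip, method, stem, query, status = fields[:7]
        if query == "-":
            query = ""  # W3C logs write "-" for an empty query
        finding = classify(stem, query)
        if finding:
            findings.append((c_ip, method, status, finding))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, fictional timestamps).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 12:00:00 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 12:00:01 192.0.2.11 GET /query.idq CiRestriction=report 200",
    "2001-07-19 12:00:02 203.0.113.5 GET /default.ida " + "A" * 240 + "=x 200",
]

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG):
        print(*hit)
```

A normal Indexing Service query (the .idq line) passes; only the oversized .ida request is reported.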

* References:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Recommendation Microsoft has released a patch for this vulnerability that can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

We recommend removing the .ida ISAPI filter from your Web server if it is not required for the operation of your site.

To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service | Edit | Home Directory | Configuration and remove the .ida entry from the list.
Related URL CVE-2001-0500 (CVE)