Title: Code Red virus (must-read for 欣蔚)
Time: Fri Aug 3 01:58:44 2001
TW-CA-2001-084-[CA-2001-13 Buffer Overflow In IIS Indexing Service DLL]
------------------------------------------------------------
TWCERT release date: 2001/06/21
Original vulnerability release date: 2001/06/19
Category: CERT/CC
Source reference: CERT Advisory (CA-2001-13)
------ Affected Systems ------------------------------------------------
Microsoft Windows NT 4.0 running IIS 4.0 or IIS 5.0
Microsoft Windows 2000 (Professional, Server, Advanced Server,
Datacenter Server)
Microsoft Windows XP beta
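------ Summary ---------------------------------------------------------
A vulnerability exists in the Indexing Services of Microsoft IIS 4.0 and
5.0 on Windows NT, Windows 2000, and Windows XP beta versions. It allows a
remote attacker to execute arbitrary code on the victim's computer.
Technical write-ups on how to exploit this vulnerability are already widely
circulated on the Internet, so system administrators should fix vulnerable
systems immediately.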
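------ Description -----------------------------------------------------
An exploit now exists that can remotely carry out a buffer overflow attack
against an ISAPI extension installed with IIS 4.0 and 5.0. An exploit for
this vulnerability can execute arbitrary code in the Local System security
context, which gives the attacker complete control of the victim's computer.
This vulnerability was discovered by eEye Digital Security, and Microsoft
covers it in the following security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Affected Windows systems include Windows NT 4.0 (with IIS 4.0 and Index
Server 2.0 installed), Windows 2000 (Server and Professional with IIS 5.0
installed), and Windows 2000 Datacenter Server OEM versions; however, not
all of these systems are vulnerable by default. Windows XP beta is
vulnerable by default. The only precondition for exploiting this
vulnerability is that the IIS server is running with script mappings for
Internet Data Administration (.ida) and Internet Data Query (.idq) files;
the Indexing service itself does not need to be running.
Excerpt from Microsoft MS01-033:
The buffer overflow occurs before any indexing functionality is executed.
Although idq.dll is a component of Index Server/Indexing Service, the Index
server does not need to be running for this component to be attacked. As
long as a script mapping for .idq or .ida files exists, an attacker can
establish a web session and exploit the vulnerability. The vulnerability
has been assigned the identifier CAN-2001-0500 by Common Vulnerabilities
and Exposures (CVE):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0500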
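----- Fixes ------------------------------------------------------------
-- Install the patch
Patches are available from the following Microsoft URLs.
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
These patches supersede the ones previously provided in Microsoft Security
Bulletins MS01-025 and MS00-006.
Users of Windows 2000 Datacenter Server must request the patch from their
OEM vendor. A list of OEM vendors is available here:
http://www.microsoft.com/windows2000/datacenter/howtobuy/purchasing/oems.asp
-- Workarounds
Users of Windows XP beta versions should update their systems as soon as a
newer version of XP is released.
All affected IIS/Indexing servers can be protected against the exploit by
removing the script mappings for Internet Data Administration (.ida) and
Internet Data Query (.idq) files. However, these mappings may be reinstalled
when you install other software components.
Note:
For other reference information on this issue, see the related websites
listed below and the original text attached at the end.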
----- Contact TW-CERT --------------------------------------------------
Phone : 886-7-5250211 Fax : 886-7-5250212
Email : twcert@cert.org.tw
URL : http://www.cert.org.tw/
PGP key : http://www.cert.org.tw/eng/pgp.htm
----- Attachment -------------------------------------------------------
Attachment: [CA-2001-13 Buffer Overflow In IIS Indexing Service DLL]
CERT® Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL
Original release date: June 19, 2001
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
- Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled
- Systems running Microsoft Windows 2000 (Professional, Server,
  Advanced Server, Datacenter Server)
- Systems running beta versions of Microsoft Windows XP
Overview
A vulnerability exists in the Indexing Services used by Microsoft IIS
4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions
of Windows XP.
This vulnerability allows a remote intruder to run arbitrary code on
the victim machine.
Since specific technical details on how to create an exploit are publicly
available for this vulnerability, system administrators should apply fixes
or workarounds on affected systems as soon as possible.
I. Description
There is a remotely exploitable buffer overflow in one of the ISAPI
extensions installed with most versions of IIS 4.0 and 5.0
(The specific Internet/Indexing Service Application Programming
Interface extension is IDQ.DLL).
An intruder exploiting this vulnerability may be able to execute
arbitrary code in the Local System security context. This essentially
can give the attacker complete control of the victim system.
This vulnerability was discovered by eEye Digital Security.
Microsoft has released the following bulletin regarding this issue:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Affected versions of Windows include Windows NT 4.0 (installed with
IIS 4.0 and Index Server 2.0), Windows 2000 (Server and Professional
with IIS 5.0 installed), and Windows 2000 Datacenter Server
OEM distributions; however, not all of these instances are vulnerable
by default.
The beta versions of Windows XP are vulnerable by default.
The only precondition for exploiting this vulnerability is that an IIS
server is running with script mappings for Internet Data Administration
(.ida) and Internet Data Query (.idq) files.
The Indexing Services do not need to be running. As stated by Microsoft
in MS01-033:
The buffer overrun occurs before any indexing functionality is
requested. As a result, even though idq.dll is a component of Index
Server/Indexing Service, the service would not need to be running
in order for an attacker to exploit the vulnerability. As long as
the script mapping for .idq or .ida files were present, and the
attacker were able to establish a web session, he could exploit the
vulnerability.
This vulnerability has been assigned the identifier CAN-2001-0500 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0500
II. Impact
Anyone who can reach a vulnerable web server can execute arbitrary code
in the Local System security context. This results in the intruder
gaining complete control of the system.
Note that this may be significantly more serious than a simple
"web defacement."
III. Solution
Apply a patch from your vendor
Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:
For Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
For Windows 2000 Professional, Server, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
These patches supersede the ones previously provided in Microsoft
Security Bulletins MS01-025 and MS00-006.
Users of Windows 2000 Datacenter Server software should contact their
original equipment manufacturer (OEM) for patches. A list of OEM
providers may be found here:
http://www.microsoft.com/windows2000/datacenter/howtobuy/purchasing/oems.asp
Workarounds
Users of beta copies of Windows XP should upgrade to a newer version
of the software when it becomes available.
All affected versions of IIS/Indexing Services can be protected against
exploits of this vulnerability by removing script mappings for Internet
Data Administration (.ida) and Internet Data Query (.idq) files. However,
such mappings may be recreated when installing other related software
components.
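
Because removed mappings can be recreated by later installs, the workaround needs a recurring check. The following is an added example, not part of the CERT/CC or TWCERT text: it audits exported script-map entries for .ida/.idq mappings and for any other extension routed to idq.dll. The entry layout `extension,executable,flags,verbs`, the node names and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Extensions named in the advisory, and the DLL it identifies as vulnerable.
RISKY_EXTENSIONS = {".ida", ".idq"}
RISKY_HANDLER = "idq.dll"

def parse_script_map(entry):
    """Split one entry; assumed layout: extension,executable,flags[,verbs...]."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError(f"malformed script map entry: {entry!r}")
    return parts[0].lower(), parts[1].strip('"')

def audit(script_maps):
    """Return sorted (node, extension, handler, reason) findings.

    script_maps maps a configuration node (server, site or directory) to its
    list of entries, because a mapping removed at one level can still exist,
    or be recreated by an installer, at another.
    """
    findings = []
    for node, entries in script_maps.items():
        for entry in entries:
            try:
                ext, handler = parse_script_map(entry)
            except ValueError:
                findings.append((node, "?", entry, "unparseable entry"))
                continue
            dll = ntpath.basename(handler).lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((node, ext, handler, "extension still mapped"))
            elif dll == RISKY_HANDLER:
                findings.append((node, ext, handler, "other extension routed to idq.dll"))
    return sorted(findings)

# Constructed sample: three nodes as they might look after a partial cleanup.
SAMPLE = {
    "W3SVC": [r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST"],
    "W3SVC/1/ROOT": [
        r".IDA,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST",
    ],
    "W3SVC/2/ROOT": [r".search,C:\WINNT\System32\IDQ.DLL,3,GET,POST"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An empty result means no audited node still routes requests to idq.dll; running the check after every software install covers the recreation case the advisory mentions.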
Appendix A. Vendor Information
Microsoft Corporation
The following documents regarding this vulnerability are available
from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/support/kb.asp?ID=Q300972
References
VU#952336: Microsoft Index Server/Indexing Service used by IIS 4.0/5.0
contains unchecked buffer used when encoding double-byte characters
CERT/CC, 06/19/2001, https://www.kb.cert.org/vuls/id/952336
Additional advice on securing IIS web servers is available from
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp
Feedback concerning this document may be directed to Jeffrey S. Havrilla.
----------------------------------------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2001-13.html
----------------------------------------------------------------------
--
┌┌┌┌ Origin: 小魚的紫色花園 <fpg.twbbs.org> 140.112.200.214 ───┐┐┐┐