Signature Detail

HTTP: IIS .idq ISAPI Buffer Overflow

This signature detects attempts to exploit a known vulnerability against Microsoft ISAPI Indexing Service for IIS. Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier versions are vulnerable. Attackers can send a long argument to Internet Data Administration and Internet Data Query files to overflow the buffer in the ISAPI extension and execute arbitrary commands.

Extended Description

Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context. Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running. Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable. **UPDATE**: An aggressive worm that actively exploits this vulnerability is believed to be in the wild.

Affected Products

• Cisco building_broadband_service_manager_(bbsm) 2.5.1
• Cisco building_broadband_service_manager_(bbsm) 3.0.0
• Cisco building_broadband_service_manager_(bbsm) 4.0.1
• Cisco building_broadband_service_manager_(bbsm) 4.2.0
• Cisco building_broadband_service_manager_(bbsm) 4.3.0
• Cisco building_broadband_service_manager_(bbsm) 4.4.0
• Cisco building_broadband_service_manager_(bbsm) 4.5.0
• Cisco building_broadband_service_manager_(bbsm) 5.0.0
• Cisco building_broadband_service_manager_(bbsm) 5.1.0
• Cisco building_broadband_service_manager_(bbsm) 5.2.0
• Cisco call_manager 1.0.0
• Cisco call_manager 2.0.0
• Cisco call_manager 3.0.0
• Cisco call_manager 3.1.0
• Cisco call_manager 3.1.0 (2)
• Cisco call_manager 3.1.0 (3a)
• Cisco call_manager 3.2.0
• Cisco call_manager 3.3.0
• Cisco call_manager 3.3.0 (3)
• Cisco call_manager 4.0.0
• Cisco call_manager
• Cisco collaboration_server
• Cisco dynamic_content_adapter
• Cisco ics_7750
• Cisco ics_firmware 1.0.0
• Cisco ics_firmware 2.0.0
• Cisco ip/vc_3540_application_server
• Cisco media_blender
• Cisco trailhead
• Cisco unity_server 2.0.0
• Cisco unity_server 2.1.0
• Cisco unity_server 2.2.0
• Cisco unity_server 2.3.0
• Cisco unity_server 2.4.0
• Cisco unity_server 2.46.0
• Cisco unity_server 3.0.0
• Cisco unity_server 3.1.0
• Cisco unity_server 3.2.0
• Cisco unity_server 3.3.0
• Cisco unity_server 4.0.0
• Cisco unity_server
• Cisco uone 1.0.0
• Cisco uone 2.0.0
• Cisco uone 3.0.0
• Cisco uone 4.0.0
• Cisco uone_enterprise_edition
• Microsoft indexing_services_for_windows_2000
• Microsoft index_server 2.0

References

• BugTraq: 2880
• CVE: CVE-2001-0500
• URL: http://www.cert.org/advisories/CA-2001-13.html
• URL: https://www.kb.cert.org/vuls/id/952336
• URL: http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx