Microsoft Security Bulletin MS01-025 - Critical
Index Server Search Function Contains Unchecked Buffer
Published: May 10, 2001 | Updated: June 23, 2003
Originally posted: May 10, 2001
Updated: June 23, 2003
Who should read this bulletin:
System administrators using Microsoft® Index Server 2.0 in Windows NT® 4.0 or Indexing Service in Windows® 2000
Impact of vulnerability:
Run code of attacker's choice.
Customers using Index Server 2.0 should apply the patch immediately; customers using Indexing Service should consider applying the patch
- Microsoft Index Server 2.0
- Indexing Service in Microsoft Windows 2000
The patches discussed below address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.
The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006. The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type If an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.
- Index Server 2.0 buffer overrun:
- In order to exploit the vulnerability, the attacker would need the ability to authenticate to the server and to create a named pipe connection to it (which requires access to NetBIOS, which should be blocked at the firewall). As a result, it is likely that this vulnerability could, in a properly configured network, only be exploited by an intranet user.
- The vulnerability only affects Index Server 2.0. Indexing Services in Windows 2000 is not affected by it.
- Index Server 2.0 is not provided as part of Windows NT 4.0; instead, it is part of the Windows NT 4.0 Option Pack. It installs by default as part of that package, but does not run by default.
- New Variant of "Malformed Hit-Highlighting" vulnerability:
- The vulnerability would only allow files to be read. They could not be added, changed or deleted via this vulnerability.
- Server-side "include" files should not contain sensitive data. If this recommendation has been followed, there would be no sensitive data to compromise via this vulnerability.
- The vulnerability would only allow files residing on the web server - and in the same logical drive as the server's root directory - to be read. It would not allow files elsewhere on the server, or files residing on a remote server, to be read.
- Index Server 2.0 buffer overrun: CAN-2001-0244
- New variant of "Malformed Hit-Highlighting" vulnerability: CAN-2001-0245
Microsoft tested Index Server 2.0 and Indexing Service in Windows 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
What vulnerabilities are discussed in this bulletin?
This bulletin discusses two vulnerabilities that are unrelated, except by the fact that both affect Index Server. The vulnerabilities are:
- A vulnerability affecting only Index Server 2.0, that could allow an attacker to run code on the index server.
- A new variant of a previously discussed vulnerability affecting both Index Server 2.0 and Indexing Service in Windows 2000.
What are Index Server and Indexing Service?
Index Server 2.0 is a full-text indexing and search engine that was shipped as part of the Windows NT 4.0 Option Pack. In Windows 2000, this capability was provided as a native service, known as Indexing Service. Both Index Server 2.0 and Indexing Service provide the ability to make data on a web site or server searchable. This enables users to use a web browser to search for documents based on keywords, phrases or properties.
What's the scope of the first vulnerability?
The first vulnerability is a buffer overrun vulnerability affecting Index Server 2.0. By providing a specially malformed parameter in a search request, an attacker could cause either of two effects. In the simpler case, she could cause Index Server 2.0 to fail. In the more complex case, she could cause code of her choice to execute on the server. This code would run with system privileges, and could therefore take any desired action on the server. Because of the specific circumstances under which the vulnerability occurs, the attacker would need to already have some privileges on the machine. In addition, proper firewalling would serve to prevent an Internet user from exploiting the vulnerability. Finally, it's important to note that only Index Server 2.0 is affected - Indexing Service is not.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of code that processes search requests. By providing a specially malformed search parameter, an attacker could overrun the buffer.
What would this enable an attacker to do?
As is usually the case in buffer overrun vulnerabilities, an attacker could exploit the vulnerability in either of two ways. If she supplied a sufficiently large quantity of random data in the affected parameter, it would cause the service to fail. This would not cause any other services to fail, nor would it cause the server itself to fail. Nevertheless, other users would be unable to perform searches until the administrator restarted Index Server. On the other hand, if she supplied carefully selected data as the parameter, it would be possible for the attacker to, in essence, modify the Index Server code as it was running. This would allow her to introduce new functionality if she wished. Because Index Server runs in the Local System context, the attacker's code would have sufficient privileges to perform any desired action, such as altering web content or reformatting the hard drive.
Would the latter attack allow the attacker to take over a network?
Although the vulnerability would enable the user to gain complete control over the server, it would not give her any elevated privileges on the network. By default, Index Server runs in the security context of a local, not domain, account. Of course, it would be possible for a domain administrator to reconfigure Index Server to run in a domain security context, but this is extremely bad practice.
Could an attacker exploit this vulnerability from the Internet?
In most cases, this vulnerability could only be exploited by a network insider. To levy the search request, the attacker would need a valid user account on the server. In addition, she would need the ability to create a named pipe connection to the server, which requires access to the NetBIOS ports on the server. However, NetBIOS should always be blocked at the firewall.
Is Index Server 2.0 installed on Windows NT 4.0 systems by default?
Index Server 2.0 isn't provided as part of Windows NT 4.0; instead, it comes as part of the Windows NT 4.0 Option Pack. If installed as part of the Option Pack, it does run by default.
Does this vulnerability affect Windows 2000 systems?
No. Indexing Service in Windows 2000 does not contain the unchecked buffer, and is not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that Index Server 2.0 properly checks the length of all search parameters before using them.
What's the scope of the second vulnerability?
The second vulnerability is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006. It could allow a malicious user to view - but not add, change or delete - files that reside on a web server. The vulnerability only affects files that reside on the web server itself, and only on the same logical drive as the server's root directory. Files residing on a remote server at a web site - for instance, files on a remote database server - would not be at risk from this vulnerability.
How is the new variant different than the original vulnerability?
The new variant is, for all practical purposes, exactly the same as the original one, except in the specific type of files it would enable an attacker to read. The new variant could enable "include" files to be read, even after applying the original patch.
What's an "include" file?
"include" files are ones that contain information that will be incorporated into a program file when it executes. Typically, these files contain parameters or commonly used code. However, they should never contain sensitive information like passwords. If this recommendation has been followed, even an attacker who could read the files would gain nothing from them.
Does this vulnerability affect both Index Server 2.0 and Indexing Service?
What does the patch do?
The patch extends the protection offered by the original patch, to also prevent the new variant from succeeding.
If I apply this patch, do I need to apply the original patch?
No. This patch completely supersedes the one provided in Microsoft Security Bulletin MS00-006.
Download locations for this patch
Index Server 2.0:
Index Server buffer overrun:
New variant of "Malformed Hit-Highlighting" vulnerability:
Indexing Service in Windows 2000 Professional, Server and Advanced Server:
Indexing Service in Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer
Additional information about this patch
- The patch for Index Server 2.0 can be installed on systems running Windows NT 4.0 Service Pack 6a, and on which the Windows NT 4.0 Option Pack has been installed.
- The patch for Indexing Service can be installed on systems running Windows 2000 Gold, Service Pack 1, or the forthcoming Service Pack 2.
Inclusion in future service packs:
- The Index Server 2.0 fix will be included in Windows NT 4.0 Service Pack 7.
- The Indexing Service fix will be included in Windows 2000 Service Pack 3.
This patch supersedes the one provided in Microsoft Security Bulletin MS00-006.
Verifying patch installation:
Index Server 2.0:
To verify that the patch for the buffer overrun has been installed on the machine, confirm that the following registry key has been created on the machine:
To verify the individual files in the buffer overrun patch, consult the file manifest in Knowledge Base article Q294472.
To verify that the patch for the new variant of the "Malformed Hit-Highlighting" vulnerability has been installed on the machine, confirm that the following registry key has been created on the machine:
To verify the individual files in the patch for the new variant of the "Malformed Hit-Highlighting" vulnerability, consult the file manifest in Knowledge Base article Q296185.
Indexing Service in Windows 2000:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q296185.
- To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q296185\Filelist
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches are also available from the WindowsUpdate web site
Microsoft thanks the following people for working with us to protect customers:
- David Litchfield of @Stake (http://www.atstake.com) for reporting the Index Server 2.0 buffer overrun to us.
- Mike Mullins (http://www.gap.com) for reporting the new variant of the "Malformed Hit-Highlighting" vulnerability to us.
- Microsoft Knowledge Base articles Q296185 and Q294472 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 May 10, 2001: Bulletin Created.
- V1.1 June 23, 2003: Updated Windows Update download links.
Built at 2014-04-18T13:49:36Z-07:00