Internet.com ISP-Planet

 



Another Vulnerability Discovered in IIS

eEye Digital Security has uncovered another vulnerability in Microsoft's popular Web server software in which a buffer overflow attack could expose Microsoft Indexing Service.

by Thor Olavsrud
of internetnews.com
[June 20, 2001]

eEye Digital Security on Tuesday revealed that it had uncovered a buffer overflow vulnerability in all versions of Microsoft Corp.'s Internet Information Services (IIS) Web server software that allows remote system-level code execution.

Upon discovering the vulnerability, eEye immediately notified Microsoft's security team and worked with the company to develop a patch.

The vulnerability exists in the code that allows an IIS Web server to interact with Microsoft Indexing Service functionality. The .ida (Indexing Service) ISAPI filter, installed by default on all versions of IIS, does not perform proper "bounds checking" on user-supplied input buffers, which makes it susceptible to buffer overflow attacks.

Using such a buffer overflow attack, a malicious hacker could remotely gain full system access to any server running a default installation of Windows NT 4.0, Windows 2000 or Windows XP and using the IIS software. The attacker would then have the run of that server, with the ability to perform any desired action, including installing and running programs, manipulating Web server databases, adding, changing or deleting files and Web pages, etc.

"According to Netcraft, there are roughly 5.9 million Web servers running IIS," eEye said. "It is safe to say that because the vulnerability is within a default IIS component that, at the very least, 50 percent of these servers have the .ida extension running, making this one of, if not the single largest vulnerability in IIS to date."

Microsoft is working to patch Windows XP against the vulnerability before the final version ships to customers.

—End
