[NT] Vulnerability in the Indexing Service Allows Remote Code Execution (MS05-003)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/12/05

  • Next message: SecuriTeam: "[NT] Windows ANI File Parsing Buffer Overflow (MS05-002)"
    To: list@securiteam.com
    Date: 12 Jan 2005 11:40:29 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in the Indexing Service Allows Remote Code Execution
    (MS05-003)
    ------------------------------------------------------------------------

    SUMMARY

    A remote code execution vulnerability exists in the Indexing Service
    because of the way that it handles query validation. An attacker could
    exploit the vulnerability by constructing a malicious query that could
    potentially allow remote code execution on an affected system. An attacker
    who successfully exploited this vulnerability could take complete control
    of an affected system. While remote code execution is possible, an attack
    would most likely result in a denial of service condition.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
    Service Pack 4
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=CFA4F3DA-0C2B-44B3-83DB-EB4D8C5B3B13> Download the update
     * Microsoft Windows XP Service Pack 1
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=FB8A7622-94AB-44E7-85C3-163BAC4602E2> Download the update
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=30A83F1D-87E9-4720-8316-191AE509F094> Download the update
     * Microsoft Windows XP 64-Bit Edition Version 2003
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C3474E75-1FE2-4215-8A8D-A9244FF93419> Download the update
     * Microsoft Windows Server 2003
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=50F72DC5-5DD6-4D12-A91C-6815EC8203EF> Download the update
     * Microsoft Windows Server 2003 64-Bit Edition
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C3474E75-1FE2-4215-8A8D-A9244FF93419> Download the update

    Non-Affected Software:
     * Microsoft Windows NT Server 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
     * Microsoft Windows XP Service Pack 2
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    Affected Components:
     * Indexing Service

    CVE Information:
    Indexing Service Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0897>
    CAN-2004-0897

    Mitigating Factors:
     * The Indexing Service is not enabled by default on the affected systems.
     * Even when the Indexing Service is installed, by default it is not
    accessible from Internet Information Services (IIS). Manual steps are
    required to enable (IIS) to become a Web-based interface for the Indexing
    Service. By default the Indexing Service is used only to perform local and
    remote file system queries. Web-based query pages must be created or
    installed manually that will allow IIS to receive queries from anonymous
    users and pass those queries to the Indexing Service.
     * Only users with permissions to access the manually created or installed
    queries pages would be able to attempt to exploit this vulnerability
    through IIS. If these Web-based query pages require authenticated access,
    anonymous users would not be able to exploit this vulnerable through IIS.
     * If none of the Web-based query methods have been manually enabled, only
    authenticated users would be able to attempt to exploit this vulnerability
    through remote file system queries.
     * Windows 2000 is not affected by this vulnerability. However the
    additional security-related change does affect Windows 2000 and we
    recommend customers install this update.
     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

    Workarounds:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

    Block the following at the firewall:
    UDP ports 137 and 138 and TCP ports 139 and 445

    These ports could be used to initiate a connection with the Indexing
    Service to perform file system based queries. Blocking them at the
    firewall will help prevent systems that are behind that firewall from
    attempts to exploit this vulnerability through these ports. We recommend
    that you block all unsolicited inbound communication from the Internet to
    help prevent attacks that may use other ports.
    Use a personal firewall such as the Internet Connection Firewall, which is
    included with Windows XP and Windows Server 2003.

    If you use the Internet Connection Firewall feature in Windows XP or in
    Windows Server 2003 to help protect your Internet connection, it blocks
    unsolicited inbound traffic by default. We recommend that you block all
    unsolicited inbound communication from the Internet.

    To enable the Internet Connection Firewall feature by using the Network
    Setup Wizard, follow these steps:
    1.Click Start, and then click Control Panel.
    2.In the default Category View, click Network and Internet Connections,
    and then click Setup or change your home or small office network. The
    Internet Connection Firewall feature is enabled when you select a
    configuration in the Network Setup Wizard that indicates that your system
    is connected directly to the Internet.
    To configure Internet Connection Firewall manually for a connection,
    follow these steps:
    1.Click Start, and then click Control Panel.
    2.In the default Category View, click Networking and Internet Connections,
    and then click Network Connections.
    3.Right-click the connection on which you want to enable Internet
    Connection Firewall, and then click Properties.
    4.Click the Advanced tab.
    5.Click to select the Protect my computer or network by limiting or
    preventing access to this computer from the Internet check box, and then
    click OK.
    Note If you want to enable the use of some programs and services through
    the firewall, click Settings on the Advanced tab, and then select the
    programs, protocols, and services that are required.

    Enable advanced TCP/IP filtering on systems that support this feature.
    You can enable advanced TCP/IP filtering to block all unsolicited inbound
    traffic. For more information about how to configure TCP/IP filtering, see
     <http://support.microsoft.com/kb/309798> Microsoft Knowledge Base Article
    309798.

    Block the affected ports by using IPSec on the affected systems.
    Use Internet Protocol security (IPSec) to help protect network
    communications. Detailed information about IPSec and how to apply filters
    is available in <http://support.microsoft.com/kb/313190> Microsoft
    Knowledge Base Article 313190 and
    <http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
    813878.

    Remove the Indexing Service if you do not need it:
    If the Indexing Service is no longer needed, you could remove it by
    following this procedure.
    To configure components and services:
    1.In Control Panel, open Add or Remove Programs.
    2.Click Add/Remove Windows Components.
    3.Click to clear the Indexing Service check box to remove the Indexing
    Service.
    4.Complete the Windows Components Wizard by following the instructions on
    the screen.

    You could modify any web pages that use the Index Service to block queries
    longer than 60 characters. <http://support.microsoft.com/kb/890621>
    Microsoft Knowledge Base Article 890621 provides more information on how
    to perform these steps.

    Frequently Asked Questions:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system. An attacker could then install programs; view, change,
    or delete data; or create new accounts with full privileges. While remote
    code execution is possible, an attack would most likely result in a denial
    of service condition. There are also significant mitigating factors that
    exist that helps reduce the severity of this vulnerability. For more
    information see the Mitigating Factors section of the security bulletin.

    What causes the vulnerability?
    An unchecked buffer in the Indexing Service.

    What is Indexing Service?
    The Indexing Service is a base service for the affected operating systems.
    Formerly known as Index Server, its original function was to index the
    content of Internet Information Services (IIS) Web servers. Indexing
    Service now creates indexed catalogs for the contents and properties of
    both file systems and virtual Webs.

    The Indexing Service is available to applications and scripts for
    providing an efficient means of managing, querying, and indexing
    information in file systems or Web servers. Indexing Service also provides
    query mechanisms for efficiently accessing the information in the
    catalogs. The indexed information results from filtering the file systems
    and the Web servers using Microsoft-supplied filters and, optionally,
    custom-supplied filters.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    Who could exploit the vulnerability?
    On systems where administrators have manually performed multiple steps and
    have enabled an anonymous Web-based query interface through Internet
    Information Services (IIS) to the Indexing Service, any anonymous user who
    could deliver a specially crafted message to the affected system could
    attempt to exploit this vulnerability. By default, the Indexing Service
    does not enable the Web-based query interface. However, the Indexing
    Service does listen on the local network interface for communication
    requests by default. Any authenticated user could attempt to exploit this
    vulnerable by sending a specially-crafted network packet to the Indexing
    Service. This vulnerability could also be used locally by an authenticated
    user to attempt a local elevation of privilege attack.

    What systems are primarily at risk from the vulnerability?
    Systems that have the Indexing Service enabled are primarily at risk from
    this vulnerability from local or network based attacks. Systems that have
    the Indexing Service accessible through IIS are at risk from this
    vulnerability from Internet based attacks. If the Indexing Service is not
    enabled the system would not be vulnerable to this issue. None of the
    affected systems enable the Indexing Service by default.

    Could the vulnerability be exploited over the Internet?
    Yes. An attacker could attempt to exploit this vulnerability over the
    Internet. Firewall best practices and standard default firewall
    configurations can help protect against attacks that originate from the
    Internet. Microsoft has provided information on how you can help protect
    your PC. End users can visit the Protect Your PC Web site. IT
    Professionals can visit the Security Guidance Center Web site.

    What does the update do?
    The update removes the vulnerability by modifying the way that Indexing
    Service validates the length of a message before it passes the message to
    the allocated buffer.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly disclosed when this security bulletin was
    originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Windows ANI File Parsing Buffer Overflow (MS05-002)"

    Relevant Pages

    • [NT] Vulnerability in Microsoft Agent Allows Code Execution (MS07-051)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... A remote code execution vulnerability exists in Microsoft Agent in the way ... Internet Explorer by setting the kill bit for the control in the registry. ...
      (Securiteam)
    • Risks Digest 28.35
      ... Ontario Provincial Police Recommend Ending Anonymity on the Internet ... Microsoft reports CRITICAL Vulnerability in Windows 7/2003 and later ... "Apple security checks may still miss iWorm malware" (Jeremy Kirk via ... Risks of assuming votes are accurate ...
      (comp.risks)
    • [NT] Vulnerability in OLE Automation Allows Code Execution
      ... Get your security news from a reliable source. ... This critical security update resolves a privately reported vulnerability. ... compromised Web sites and advertisement servers could contain specially ... mode sets the security level for the Internet zone to High. ...
      (Securiteam)
    • [NT] Vulnerability in Windows Shell Allows Remote Code Execution (MS05-008)
      ... Get your security news from a reliable source. ... A privilege elevation vulnerability exists in Windows because of the way ... MS03-040 or a later Cumulative Security Update for Internet Explorer. ... Note Setting the level to High may cause some Web sites to work ...
      (Securiteam)
    • [NT] Vulnerability in Windows Explorer Allows Execution (MS06-057)
      ... Get your security news from a reliable source. ... A remote code execution vulnerability exists in Windows Shell due to ... Prevent the WebViewFolderIcon ActiveX object from running in Internet ... Web sites that use the WebViewFolderIcon ActiveX ...
      (Securiteam)