The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in the Indexing Service Allows Remote Code Execution
(MS05-003)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in the Indexing Service
because of the way that it handles query validation. An attacker could
exploit the vulnerability by constructing a malicious query that could
potentially allow remote code execution on an affected system. An attacker
who successfully exploited this vulnerability could take complete control
of an affected system. While remote code execution is possible, an attack
would most likely result in a denial of service condition.
DETAILS
Affected Software:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CFA4F3DA-0C2B-44B3-83DB-EB4D8C5B3B13>
Download the update
* Microsoft Windows XP Service Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=FB8A7622-94AB-44E7-85C3-163BAC4602E2>
Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=30A83F1D-87E9-4720-8316-191AE509F094>
Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C3474E75-1FE2-4215-8A8D-A9244FF93419>
Download the update
* Microsoft Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=50F72DC5-5DD6-4D12-A91C-6815EC8203EF>
Download the update
* Microsoft Windows Server 2003 64-Bit Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C3474E75-1FE2-4215-8A8D-A9244FF93419>
Download the update
Non-Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows XP Service Pack 2
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Affected Components:
* Indexing Service
CVE Information:
Indexing Service Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0897>
CAN-2004-0897
Mitigating Factors:
* The Indexing Service is not enabled by default on the affected systems.
* Even when the Indexing Service is installed, by default it is not
accessible from Internet Information Services (IIS). Manual steps are
required to enable (IIS) to become a Web-based interface for the Indexing
Service. By default the Indexing Service is used only to perform local and
remote file system queries. Web-based query pages must be created or
installed manually that will allow IIS to receive queries from anonymous
users and pass those queries to the Indexing Service.
* Only users with permissions to access the manually created or installed
queries pages would be able to attempt to exploit this vulnerability
through IIS. If these Web-based query pages require authenticated access,
anonymous users would not be able to exploit this vulnerable through IIS.
* If none of the Web-based query methods have been manually enabled, only
authenticated users would be able to attempt to exploit this vulnerability
through remote file system queries.
* Windows 2000 is not affected by this vulnerability. However the
additional security-related change does affect Windows 2000 and we
recommend customers install this update.
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.
Workarounds:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
below.
Block the following at the firewall:
UDP ports 137 and 138 and TCP ports 139 and 445
These ports could be used to initiate a connection with the Indexing
Service to perform file system based queries. Blocking them at the
firewall will help prevent systems that are behind that firewall from
attempts to exploit this vulnerability through these ports. We recommend
that you block all unsolicited inbound communication from the Internet to
help prevent attacks that may use other ports.
Use a personal firewall such as the Internet Connection Firewall, which is
included with Windows XP and Windows Server 2003.
If you use the Internet Connection Firewall feature in Windows XP or in
Windows Server 2003 to help protect your Internet connection, it blocks
unsolicited inbound traffic by default. We recommend that you block all
unsolicited inbound communication from the Internet.
To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:
1.Click Start, and then click Control Panel.
2.In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your system
is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection,
follow these steps:
1.Click Start, and then click Control Panel.
2.In the default Category View, click Networking and Internet Connections,
and then click Network Connections.
3.Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4.Click the Advanced tab.
5.Click to select the Protect my computer or network by limiting or
preventing access to this computer from the Internet check box, and then
click OK.
Note If you want to enable the use of some programs and services through
the firewall, click Settings on the Advanced tab, and then select the
programs, protocols, and services that are required.
Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering, see
<http://support.microsoft.com/kb/309798> Microsoft Knowledge Base Article
309798.
Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and how to apply filters
is available in <http://support.microsoft.com/kb/313190> Microsoft
Knowledge Base Article 313190 and
<http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
813878.
Remove the Indexing Service if you do not need it:
If the Indexing Service is no longer needed, you could remove it by
following this procedure.
To configure components and services:
1.In Control Panel, open Add or Remove Programs.
2.Click Add/Remove Windows Components.
3.Click to clear the Indexing Service check box to remove the Indexing
Service.
4.Complete the Windows Components Wizard by following the instructions on
the screen.
You could modify any web pages that use the Index Service to block queries
longer than 60 characters. <http://support.microsoft.com/kb/890621>
Microsoft Knowledge Base Article 890621 provides more information on how
to perform these steps.
Frequently Asked Questions:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full privileges. While remote
code execution is possible, an attack would most likely result in a denial
of service condition. There are also significant mitigating factors that
exist that helps reduce the severity of this vulnerability. For more
information see the Mitigating Factors section of the security bulletin.
What causes the vulnerability?
An unchecked buffer in the Indexing Service.
What is Indexing Service?
The Indexing Service is a base service for the affected operating systems.
Formerly known as Index Server, its original function was to index the
content of Internet Information Services (IIS) Web servers. Indexing
Service now creates indexed catalogs for the contents and properties of
both file systems and virtual Webs.
The Indexing Service is available to applications and scripts for
providing an efficient means of managing, querying, and indexing
information in file systems or Web servers. Indexing Service also provides
query mechanisms for efficiently accessing the information in the
catalogs. The indexed information results from filtering the file systems
and the Web servers using Microsoft-supplied filters and, optionally,
custom-supplied filters.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
Who could exploit the vulnerability?
On systems where administrators have manually performed multiple steps and
have enabled an anonymous Web-based query interface through Internet
Information Services (IIS) to the Indexing Service, any anonymous user who
could deliver a specially crafted message to the affected system could
attempt to exploit this vulnerability. By default, the Indexing Service
does not enable the Web-based query interface. However, the Indexing
Service does listen on the local network interface for communication
requests by default. Any authenticated user could attempt to exploit this
vulnerable by sending a specially-crafted network packet to the Indexing
Service. This vulnerability could also be used locally by an authenticated
user to attempt a local elevation of privilege attack.
What systems are primarily at risk from the vulnerability?
Systems that have the Indexing Service enabled are primarily at risk from
this vulnerability from local or network based attacks. Systems that have
the Indexing Service accessible through IIS are at risk from this
vulnerability from Internet based attacks. If the Indexing Service is not
enabled the system would not be vulnerable to this issue. None of the
affected systems enable the Indexing Service by default.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information on how you can help protect
your PC. End users can visit the Protect Your PC Web site. IT
Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that Indexing
Service validates the length of a message before it passes the message to
the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly disclosed when this security bulletin was
originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx>
http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
