The IIS Indexing Buffer Overflow

For the second time in three months, an unchecked buffer in an Internet Services API (ISAPI) extension for Microsoft’s Internet Information Server (IIS) has created major security vulnerabilities. The latest problem, which affects Windows NT, Windows 2000, Windows XP (beta), and Windows .NET Server (beta) resides in the Indexing ISAPI extension. Both this Indexing ISAPI problem and a previous problem with the Internet Printing ISAPI extension (see “IIS 5.0 Printing Major Security Threat” on page 10 of the June 2001 Update) are serious vulnerabilities, as a remote attacker could exploit either problem to gain complete control of the system.

An ISAPI extension is a DLL that adds functionality to an IIS server; for example, the Indexing ISAPI extension is a component of the Index Server (in Windows 2000 the Indexing Service) that provides support for scripts and data queries that use the Index Server. The buffer overflow in the Indexing ISAPI extension can be exploited before any request for indexing is made. So, even if the service is not running, but a script is mapping for Index Server file types (.ida or .idq files), an attacker can establish a Web session and exploit the vulnerability.