Microsoft Security Bulletin MS01-025

Technical description:

The patches discussed below address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.

The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006. The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type If an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.

Mitigating factors:

• Index Server 2.0 buffer overrun:
  • In order to exploit the vulnerability, the attacker would need the ability to authenticate to the server and to create a named pipe connection to it (which requires access to NetBIOS, which should be blocked at the firewall). As a result, it is likely that this vulnerability could, in a properly configured network, only be exploited by an intranet user.
  • The vulnerability only affects Index Server 2.0. Indexing Services in Windows 2000 is not affected by it.
  • Index Server 2.0 is not provided as part of Windows NT 4.0; instead, it is part of the Windows NT 4.0 Option Pack. It installs by default as part of that package, but does not run by default.
• New Variant of "Malformed Hit-Highlighting" vulnerability:
  • The vulnerability would only allow files to be read. They could not be added, changed or deleted via this vulnerability.
  • Server-side "include" files should not contain sensitive data. If this recommendation has been followed, there would be no sensitive data to compromise via this vulnerability.
  • The vulnerability would only allow files residing on the web server - and in the same logical drive as the server's root directory - to be read. It would not allow files elsewhere on the server, or files residing on a remote server, to be read.

Vulnerability identifier:

• Index Server 2.0 buffer overrun: CAN-2001-0244
• New variant of "Malformed Hit-Highlighting" vulnerability: CAN-2001-0245

Tested Versions:

Microsoft tested Index Server 2.0 and Indexing Service in Windows 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What vulnerabilities are discussed in this bulletin?
This bulletin discusses two vulnerabilities that are unrelated, except by the fact that both affect Index Server. The vulnerabilities are:

• A vulnerability affecting only Index Server 2.0, that could allow an attacker to run code on the index server.
• A new variant of a previously discussed vulnerability affecting both Index Server 2.0 and Indexing Service in Windows 2000.

What are Index Server and Indexing Service? 
Index Server 2.0 is a full-text indexing and search engine that was shipped as part of the Windows NT 4.0 Option Pack. In Windows 2000, this capability was provided as a native service, known as Indexing Service.
Both Index Server 2.0 and Indexing Service provide the ability to make data on a web site or server searchable. This enables users to use a web browser to search for documents based on keywords, phrases or properties.

What's the scope of the first vulnerability?
The first vulnerability is a buffer overrun vulnerability affecting Index Server 2.0. By providing a specially malformed parameter in a search request, an attacker could cause either of two effects. In the simpler case, she could cause Index Server 2.0 to fail. In the more complex case, she could cause code of her choice to execute on the server. This code would run with system privileges, and could therefore take any desired action on the server.
Because of the specific circumstances under which the vulnerability occurs, the attacker would need to already have some privileges on the machine. In addition, proper firewalling would serve to prevent an Internet user from exploiting the vulnerability. Finally, it's important to note that only Index Server 2.0 is affected - Indexing Service is not.

What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of code that processes search requests. By providing a specially malformed search parameter, an attacker could overrun the buffer.

What would this enable an attacker to do?
As is usually the case in buffer overrun vulnerabilities, an attacker could exploit the vulnerability in either of two ways. If she supplied a sufficiently large quantity of random data in the affected parameter, it would cause the service to fail. This would not cause any other services to fail, nor would it cause the server itself to fail. Nevertheless, other users would be unable to perform searches until the administrator restarted Index Server.
On the other hand, if she supplied carefully selected data as the parameter, it would be possible for the attacker to, in essence, modify the Index Server code as it was running. This would allow her to introduce new functionality if she wished. Because Index Server runs in the Local System context, the attacker's code would have sufficient privileges to perform any desired action, such as altering web content or reformatting the hard drive.

Would the latter attack allow the attacker to take over a network?
Although the vulnerability would enable the user to gain complete control over the server, it would not give her any elevated privileges on the network. By default, Index Server runs in the security context of a local, not domain, account. Of course, it would be possible for a domain administrator to reconfigure Index Server to run in a domain security context, but this is extremely bad practice.

Could an attacker exploit this vulnerability from the Internet?
In most cases, this vulnerability could only be exploited by a network insider. To levy the search request, the attacker would need a valid user account on the server. In addition, she would need the ability to create a named pipe connection to the server, which requires access to the NetBIOS ports on the server. However, NetBIOS should always be blocked at the firewall.

Is Index Server 2.0 installed on Windows NT 4.0 systems by default?
Index Server 2.0 isn't provided as part of Windows NT 4.0; instead, it comes as part of the Windows NT 4.0 Option Pack. If installed as part of the Option Pack, it does run by default.

Does this vulnerability affect Windows 2000 systems?
No. Indexing Service in Windows 2000 does not contain the unchecked buffer, and is not affected by the vulnerability.

What does the patch do?
The patch eliminates the vulnerability by ensuring that Index Server 2.0 properly checks the length of all search parameters before using them.

What's the scope of the second vulnerability?
The second vulnerability is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006. It could allow a malicious user to view - but not add, change or delete - files that reside on a web server.
The vulnerability only affects files that reside on the web server itself, and only on the same logical drive as the server's root directory. Files residing on a remote server at a web site - for instance, files on a remote database server - would not be at risk from this vulnerability.

How is the new variant different than the original vulnerability?
The new variant is, for all practical purposes, exactly the same as the original one, except in the specific type of files it would enable an attacker to read. The new variant could enable "include" files to be read, even after applying the original patch.

What's an "include" file?
"include" files are ones that contain information that will be incorporated into a program file when it executes. Typically, these files contain parameters or commonly used code. However, they should never contain sensitive information like passwords. If this recommendation has been followed, even an attacker who could read the files would gain nothing from them.

Does this vulnerability affect both Index Server 2.0 and Indexing Service?
Yes.

What does the patch do?
The patch extends the protection offered by the original patch, to also prevent the new variant from succeeding.

If I apply this patch, do I need to apply the original patch?
No. This patch completely supersedes the one provided in Microsoft Security Bulletin MS00-006.

Download locations for this patch

• Index Server 2.0:
  • Index Server buffer overrun:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=18264A15-EBCF-4563-82B5-2F1681BACB8D&displaylang=en

  • New variant of "Malformed Hit-Highlighting" vulnerability:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=E1163A39-BD80-4D73-BE6B-EC164AD4E8EF&displaylang=en

• Indexing Service in Windows 2000 Professional, Server and Advanced Server:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=4E921C3D-0FEA-4EA7-929A-0441590A8E40&displaylang=en

• Indexing Service in Windows 2000 Datacenter Server:

  Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer