Vulnerability in the Indexing Service Allows Remote Code Execution (MS05-003)
12 Jan. 2005
Summary
A remote code execution vulnerability exists in the Indexing Service because of the way that it handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition.
Non-Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows XP Service Pack 2
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
* Indexing Service
CVE Information:
Indexing Service Vulnerability - CAN-2004-0897
Mitigating Factors:
* The Indexing Service is not enabled by default on the affected systems.
* Even when the Indexing Service is installed, by default it is not accessible from Internet Information Services (IIS). Manual steps are required to enable (IIS) to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries. Web-based query pages must be created or installed manually that will allow IIS to receive queries from anonymous users and pass those queries to the Indexing Service.
* Only users with permissions to access the manually created or installed queries pages would be able to attempt to exploit this vulnerability through IIS. If these Web-based query pages require authenticated access, anonymous users would not be able to exploit this vulnerable through IIS.
* If none of the Web-based query methods have been manually enabled, only authenticated users would be able to attempt to exploit this vulnerability through remote file system queries.
* Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update.
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Workarounds:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
Block the following at the firewall:
UDP ports 137 and 138 and TCP ports 139 and 445
These ports could be used to initiate a connection with the Indexing Service to perform file system based queries. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability through these ports. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.
If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. We recommend that you block all unsolicited inbound communication from the Internet.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
1.Click Start, and then click Control Panel.
2.In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection, follow these steps:
1.Click Start, and then click Control Panel.
2.In the default Category View, click Networking and Internet Connections, and then click Network Connections.
3.Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
4.Click the Advanced tab.
5.Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note If you want to enable the use of some programs and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services that are required.
Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
Remove the Indexing Service if you do not need it:
If the Indexing Service is no longer needed, you could remove it by following this procedure.
To configure components and services:
1.In Control Panel, open Add or Remove Programs.
2.Click Add/Remove Windows Components.
3.Click to clear the Indexing Service check box to remove the Indexing Service.
4.Complete the Windows Components Wizard by following the instructions on the screen.
You could modify any web pages that use the Index Service to block queries longer than 60 characters. Microsoft Knowledge Base Article 890621 provides more information on how to perform these steps.
Frequently Asked Questions: What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. There are also significant mitigating factors that exist that helps reduce the severity of this vulnerability. For more information see the Mitigating Factors section of the security bulletin.
What causes the vulnerability?
An unchecked buffer in the Indexing Service.
What is Indexing Service?
The Indexing Service is a base service for the affected operating systems. Formerly known as Index Server, its original function was to index the content of Internet Information Services (IIS) Web servers. Indexing Service now creates indexed catalogs for the contents and properties of both file systems and virtual Webs.
The Indexing Service is available to applications and scripts for providing an efficient means of managing, querying, and indexing information in file systems or Web servers. Indexing Service also provides query mechanisms for efficiently accessing the information in the catalogs. The indexed information results from filtering the file systems and the Web servers using Microsoft-supplied filters and, optionally, custom-supplied filters.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
On systems where administrators have manually performed multiple steps and have enabled an anonymous Web-based query interface through Internet Information Services (IIS) to the Indexing Service, any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability. By default, the Indexing Service does not enable the Web-based query interface. However, the Indexing Service does listen on the local network interface for communication requests by default. Any authenticated user could attempt to exploit this vulnerable by sending a specially-crafted network packet to the Indexing Service. This vulnerability could also be used locally by an authenticated user to attempt a local elevation of privilege attack.
What systems are primarily at risk from the vulnerability?
Systems that have the Indexing Service enabled are primarily at risk from this vulnerability from local or network based attacks. Systems that have the Indexing Service accessible through IIS are at risk from this vulnerability from Internet based attacks. If the Indexing Service is not enabled the system would not be vulnerable to this issue. None of the affected systems enable the Indexing Service by default.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information on how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that Indexing Service validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.