Thread: What is 'buffer overrun vulnerability' in IIS?

#1 Web admin

    What is 'buffer overrun vulnerability' in IIS?

    Recently, Code Red has been very famous because it infects so many IIS servers. MS said that Code Red infects IIS by exploiting the 'buffer overrun vulnerability' of IIS. I would like to ask what is 'buffer overrun vulnerability'? Could anyone give me some insights? Thanks.

#2 nvoigt (the hat of redundancy hat), Hannover, Germany, joined Aug 2001

    Technical description:
    As part of its installation process, IIS installs several ISAPI extensions -- .dlls that provide extended functionality. Among these is idq.dll, which is a component of Index Server (known in Windows 2000 as Indexing Service) and provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files).

    A security vulnerability results because idq.dll contains an unchecked buffer in a section of code that handles input URLs. An attacker who could establish a web session with a server on which idq.dll is installed could conduct a buffer overrun attack and execute code on the web server. Idq.dll runs in the System context, so exploiting the vulnerability would give the attacker complete control of the server and allow him to take any desired action on it.

    The buffer overrun occurs before any indexing functionality is requested. As a result, even though idq.dll is a component of Index Server/Indexing Service, the service would not need to be running in order for an attacker to exploit the vulnerability. As long as the script mapping for .idq or .ida files were present, and the attacker were able to establish a web session, he could exploit the vulnerability.

    Clearly, this is a serious vulnerability, and Microsoft urges all customers to take action immediately. Customers who cannot install the patch can protect their systems by removing the script mappings for .idq and .ida files via the Internet Services Manager in IIS. However, as discussed in detail in the FAQ, it is possible for these mappings to be automatically reinstated if additional system components are added or removed. Because of this, Microsoft recommends that all customers using IIS install the patch, even if the script mappings have been removed.

    So by entering a web address that is longer than the buffer for that address in IIS, the rest of the line would be written to some part in memory. Now, if you know where that is, you can place binary code there. If this is executed, it can do almost anything.

    She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."

    When in doubt, read the FAQ.
    Then ask a smart question.
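As an added illustration (not part of the thread, and not IIS or idq.dll code), the toy C request handler below puts the unchecked copy nvoigt describes next to a bounded copy that refuses paths that do not fit, and mirrors the bulletin's workaround of removing the .ida/.idq script mappings as a check that turns such requests away before they reach any handler. PATH_BUF, the function names and the sample request lines are assumptions constructed for this example; the unchecked function is shown only to make the missing check visible and is never called.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed size of the fixed path buffer in this toy handler (not IIS's real value). */
#define PATH_BUF 64

/* Defect pattern, for illustration only: the request path is copied into a
 * fixed-size stack buffer with no length check, so a path of PATH_BUF bytes
 * or more writes past the end of buf. This is the class of bug the bulletin
 * describes. It is never called below and must not be fed untrusted input. */
int copy_path_unchecked(const char *path) {
    char buf[PATH_BUF];
    strcpy(buf, path);                 /* no bound check: overrun on long input */
    return (int)strlen(buf);
}

/* Hardened version: refuse input that does not fit, instead of overrunning
 * or silently truncating. Returns the copied length, or -1 if rejected. */
int copy_path_checked(const char *src, size_t n, char *out, size_t out_len) {
    if (n >= out_len) return -1;       /* need room for the terminating NUL */
    memcpy(out, src, n);
    out[n] = '\0';
    return (int)n;
}

/* Locate the path in an HTTP request line "METHOD path HTTP/x.y".
 * Returns a pointer into line and stores its length in *len; NULL if malformed. */
const char *request_path(const char *line, size_t *len) {
    const char *start = strchr(line, ' ');
    if (!start) return NULL;
    start++;
    const char *end = strchr(start, ' ');
    if (!end || end == start) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* The bulletin's workaround removes the .ida/.idq script mappings so such
 * requests never reach idq.dll. This mirrors that: returns 1 if the path
 * (query string excluded, case-insensitive) ends in one of those extensions. */
int is_idq_mapped_extension(const char *path, size_t len) {
    static const char *exts[] = { ".ida", ".idq" };
    size_t plen = 0;
    while (plen < len && path[plen] != '?') plen++;   /* stop at query string */
    for (size_t e = 0; e < 2; e++) {
        size_t elen = strlen(exts[e]);
        if (plen < elen) continue;
        size_t k = 0;
        while (k < elen &&
               tolower((unsigned char)path[plen - elen + k]) == exts[e][k]) k++;
        if (k == elen) return 1;
    }
    return 0;
}

/* Classify one request line. 0 = accepted, 1 = blocked (unmapped extension),
 * 2 = rejected (path too long for the buffer), 3 = malformed request line. */
int classify_request(const char *line) {
    size_t len;
    char path[PATH_BUF];
    const char *p = request_path(line, &len);
    if (!p) return 3;
    if (is_idq_mapped_extension(p, len)) return 1;
    if (copy_path_checked(p, len, path, sizeof path) < 0) return 2;
    return 0;
}

/* Builds a constructed request whose path is far longer than PATH_BUF and
 * returns its classification (expected: 2, rejected rather than overrun). */
int classify_long_request(void) {
    char line[512];
    size_t n = 0;
    n += (size_t)snprintf(line, sizeof line, "GET /cgi?");
    memset(line + n, 'X', 300);        /* 300-byte filler, well past PATH_BUF */
    n += 300;
    snprintf(line + n, sizeof line - n, " HTTP/1.0");
    return classify_request(line);
}

int main(void) {
    /* Constructed sample request lines (not captured traffic). */
    const char *samples[] = {
        "GET /index.html HTTP/1.0",
        "GET /default.ida?x HTTP/1.0",
        "GET /scripts/query.IDQ HTTP/1.0",
        "NOT-A-REQUEST",
    };
    static const char *names[] = { "accepted", "blocked", "rejected", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i], names[classify_request(samples[i])]);
    printf("%-40s -> %s\n", "<300-byte path>", names[classify_long_request()]);
    return 0;
}
```

The point of the bounded version is that it rejects rather than truncates: silently cutting a path short can turn one request into a different one, while refusing it keeps the buffer size from ever mattering to the caller. The extension check stands in for what removing the script mapping achieves, and the bulletin's own caveat applies to it too: a mapping that is reinstated by a later component install reopens the path, which is why the patch is the real fix.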

