Last revised: January 17, 2002
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected

Overview

A vulnerability exists in the Indexing Services used by Microsoft
IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta
versions of Windows XP. This vulnerability allows a remote intruder to
run arbitrary code on the victim machine.

Since specific technical details on how to create an exploit are
publicly available for this vulnerability, system administrators
should apply fixes or workarounds on affected systems as soon as
possible.

A translation of this advisory into Polish is available at
http://www.cert.pl/CA/CA-2001-13-PL.html.

II. Impact

Anyone who can reach a vulnerable web server can execute arbitrary
code in the Local System security context. This results in the
intruder gaining complete control of the system. Note that this may be
significantly more serious than a simple "web defacement."

III. Solution

Apply a patch from your vendor

Apply patches for vulnerable Windows NT 4.0 and Windows 2000 systems:

For Windows NT 4.0:

For Windows 2000 Professional, Server, and Advanced Server:

Users of Windows 2000 Datacenter Server software should contact
their original equipment manufacturer (OEM) for patches. A list of OEM
providers may be found here:

Users of beta copies of Windows XP should upgrade to a newer version
of the software when it becomes available.

Workarounds

All affected versions of IIS/Indexing Services can be protected
against exploits of this vulnerability by removing script mappings for
Internet Data Administration (.ida) and Internet Data Query (.idq)
files. However, such mappings may be recreated when installing other
related software components.

Appendix A. Vendor Information

Microsoft Corporation

The following documents regarding this vulnerability are available
from Microsoft:

References

Feedback concerning this document may be directed to Jeffrey S. Havrilla.
Copyright 2001 Carnegie Mellon University.
Revision History
Jun 19, 2001: Initial Release
Jun 21, 2001: Removed statement about patch supersession
Jul 17, 2001: Updated Feedback link
Jul 30, 2001: Added link to Polish translation
Aug 16, 2001: Added link to Microsoft Security Bulletin MS01-044
Jan 17, 2002: Updated Feedback link
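
Because the .ida and .idq script mappings described in the workaround above may be recreated when other components are installed, the workaround needs to be rechecked after each such change. The following is an added example, not part of the original advisory and not vendor tooling: it scans a text export of script mappings and reports every node where an .ida or .idq mapping is still present. The export layout, node names, paths and flag values are constructed assumptions for illustration.

```python
"""Audit exported IIS script mappings for leftover .ida/.idq entries."""

RISKY_EXTENSIONS = {".ida", ".idq"}  # the two mappings the advisory says to remove

# Constructed sample: one "[node]" header per configuration node, followed by
# script-map entries in the form "extension,executable,flags,verbs...".
# This export layout is an assumption made for the example.
SAMPLE_EXPORT = r"""
[W3SVC]
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE
.IDA,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST
.idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST
[W3SVC/1/ROOT]
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE
[W3SVC/2/ROOT]
.idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST
"""


def parse_export(text):
    """Return {node: [(extension, executable), ...]} from the export text."""
    mappings, node = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            node = line[1:-1]
            mappings.setdefault(node, [])
        elif node is not None and "," in line:
            extension, executable = line.split(",")[:2]
            # Extensions are compared case-insensitively (.IDA == .ida).
            mappings[node].append((extension.strip().lower(), executable.strip()))
    return mappings


def find_risky_mappings(text):
    """List (node, extension, executable) for every .ida/.idq mapping present."""
    return [
        (node, ext, exe)
        for node, entries in parse_export(text).items()
        for ext, exe in entries
        if ext in RISKY_EXTENSIONS
    ]


if __name__ == "__main__":
    for node, ext, exe in find_risky_mappings(SAMPLE_EXPORT):
        print(f"{node}: {ext} still mapped to {exe}")
```

An empty result means no .ida or .idq mapping remains in the exported nodes; any hit identifies the node where the mapping has to be removed again.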