
Vulnerability:Win/SMB.IndexSrv.RCE!CVE-2004-0897

Severity rating: Important
Class/Type: Vulnerability
Discovered date: 2005-01-11T00:00:00
Attack vector: Remote
Authentication required: No
Public exploits available: Yes
Signature detection: Medium







Description

A remote code execution vulnerability exists in the Indexing Service because of the way that it handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system.



Impact

An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition.



Technical details (analysis)

The Indexing Service is a base service for the affected operating systems. Formerly known as Index Server, its original function was to index the content of Internet Information Services (IIS) Web servers. Indexing Service now creates indexed catalogs for the contents and properties of both file systems and virtual Webs. A malicious index query sent to the Indexing Service could result in remote code execution (RCE) because of the way that the service maps numerical string values.



Affected software

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition



Non-affected software

Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows XP Service Pack 2
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)







NIS signature

Name: Vulnerability:Win/SMB.IndexSrv.RCE!CVE-2004-0897
Release Date: 2005-01-11T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Block the following at the firewall.
Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003.
Enable advanced TCP/IP filtering on systems that support this feature.
Block the affected ports by using IPSec on the affected systems.
Remove the Indexing Service if you do not need it.