What vulnerabilities are discussed in this bulletin?
This bulletin discusses two vulnerabilities that are otherwise unrelated; the only thing they have in common is that both affect Index Server. The vulnerabilities are:
• A buffer overrun affecting only Index Server 2.0, which could allow an attacker to run code of her choice on the index server.
• A new variant of a previously discussed file-disclosure vulnerability, affecting both Index Server 2.0 and Indexing Service in Windows 2000.
What are Index Server and Indexing Service?
Index Server 2.0 is a full-text indexing and search engine that was shipped as part of the Windows NT 4.0 Option Pack. In Windows 2000, this capability was provided as a native service, known as Indexing Service.
Both Index Server 2.0 and Indexing Service provide the ability to make data on a web site or server searchable. This enables users to use a web browser to search for documents based on keywords, phrases or properties.
What's the scope of the first vulnerability?
The first vulnerability is a buffer overrun in Index Server 2.0. By supplying a specially malformed parameter in a search request, an attacker could produce either of two effects. In the simpler case, she could cause Index Server 2.0 to fail. In the more complex case, she could cause code of her choice to execute on the server. That code would run in the Local System security context and could therefore take any action on the server.
Because of the specific circumstances under which the vulnerability occurs, the attacker would need to already hold a valid account on the machine and be able to reach its NetBIOS ports. Blocking NetBIOS at the firewall therefore prevents an Internet user from exploiting the vulnerability. Finally, only Index Server 2.0 is affected; Indexing Service in Windows 2000 is not.
What causes the vulnerability?
The vulnerability results because there is an unchecked buffer in a section of code that processes search requests. By providing a specially malformed search parameter, an attacker could overrun the buffer.
What would this enable an attacker to do?
As is usually the case with buffer overrun vulnerabilities, an attacker could exploit it in either of two ways. If she supplied a sufficiently large quantity of arbitrary filler in the affected parameter, the data written past the end of the buffer would corrupt whatever lies beyond it, and the service would fail. This would not cause any other services to fail, nor would it bring down the server itself. Nevertheless, other users would be unable to perform searches until the administrator restarted Index Server.
On the other hand, if she supplied carefully selected data as the parameter, the same overrun would overwrite control data adjacent to the buffer (for instance a saved return address) with values of her choosing, redirecting execution into instructions she supplied as part of the request. In effect, she could add new functionality to the running Index Server process. Because Index Server runs in the Local System context, the attacker's code would have sufficient privileges to perform any desired action, such as altering web content or reformatting the hard drive.
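The two outcomes above follow from one defect: the length of the search parameter is never compared against the size of the buffer that receives it. The following C program is an added illustration and is not Index Server's code; the buffer size, the frame layout (parameter buffer followed directly by a saved return address) and the helper names are assumptions chosen for the demonstration. It models the frame as a single byte array so that every write is well-defined C, shows the unchecked copy beside the bounded copy a patch would use, and runs the three cases the text describes: filler that leaves the return address pointing at garbage, a chosen address placed at exactly the right offset, and the same oversized request rejected by the checked version.

```c
/* Added illustration (not Index Server code): how an unchecked copy of a
 * search parameter into a fixed-size buffer produces the two outcomes the
 * bulletin describes, and what the patch's length check looks like.
 * The frame layout and sizes are assumptions chosen for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PARAM_MAX 32                              /* assumed buffer size */
#define FRAME_SIZE (PARAM_MAX + sizeof(uintptr_t))

/* Model of a stack frame as one byte array so every write below is
 * well-defined C: bytes [0, PARAM_MAX) hold the search parameter, the
 * sizeof(uintptr_t) bytes after it hold the saved return address. */
static void frame_init(unsigned char *frame, uintptr_t saved_ret) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + PARAM_MAX, &saved_ret, sizeof saved_ret);
}

static uintptr_t frame_saved_ret(const unsigned char *frame) {
    uintptr_t r;
    memcpy(&r, frame + PARAM_MAX, sizeof r);
    return r;
}

/* Vulnerable handler: copies as many bytes as the request claims. Anything
 * past PARAM_MAX lands on the saved return address. */
static void copy_param_unchecked(unsigned char *frame,
                                 const unsigned char *param, size_t len) {
    memcpy(frame, param, len);          /* no comparison against PARAM_MAX */
}

/* Patched handler: refuse the request before touching the buffer. */
static int copy_param_checked(unsigned char *frame,
                              const unsigned char *param, size_t len) {
    if (len >= PARAM_MAX)               /* reserve one byte for the terminator */
        return -1;
    memcpy(frame, param, len);
    frame[len] = '\0';
    return 0;
}

#define ORIGINAL_RET ((uintptr_t)0x1000)   /* stand-in for the real return address */

/* Case 1: a run of filler bytes. Returns 1 if the saved return address now
 * consists of filler, i.e. the function would jump to garbage and crash. */
int demo_filler_overrun(void) {
    unsigned char frame[FRAME_SIZE], param[FRAME_SIZE];
    uintptr_t filler;
    frame_init(frame, ORIGINAL_RET);
    memset(param, 'A', sizeof param);
    copy_param_unchecked(frame, param, sizeof param);
    memset(&filler, 'A', sizeof filler);
    return frame_saved_ret(frame) == filler;
}

/* Case 2: carefully selected bytes. The attacker places a chosen address at
 * offset PARAM_MAX; the function returns whatever now sits in the slot. */
uintptr_t demo_targeted_overrun(uintptr_t chosen) {
    unsigned char frame[FRAME_SIZE], param[FRAME_SIZE];
    frame_init(frame, ORIGINAL_RET);
    memset(param, 'A', PARAM_MAX);
    memcpy(param + PARAM_MAX, &chosen, sizeof chosen);
    copy_param_unchecked(frame, param, sizeof param);
    return frame_saved_ret(frame);
}

/* Case 3: the same oversized request against the patched handler. Returns 1
 * if it was rejected and the saved return address is untouched. */
int demo_patched_rejects(void) {
    unsigned char frame[FRAME_SIZE], param[FRAME_SIZE];
    frame_init(frame, ORIGINAL_RET);
    memset(param, 'A', sizeof param);
    int rc = copy_param_checked(frame, param, sizeof param);
    return rc == -1 && frame_saved_ret(frame) == ORIGINAL_RET;
}

int main(void) {
    printf("filler overrun clobbers return address: %d\n", demo_filler_overrun());
    printf("targeted overrun sets return address to %#lx\n",
           (unsigned long)demo_targeted_overrun((uintptr_t)0xdeadbeef));
    printf("patched handler rejects and preserves frame: %d\n", demo_patched_rejects());
    return 0;
}
```

The difference between the crash and the code-execution case is only the content of the bytes that land on the return-address slot; the check in copy_param_checked removes both outcomes at once, which is why a single length check is the complete fix for this class of bug.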
Would the latter attack allow the attacker to take over a network?
Although the vulnerability would enable the attacker to gain complete control over the server, it would not by itself give her any elevated privileges on the network. By default, Index Server runs in the security context of a local, not domain, account. It would be possible for a domain administrator to reconfigure Index Server to run in a domain security context, but this is extremely bad practice. Note that complete control of the server still exposes everything stored or entered on that machine, so the compromised server should be treated as fully untrusted until rebuilt.
Could an attacker exploit this vulnerability from the Internet?
In most cases, this vulnerability could only be exploited by a network insider. To submit the malformed search request, the attacker would need a valid user account on the server. In addition, she would need the ability to create a named pipe connection to the server, which requires access to the server's NetBIOS ports (TCP 139 for the session service, together with UDP 137 and 138). NetBIOS should always be blocked at the firewall that faces the Internet, and administrators can confirm this by checking that those ports are unreachable from outside.
Is Index Server 2.0 installed on Windows NT 4.0 systems by default?
Index Server 2.0 isn't provided as part of Windows NT 4.0 itself; it comes with the Windows NT 4.0 Option Pack. If it was installed from the Option Pack, it runs by default, so administrators who installed the Option Pack should assume the service is present unless they explicitly disabled it.
Does this vulnerability affect Windows 2000 systems?
No. Indexing Service in Windows 2000 does not contain the unchecked buffer, and is not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by ensuring that Index Server 2.0 properly checks the length of all search parameters before using them.
What's the scope of the second vulnerability?
The second vulnerability is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006. It could allow a malicious user to view - but not add, change or delete - files that reside on a web server.
The vulnerability only affects files that reside on the web server itself, and only those on the same logical drive as the server's web root directory. Files that reside on a different server at the same web site, such as those on a separate database server, would not be at risk from this vulnerability.
How is the new variant different than the original vulnerability?
The new variant is, for all practical purposes, exactly the same as the original one, except in the specific type of files it would enable an attacker to read. The new variant could enable "include" files to be read, even after applying the original patch.
What's an "include" file?
"include" files are ones whose contents are pulled into a script or program file when that file is processed. Typically they hold configuration parameters or commonly used code. They should never contain sensitive information such as passwords or database connection strings; if that recommendation has been followed, an attacker who could read them would gain nothing from them. Administrators should verify this rather than assume it, since include files on web servers are a common place for credentials to end up.
Does this vulnerability affect both Index Server 2.0 and Indexing Service?
Yes.
What does the patch do?
The patch extends the protection offered by the original patch, to also prevent the new variant from succeeding.
If I apply this patch, do I need to apply the original patch?
No. This patch completely supersedes the one provided in Microsoft Security Bulletin MS00-006.