Vulnerabilities > CVE-2001-0500 - Buffer Overflow vulnerability in Microsoft products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus
exploit available
metasploit

Summary

Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.

Vulnerable Configurations

Part Description Count
Application
Microsoft
3

Exploit-Db

  • descriptionMS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (2). CVE-2001-0500. Remote exploit for windows platform
    idEDB-ID:20931
    last seen2016-02-02
    modified2001-06-21
    published2001-06-21
    reporterhsj
    sourcehttps://www.exploit-db.com/download/20931/
    titleMicrosoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 2
  • descriptionMS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (4). CVE-2001-0500. Remote exploit for windows platform
    idEDB-ID:20933
    last seen2016-02-02
    modified2001-06-18
    published2001-06-18
    reporterblackangels
    sourcehttps://www.exploit-db.com/download/20933/
    titleMicrosoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 4
  • descriptionMicrosoft IIS 5.0 IDQ Path Overflow. CVE-2001-0500. Remote exploit for windows platform
    idEDB-ID:16472
    last seen2016-02-01
    modified2010-06-15
    published2010-06-15
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16472/
    titleMicrosoft IIS 5.0 IDQ Path Overflow
  • descriptionMS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (1). CVE-2001-0500. Dos exploit for windows platform
    idEDB-ID:20930
    last seen2016-02-02
    modified2001-06-18
    published2001-06-18
    reporterPs0
    sourcehttps://www.exploit-db.com/download/20930/
    titleMicrosoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 1
  • descriptionMS Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow (3). CVE-2001-0500. Remote exploit for windows platform
    idEDB-ID:20932
    last seen2016-02-02
    modified2001-06-18
    published2001-06-18
    reportermat
    sourcehttps://www.exploit-db.com/download/20932/
    titleMicrosoft Index Server 2.0 and Indexing Service for Win 2000 ISAPI Extension Buffer Overflow 3

Metasploit

descriptionThis module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server.
idMSF:EXPLOIT/WINDOWS/IIS/MS01_033_IDQ
last seen2020-05-22
modified2017-07-24
published2006-09-13
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms01_033_idq.rb
titleMS01-033 Microsoft IIS 5.0 IDQ Path Overflow

Nessus

NASL familyWeb Servers
NASL idIIS_ISAPI_OVERFLOW.NASL
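descriptionThere's a buffer overflow in the remote web server through the ISAPI filter. It is possible to overflow the remote web server and execute commands as user SYSTEM. Additionally, other vulnerabilities exist in the remote web server since it has not been patched.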
last seen2020-06-01
modified2020-06-02
plugin id10685
published2001-06-19
reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10685
titleMicrosoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)
code
#
# (C) Tenable Network Security, Inc.
#

# This script was written by Renaud Deraison <[email protected]>
# It was modified by H D Moore to not crash the server during the test
#
# Supersedes MS01-033


include("compat.inc");

# Plugin registration block: when `description` is set, the script only
# declares its metadata (identifiers, references, risk scoring, scheduling
# hints) and then leaves through exit(0) without sending any traffic.
if(description)
{
 script_id(10685);
 script_version ("1.51");
 # CVE-2001-0500 (the idq.dll overflow) is listed together with the other
 # IIS issues this plugin is mapped to.
 script_cve_id( "CVE-2001-0544", "CVE-2001-0545", "CVE-2001-0506", "CVE-2001-0507", "CVE-2001-0508", "CVE-2001-0500");
 script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);
 # Vendor references: both bulletins are recorded, along with the related
 # knowledge-base articles.
 script_xref(name:"MSFT", value:"MS01-033");
 script_xref(name:"MSFT", value:"MS01-044");
 script_xref(name:"MSKB", value:"294774");
 script_xref(name:"MSKB", value:"297860");
 script_xref(name:"MSKB", value:"298340");
 script_xref(name:"MSKB", value:"300972");
 script_xref(name:"MSKB", value:"301625");
 script_xref(name:"MSKB", value:"304867");
 script_xref(name:"MSKB", value:"305359");

 script_name(english:"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)");

 # Report text shown to the operator.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"There's a buffer overflow in the remote web server through
the ISAPI filter.
 
It is possible to overflow the remote web server and execute 
commands as user SYSTEM.

Additionally, other vulnerabilities exist in the remote web
server since it has not been patched." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033" );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044" );
 script_set_attribute(attribute:"solution", value:
"Apply the patches from the bulletins above." );
 # CVSS v2 base vector: network reachable, low complexity, no authentication,
 # complete impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 # CVSS v2 temporal vector: E:H (high exploitability), RL:OF (official fix),
 # RC:C (confirmed).
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Exploit-maturity flags; useful for prioritising remediation of any host
 # this plugin reports.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 # Timeline: the patch date precedes the plugin date by one day.
 script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/19");
 script_set_attribute(attribute:"patch_publication_date", value: "2001/06/18");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/05/06");
 script_cvs_date("Date: 2018/11/15 20:50:25");
# "remote" plugin type: the finding comes from a network probe, not from
# inspecting the installed patch level on the host.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
script_end_attributes();


 script_summary(english:"Tests for a remote buffer overflow in IIS");
 # ACT_ATTACK: the check below sends an over-long request to the target
 # rather than only reading a version string, so schedule it accordingly.
 script_category(ACT_ATTACK);
 script_family(english:"Web Servers");
 script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
 # Service discovery and HTTP fingerprinting plugins this check depends on.
 script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

# The attack starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

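# Active remote check for the idq.dll ISAPI extension overflow
# (CVE-2001-0500, MS01-033). One over-long query string is sent to an .ida
# resource; the host is reported when the reply contains the Windows
# access-violation status code.
port = get_http_port(default:80);

# Only probe servers whose banner identifies them as IIS.
# Fix: the original fetched the banner into one variable and then tested a
# different, never-assigned one, which presumably made every host look like
# a non-IIS server, so the plugin exited before probing (silent false
# negative).
# NOTE(review): a banner gate misses servers whose Server header is hidden or
# rewritten; confirm the patch level locally on hosts that matter.
banner = get_http_banner(port: port);
if (isnull(banner) || "IIS" >!< banner) exit(0);

# A 220-byte parameter name is used as the probe. Per the file header the
# test was adjusted so that it does not crash the server being assessed.
w = http_send_recv3(method: "GET", port: port,
  item: "/x.ida?"+crap(length:220, data:"x")+"=x");
if (isnull(w)) exit(1, "the web server did not answer");

# Join the three parts of the reply (presumably status line, headers and
# body) so the marker is found wherever the server put it.
r = strcat(w[0], w[1], '\r\n', w[2]);

# 0xc0000005 == "Access Violation"
# No marker means "not detected", not "patched": nothing is reported in that
# case.
if ("0xc0000005" >< r)
{
    security_hole(port);
}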

Oval

accepted2011-05-16T04:02:11.628-04:00
classvulnerability
contributors
  • nameTiffany Bergeron
    organizationThe MITRE Corporation
  • nameTiffany Bergeron
    organizationThe MITRE Corporation
  • nameGlenn Strickland
    organizationSecure Elements, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
  • nameSudhir Gandhe
    organizationTelos
  • nameShane Shaffer
    organizationG2, Inc.
descriptionBuffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.
familywindows
idoval:org.mitre.oval:def:197
statusaccepted
submitted2004-01-14T12:00:00.000-04:00
titleIIS ISAPI Extension Indexing Service Buffer Overflow (Code Red)
version70

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/82956/ms01_033_idq.rb.txt
idPACKETSTORM:82956
last seen2016-12-05
published2009-11-26
reporterMC
sourcehttps://packetstormsecurity.com/files/82956/Microsoft-IIS-5.0-IDQ-Path-Overflow.html
titleMicrosoft IIS 5.0 IDQ Path Overflow