OVAL for CVE-2001-0500 (for Win_2K)

OVAL for CVE-2001-0500 (for Win_2K)

Tiffany Bergeron
CVE-ID: CVE-2001-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0500

CVE Description: Buffer overflow in ISAPI extension (idq.dll) in Index
Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows
remote attackers to execute arbitrary commands via a long argument to
Internet Data Administration (.ida) and Internet Data Query (.idq)
files.

Microsoft Security Bulletin MS01-033
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
"Unchecked Buffer in Index Server ISAPI Extension Could Enable Web
Server Compromise"

This vulnerability involves a buffer overflow in idq.dll, an ISAPI
extension for Index Server in Windows NT 4.0 and Indexing Service in
Windows 2000. Idq.dll runs in the System context, so exploiting the
vulnerability gives an attacker complete control of the server. Although
this .dll is a component of Index Server and Indexing Service for
supporting .ida and .idq files, the .dll is installed whenever IIS is
installed, and is exposed anytime IIS is running. In addition, the
buffer overflow occurs before any indexing function is requested. So,
this vulnerability is present as long as IIS is present on a system,
even if indexing isn't available. However, if the script mappings for
.ida and .idq files are removed, the vulnerability cannot be exploited.
(Although these mappings may be restored through the addition of other
system components, the vulnerability is not present while they aren't
present.) Microsoft provided a patch for this vulnerability in MS01-033,
as well as more recent cumulative patches for IIS. Windows 2000 Security
Rollup Package 1 and Windows 2000 Service Pack 3 also resolve this
issue.

This is my suggestion for IIS 5.0 using the Windows 2000 schema:

OVAL-ID: OVAL197

CVE-ID: CVE-2001-0500
CVE Description: Buffer overflow in ISAPI extension (idq.dll) in Index
Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows
remote attackers to execute arbitrary commands via a long argument to
Internet Data Administration (.ida) and Internet Data Query (.idq)
files.

Status: DRAFT
Date Modified: 2003-01-09
Platform: Windows 2000

Query Synopsis:
-- Vulnerable software exists
   o IIS 5.0 installed
   o Affected idq.dll versions
   o Patch Q300972_W2K_SP3_x86_en.EXE not installed
   o Patch Q301625_W2K_SP3_x86_EN.exe not installed
   o Patch Q319733_W2K_SP3_X86_EN.exe not installed
   o Patch Q327696_W2K_SP4_X86_EN.exe not installed
   o Windows 2000 Security Rollup Package 1 (SRP1) not installed
   o Windows 2000 Service Pack 3 (or later) not installed
-- Vulnerable configuration
   o .idq script mapping present
   o .ida script mapping present

SELECT 'CVE-2001-0500' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- IIS 5.0 installed
 (SELECT 'IIS 5.0 Major Version' from Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MajorVersion' AND
      EntryValue = '5')
AND EXISTS
 (SELECT 'IIS 5.0 Minor Version' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp' AND
      EntryName = 'MinorVersion' AND
      EntryValue = '0')
AND EXISTS
-- Affected idq.dll versions
     -- Build the FilePath for idq.dll by retrieving the value of
     --   SystemRoot from the registry, and concatenating it with
     --   '\System32\idq.dll' (using || concat. operator):
 (SELECT 'File %windir%\System32\idq.dll version < 5.0.2195.3645' FROM
Win2K_FileAttributes WHERE
      FilePath = ((SELECT EntryValue FROM Win2K_RegistryKeys WHERE
          RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
          EntryName = 'SystemRoot') || '\System32\idq.dll') AND
     -- To avoid lexical (string) comparisons of file versions, the
     --   version string (e.g. '5.0.2195.3645') is broken into its
     --   components, stored as numbers.
          (Version1 < 5 OR
          (Version1 = 5 AND Version2 = 0 AND
          (Version3 < 2195 OR
          (Version3 = 2195 AND Version4 < 3645)))))
AND NOT EXISTS
-- Patch Q300972_W2K_SP3_x86_en.EXE installed
 (SELECT 'Patch Q300972 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q300972'
AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q301625_W2K_SP3_x86_EN.exe (cumulative patch from MS01-044) installed
 (SELECT 'Patch Q301625 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q301625'
AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q319733_W2K_SP3_X86_EN.exe (cumulative patch from MS02-018) installed
 (SELECT 'Patch Q319733 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733'
AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Patch Q327696_W2K_SP4_X86_EN.exe (cumulative patch from MS02-062) installed
 (SELECT 'Patch Q327696 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q327696'
AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Security Roll-up Package 1 installed
 (SELECT 'Windows 2000 Security Roll-up 1 Installed' FROM
Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\SP2SRP1' AND
      EntryName = 'Installed' AND
      EntryValue = '1')
AND NOT EXISTS
-- Windows 2000 Service Pack 3 (or later) installed
 (SELECT 'Windows 2000 SP3 Installed' FROM Win2K_RegistryKeys WHERE
      RegistryKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' AND
      EntryName = 'CSDVersion' AND
      EntryValue >= 'Service Pack 3')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
AND EXISTS
-- .idq script mapping
 (SELECT ' Enabled' FROM Win2K_MetabaseKeys WHERE
      MetabaseKey = 'LM\W3SVC' AND
      Id = '6014' AND
      Data LIKE '%.idq%')
AND EXISTS
-- .ida script mapping
 (SELECT ' Enabled' FROM Win2K_MetabaseKeys WHERE
      MetabaseKey = 'LM\W3SVC' AND
      Id = '6014' AND
      Data LIKE '%.ida%')
-- ### END VULNERABLE CONFIGURATION
;

-------------------------
INSERT IDs used:
INSERT18
INSERT22
INSERT23
INSERT65
INSERT80
INSERT82
INSERT120
INSERT135
INSERT175
------------------------
New INSERTIDS:

INSERT120
-- Q300972_W2K_SP3_x86_en.EXE
INSERT INTO Win2K_RegistryKeys_Conf (RegistryKey) VALUES
('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q300972')
;

INSERT175
-- idq.dll
INSERT INTO Win2K_FileAttributes_Conf (FilePath) VALUES
('%windir%\System32\idq.dll')
;
------------------------

Please provide comments and suggestions.

Thanks,
Tiffany

Microsoft Technical Lead, MITRE's OVAL Team
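Added example, not part of the post above and not OVAL project code: a Python model of the same OVAL197 decision ("vulnerable software exists" AND "vulnerable configuration") evaluated over a constructed host snapshot instead of the Win2K_* tables. It shows why the draft splits the idq.dll version into numeric components rather than comparing strings, and it parses the IIS ScriptMaps entries for an exact extension match instead of the LIKE '%.ida%' substring test. The snapshot layout, the helper names, the sample version numbers and the make_snapshot() builder are assumptions made for this example; the registry paths, the 5.0.2195.3645 threshold, the patch IDs and metabase property 6014 come from the post.

```python
import re

# Values taken from the OVAL197 draft.
FIXED_IDQ_VERSION = (5, 0, 2195, 3645)
PATCH_IDS = ("Q300972", "Q301625", "Q319733", "Q327696")
INETSTP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\INetStp"
CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
HOTFIX_BASE = CURRENT_VERSION + r"\Hotfix"


def parse_version(text):
    """Split '5.0.2195.3645' into a tuple of ints so the comparison is
    numeric: lexically '5.0.2195.10000' sorts below '5.0.2195.3645'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected file version format: %r" % text)
    return tuple(int(p) for p in parts)


def service_pack_level(csd_version):
    """CSDVersion ('Service Pack 3') as an int, 0 when absent or unparseable."""
    m = re.fullmatch(r"Service Pack (\d+)", (csd_version or "").strip())
    return int(m.group(1)) if m else 0


def mapped_extensions(script_maps):
    """Extensions from IIS ScriptMaps entries shaped '.ext,path,flags[,verbs]'."""
    exts = set()
    for entry in script_maps:
        ext = entry.split(",", 1)[0].strip().lower()
        if ext.startswith("."):
            exts.add(ext)
    return exts


def patch_installed(reg, patch_id):
    return reg.get(HOTFIX_BASE + "\\" + patch_id, {}).get("Installed") == "1"


def vulnerable_software_exists(snapshot):
    """Mirrors the BEGIN/END VULNERABLE SOFTWARE EXISTS block of the draft."""
    reg = snapshot["registry"]
    iis = reg.get(INETSTP, {})
    if not (iis.get("MajorVersion") == "5" and iis.get("MinorVersion") == "0"):
        return False
    if parse_version(snapshot["idq_dll_version"]) >= FIXED_IDQ_VERSION:
        return False
    if any(patch_installed(reg, p) for p in PATCH_IDS):
        return False
    if reg.get(CURRENT_VERSION + r"\HotFix\SP2SRP1", {}).get("Installed") == "1":
        return False
    if service_pack_level(reg.get(CURRENT_VERSION, {}).get("CSDVersion")) >= 3:
        return False
    return True


def vulnerable_configuration(snapshot):
    """Both .idq and .ida script mappings present under LM\\W3SVC (property 6014)."""
    exts = mapped_extensions(snapshot["metabase"].get(r"LM\W3SVC", {}).get(6014, []))
    return ".idq" in exts and ".ida" in exts


def is_vulnerable(snapshot):
    return vulnerable_software_exists(snapshot) and vulnerable_configuration(snapshot)


def make_snapshot(idq_version="5.0.2195.2704", csd="Service Pack 2",
                  patches=(), srp1=False, maps=(".ida", ".idq")):
    """Constructed sample host (assumed layout); defaults describe an unpatched IIS 5.0."""
    reg = {
        INETSTP: {"MajorVersion": "5", "MinorVersion": "0"},
        CURRENT_VERSION: {"SystemRoot": r"C:\WINNT", "CSDVersion": csd},
    }
    for p in patches:
        reg[HOTFIX_BASE + "\\" + p] = {"Installed": "1"}
    if srp1:
        reg[CURRENT_VERSION + r"\HotFix\SP2SRP1"] = {"Installed": "1"}
    script_maps = [ext + r",C:\WINNT\System32\idq.dll,7" for ext in maps]
    return {"registry": reg, "idq_dll_version": idq_version,
            "metabase": {r"LM\W3SVC": {6014: script_maps}}}


if __name__ == "__main__":
    cases = [("unpatched", make_snapshot()),
             ("Q300972 applied", make_snapshot(patches=("Q300972",))),
             ("mappings removed", make_snapshot(maps=())),
             ("SP3 installed", make_snapshot(csd="Service Pack 3"))]
    for label, snap in cases:
        print("%-18s vulnerable=%s" % (label, is_vulnerable(snap)))
```

The numeric version comparison matters for exactly the case the draft's comment warns about: a later build such as 5.0.2195.10000 compares below 5.0.2195.3645 as a string and would be reported as vulnerable. Likewise, an integer service-pack level sidesteps the `CSDVersion >= 'Service Pack 3'` string comparison, which only holds while the pack number stays a single digit.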