Michael Roberts wrote:
>
> What?  Is default.ida CodeRed?

From:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
--------
As part of its installation process, IIS installs several ISAPI
extensions -- .dlls that provide extended functionality. Among these is
idq.dll, which is a component of Index Server (known in Windows 2000 as
Indexing Service) and provides support for administrative scripts (.ida
files) and Internet Data Queries (.idq files).

A security vulnerability results because idq.dll contains an unchecked
buffer in a section of code that handles input URLs.

--------

The codered worm sends a query to /default.ida which activates idq.dll.
Further along it says:

---------
Q. If the attacker exploited the vulnerability to run code on the
server, what security context would it run in?

A. It would run with Local System privileges. The effect of exploiting
the vulnerability would effectively be to modify idq.dll while it was
running; because idq.dll runs as part of the operating system, so would
the attacker's code.

---------

And MS wants to be the security guy for all your personal info!

--Tom Jackson
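
Added example, not part of the original message or the Microsoft bulletin: a log check for requests that reach idq.dll, that is, any path ending in .ida or .idq as described above. It assumes Common Log Format access logs; the function names, the 200-character query threshold and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Extensions the bulletin says idq.dll serves
IDQ_EXTENSIONS = (".ida", ".idq")
# Assumed threshold: the bulletin gives no length, so treat this as tunable
LONG_QUERY = 200

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def find_idq_requests(lines):
    """Return one dict per request whose path maps to idq.dll."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed line, skip it
        host, when, method, target, status = m.groups()
        parts = urlsplit(target)
        # IIS paths are case-insensitive, so compare in lower case
        if not parts.path.lower().endswith(IDQ_EXTENSIONS):
            continue
        hits.append({
            "host": host, "time": when, "path": parts.path,
            "status": int(status),
            "query_len": len(parts.query),
            "oversized": len(parts.query) >= LONG_QUERY,
        })
    return hits

def summarize(hits):
    """Count hits per source host so repeat probers stand out."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts

# Constructed sample log lines (documentation addresses, filler query strings)
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Aug/2001:10:00:05 -0400] "GET /default.ida?' + "A" * 224 + ' HTTP/1.0" 404 205',
    '198.51.100.7 - - [01/Aug/2001:10:03:12 -0400] "GET /Default.IDA?' + "A" * 224 + ' HTTP/1.0" 404 205',
    '203.0.113.4 - - [01/Aug/2001:10:04:40 -0400] "GET /search/query.idq?q=test HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    found = find_idq_requests(SAMPLE)
    for h in found:
        print(h["host"], h["path"], h["status"], h["query_len"], h["oversized"])
    print(summarize(found))
```

A 200 status on an .ida or .idq request means the server actually handed the request to a handler, which on IIS is the case worth checking against the patch state of that host.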
