Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21
HistoryMar 31, 2000 - 12:00 a.m.

Security Bulletin (MS00-006)

2000-03-3100:00:00
vulners.com
43

Microsoft Security Bulletin (MS00-006)


Patch Available for "Malformed Hit-Highlighting Argument"
Vulnerability

Originally Posted: January 26, 2000
Revised March 31, 2000

Summary

On January 26, 2000 Microsoft released the original version of this
bulletin to announce the availability of a patch that eliminates two
security vulnerabilities in Microsoft(r) Index Server. The first
vulnerability could allow a malicious user to view – but not to
change, add or delete – files on a web server. The second
vulnerability could reveal where web directories are physically
located on the server.

On February 04, 2000, a new variant of the second vulnerability was
discovered, which was already eliminated by the patch. Microsoft
updated this bulletin in order to advise customers of it, but
customers who already applied the patch did not need to take any
action.

On February 11, 2000, Microsoft re-released the Windows 2000 version
of this patch to take advantage of improvements in the Hotfix
packaging tool. These improvements enable the hotfix tool to detect
the default language of the system, and also give users better
inventory control based on the Knowledge Base article and Service
Pack. Although the patch itself was not changed by this re-release,
Microsoft nevertheless recommended that Windows 2000 customers apply
the new version in order to ensure that the new tool was present on
their systems.

On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of
this patch, to address a recently-discovered variant of the
vulnerability. Only the Windows NT 4.0 patch was affected by the new
variant.

Frequently asked questions about this vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-006.asp

Issue

This patch eliminates two vulnerabilities whose only relationship is
that both occur in Index Server. The first is the "Malformed
Hit-Highlighting Argument" vulnerability. The ISAPI filter that
implements the hit-highlighting (also known as "WebHits")
functionality does not adequately constrain what files can be
requested. By providing a deliberately-malformed argument in a
request to hit-highlight a document, it is possible to escape the
virtual directory. This would allow any file residing on the server
itself, and on the same logical drive as the web root directory, to be
retrieved regardless of permissions. A new variant of this
vulnerability was announced on March 31, 2000. This variant could
allow the source of server-side files such as .ASP files to be read.
The new variant affects only Index Server 2.0, and Windows 2000
customers who applied the original patch were never at risk from it.

The second vulnerability involves the error message that is returned
when a user requests a non-existent Internet Data Query file. The
error message provides the physical path to the web directory that was
contained in the request. Although this vulnerability would not allow
a malicious user to alter or view any data, it could be a valuable
reconnaissance tool for mapping the file structure of a web server. A
new variant of this vulnerability was announced on February 04, 2000.
This variant could allow a malicious user to read files. The variant
was eliminated by the original patch, and customers who applied the
original version of the patch were never at risk from it.

Indexing Services in Windows 2000 is affected only by the "Malformed
Hit-Highlighting" vulnerability - it is not affected by the second
vulnerability. Also, it is important to note that, although Indexing
Services in Windows 2000 is installed by default, it is not started
unless the administrator has explicitly turned it on.

Affected Software Versions

  • Microsoft Index Server 2.0
  • Indexing Service in Windows 2000

Patch Availability

NOTE: The Download Center page incorrectly gives 26 January 2000 as
the date of the patch. We are working to correct this error, but have
verified that the patch that is on the Download Center is the most
recent version.

NOTE: Additional security patches are available at the Microsoft
Download Center.

More Information

Please see the following references for more information related to
this issue.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments

Microsoft thanks David Litchfield of Cerberus Information Security,
Ltd, (http://www.cerberus-infosec.co.uk) for reporting the "Malformed
Hit-Highlighting Argument" vulnerability to us and working with us to
protect customers.

Revisions

  • January 26, 2000: Bulletin Created.
  • February 04, 2000: Bulletin revised to provide additional detail
    about Indexing Services, and to discuss an additional variant of
    the "Malformed Hit-Highlighting Argument" vulnerability that is
    eliminated by the original patch.
  • February 11, 2000: Bulletin revised to reflect availability of
    patch for Windows 2000 with new version of Hotfix.exe
  • March 31, 2000: Bulletin revised to discuss new variant of
    "Malformed Hit-Highlighting Argument" vulnerability affecting
    Windows NT 4.0.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Last updated Friday, March 31, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.