CVE-2001-0500
published 2001-07-21

CVE-2001-0500: Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute…

Priority: P266, critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 96.73% (99.9th percentile)
Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.

Affected

2 ranges
Vendor     Product                      Version range  Fixed in
microsoft  index_server
microsoft  internet_information_server  <= 6.0

Detection & IOCs (extracted from sources)

filename: idq.dll
filename: default.ida
command: GET /<random>.idq?<overflow>=<payload> HTTP/1.0
command: GET /a.idq?<buf>=a HTTP/1.0\r\nShell: <shellcode>\r\n\r\n
other: 0x77e516de
other: 0x6e8f3e24
other: 0x6e8f8cc4
bytes:
\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0
  • Detect exploit attempts by monitoring HTTP GET requests to URIs containing '.idq?' or '.ida?' with abnormally long query strings (>232 bytes), characteristic of the CVE-2001-0500 buffer overflow.
  • Monitor for HTTP GET requests targeting 'default.ida' or any '.ida'/'.idq' file with a long argument, as these are the specific file types exploited by Code Red and related attacks.
  • Detect Code Red infection by looking for HTTP responses or web page content containing the defacement string 'Hacked by Chinese!' which is the worm's payload.
  • Monitor for unusual HTTP traffic spikes on port 80 with GET requests, indicative of Code Red's scanning and propagation behavior targeting vulnerable IIS servers.
  • The exploit payload bad characters are null byte, colon, ampersand, question mark, percent, hash, space, CR, LF, forward slash, plus, vertical tab, and backslash — use these to tune IDS signatures.
  • The exploit uses a 'Shell:' HTTP header to deliver the second-stage shellcode buffer; detect HTTP requests containing a non-standard 'Shell:' header as a high-fidelity indicator.
  • idq.dll is installed by default when IIS is installed, regardless of whether Index Server or Indexing Service is actively running, so the attack surface exists even if the indexing service is disabled.
  • The Metasploit module targets only Windows 2000 Pro English SP0 and SP1-SP2 with specific hardcoded return addresses; other platform variants require different return addresses.
  • All products running affected versions of IIS are vulnerable, not just those with Index Server or Indexing Service explicitly configured.
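
Two of the request checks listed above (a query string longer than 232 bytes on a .ida/.idq URI, and a non-standard 'Shell:' header) written as a filter over raw HTTP requests. This is an added example, not code from the sources this page summarizes; the function name, finding labels, host name and sample requests are constructed for illustration.

```python
import re

# Threshold from the detection note above: a query string longer than
# 232 bytes on a .ida/.idq request is treated as an overflow attempt.
MAX_QUERY_BYTES = 232
# IIS paths are case-insensitive, so match the extension that way too.
ISAPI_EXT = re.compile(rb"\.(ida|idq)$", re.IGNORECASE)


def inspect_request(raw: bytes) -> list:
    """Return the CVE-2001-0500 indicators present in one raw HTTP request."""
    findings = []
    # Only the request line and headers matter; stop at the blank line.
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return findings  # not a parseable request line
    path, _, query = parts[1].partition(b"?")
    if ISAPI_EXT.search(path) and len(query) > MAX_QUERY_BYTES:
        findings.append("long-ida-idq-query")
    for line in lines[1:]:
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"shell":
            findings.append("shell-header")
            break
    return findings


# Constructed sample requests (inert filler bytes, hypothetical host name).
FILLER = b"A" * 240
SAMPLES = {
    "benign page": b"GET /index.html?q=iis HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "short .ida query": b"GET /default.ida?x=1 HTTP/1.0\r\n\r\n",
    "long .ida query": b"GET /DEFAULT.ida?" + FILLER + b"=a HTTP/1.0\r\n\r\n",
    "long .idq + Shell": b"GET /a.idq?" + FILLER + b"=a HTTP/1.0\r\nShell: x\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:20} {inspect_request(request) or 'clean'}")
```

The length check is applied to the raw, undecoded query string, so it should sit where the request is seen before any URL normalization.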

CVSS provenance

nvd        v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck        10.0  CRITICAL