CVE-2001-0500
Published 2001-07-21
Priority P266 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 96.73% (99.9th percentile)
Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | index_server | — | — |
| microsoft | internet_information_server | <= 6.0 | — |
Detection & IOCs (extracted from sources)
bytes
\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0
- Detect exploit attempts by monitoring HTTP GET requests to URIs containing '.idq?' or '.ida?' with abnormally long query strings (>232 bytes), characteristic of the CVE-2001-0500 buffer overflow.
- Monitor for HTTP GET requests targeting 'default.ida' or any '.ida'/'.idq' file with a long argument, as these are the specific file types exploited by Code Red and related attacks.
- Detect Code Red infection by looking for HTTP responses or web page content containing the defacement string 'Hacked by Chinese!', which is the worm's payload.
- Monitor for unusual HTTP traffic spikes on port 80 with GET requests, indicative of Code Red's scanning and propagation behavior targeting vulnerable IIS servers.
- The exploit payload bad characters are null byte, colon, ampersand, question mark, percent, hash, space, CR, LF, forward slash, plus, vertical tab, and backslash; use these to tune IDS signatures.
- The exploit uses a 'Shell:' HTTP header to deliver the second-stage shellcode buffer; detect HTTP requests containing a non-standard 'Shell:' header as a high-fidelity indicator.
- idq.dll is installed by default when IIS is installed, regardless of whether Index Server or Indexing Service is actively running, so the attack surface exists even if the indexing service is disabled.
- The Metasploit module targets only Windows 2000 Pro English SP0 and SP1-SP2 with specific hardcoded return addresses; other platform variants require different return addresses.
- All products running affected versions of IIS are vulnerable, not just those with Index Server or Indexing Service explicitly configured.
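The request-side checks listed above (a long .ida/.idq query string and a non-standard 'Shell:' header) can be expressed as a small triage routine over raw HTTP requests. This is an added example, not code from any of the cited sources; the function and indicator names are hypothetical, and the sample requests are constructed with inert filler.

```python
# Added example: request-side triage for the .ida/.idq and 'Shell:' indicators.
QUERY_LIMIT = 232                 # bytes; threshold quoted in the notes above
ISAPI_EXTS = (b".ida", b".idq")   # extensions handled by idq.dll

# Constructed sample requests; the "A" runs are inert filler, not a payload.
SAMPLES = {
    "benign_query": b"GET /search.idq?CiRestriction=report HTTP/1.1\r\nHost: a.example\r\n\r\n",
    "boundary_232": b"GET /default.ida?" + b"A" * 232 + b" HTTP/1.0\r\n\r\n",
    "long_ida": b"GET /DEFAULT.IDA?" + b"A" * 240 + b"=x HTTP/1.0\r\nHost: a.example\r\n\r\n",
    "shell_header": b"GET /index.html HTTP/1.1\r\nHost: a.example\r\nshell: AAAA\r\n\r\n",
}

def parse_request(raw: bytes):
    """Split a raw request into (method, target, headers); None if unparsable."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def indicators(raw: bytes) -> list:
    """Return the names of the indicators a single request matches."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed_request_line"]
    method, target, headers = parsed
    hits = []
    path, sep, query = target.partition(b"?")
    # IIS paths are case-insensitive, so compare the extension in lower case.
    if method == b"GET" and sep and path.lower().endswith(ISAPI_EXTS):
        if len(query) > QUERY_LIMIT:
            hits.append("long_ida_idq_query")
    if b"shell" in headers:
        hits.append("shell_header")
    return hits

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {indicators(raw)}")
```

Working on bytes rather than decoded text keeps the length check accurate when the query string carries non-UTF-8 data.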
CVSS provenance
- nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 10.0 CRITICAL
GHSA
GHSA-gcxg-pq25-8wh2: Buffer overflow in ISAPI extension (idq
ghsa_unreviewed·2022-04-30
CVE-2001-0500 [HIGH] GHSA-gcxg-pq25-8wh2: Buffer overflow in ISAPI extension (idq
VulnCheck
Microsoft index_server Out-of-bounds Write
vulncheck·2001·CVSS 10.0
CVE-2001-0500 [CRITICAL] Microsoft index_server Out-of-bounds Write
Affected: Microsoft index_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.kaspersky.com/about/press-releases/a-new-generation-of--fileless-network-worm-has-unleashed-global-chaos; https://www.cnn.com/2001/TECH/internet/09/04/fbi.ignore.idg/index.html; https://viz.greynoise.io
No detection rules found.
Exploit-DB
Microsoft IIS 5.0 - IDQ Path Overflow (MS01-033) (Metasploit)
exploitdb·2010-06-15
---
##
# $Id: ms01_033_idq.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft IIS 5.0 IDQ Path Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the IDQ ISAPI handler for
Microsoft Index Server.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9525 $',
'References' =>
[
[ 'CVE', '2001-0500'],
[ 'OSVDB', '568'],
[ 'MSB', 'MS01-033'],
[ 'BID', '2880'],
],
'DefaultOptions' =>
{
'EXIT
Exploit-DB
Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (2)
exploitdb·2001-06-21
---
/*
source: https://www.securityfocus.com/bid/2880/info
Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.
Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.
Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products
Exploit-DB
Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (4)
exploitdb·2001-06-18
Exploit-DB
Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (PoC)
exploitdb·2001-06-18
Exploit-DB
Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (3)
exploitdb·2001-06-18
Metasploit
MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
metasploit
This module exploits a stack buffer overflow in the IDQ ISAPI handler for Microsoft Index Server.
Greynoiseio
NoiseLetter August 2025
blogs_greynoiseio
Huntress
Code Red Malware: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 10.0
[CRITICAL] Code Red Malware: Analysis, Detection, Removal | Huntress
## Code Red Malware: Full Overview
Published: 1/20/2026
Written by: Lizzie Danielson
Learn what Code Red malware is, how it spreads, and how to detect and remove it before it impacts your systems.
## What is Code Red malware?
The Code Red malware is a self-propagating worm designed to exploit software vulnerabilities, particularly targeting Microsoft IIS servers. Also referred to simply as "Code Red," it gained notoriety for its ability to spread rapidly and disrupt web services. Its primary purposes were defacing websites, with a specific payload that displayed "Hacked by Chinese!" on affected websites, and initiating DoS attacks. The threat level of Code Red was considered high due to its rapid spread and system-wide impact.
## When was Code Red first discovered?
Code Red was first
arXiv
Encoding a Taxonomy of Web Attacks with Different-Length Vectors
arxiv_fulltext·2002-10-29
## Abstract
Web attacks, i.e. attacks exclusively using the HTTP protocol, are
rapidly becoming one of the fundamental threats for information
systems connected to the Internet. When the attacks suffered by
web servers through the years are analyzed, it is observed that
most of them are very similar, using a reduced number of attacking
techniques. It is generally agreed that classification can help
designers and programmers to better understand attacks and build
more secure applications. As an effort in this direction, a new
taxonomy of web attacks is proposed in this paper, with the
objective of obtaining a practically useful reference framework
for security applications. The use of the taxonomy is illustrated
by means of multiplatform real world web attack examples. Along
with this taxo
Bugzilla
CVE-2005-2933 imap buffer overflow
bugzilla·2006-03-05·CVSS 7.5
CVE-2005-2933 [HIGH] CVE-2005-2933 imap buffer overflow
Remote exploitation of a buffer overflow vulnerability in the University
of Washington's IMAP Server (UW-IMAP) allows attackers to execute
arbitrary code. (quote from iDefense advisory, see
http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=313)
All versions of imap < imap-2004g are affected. This includes RHL 7.3, RHL 9,
and probably most FC versions.
RH used the following patch to fix the issue in RHEL 2.1:
--snip--
Fix for CAN-2005-2933, from iDefense's advisory.
diff -uNr imap-2001a/src/c-client/mail.c imap-2004g/src/c-client/mail.c
--- imap-2001a/src/c-client/mail.c 2001-11-13 14:29:07.000000000 -0500
+++ imap-2004g/src/c-client/mail.c 2005-09-15 12:57:07.000000000 -0400
@@ -587,8 +587,10 @@
if (c == '=') { /
- http://www.cert.org/advisories/CA-2001-13.html
- http://www.ciac.org/ciac/bulletins/l-098.shtml
- http://www.iss.net/security_center/static/6705.php
- http://www.securityfocus.com/archive/1/191873
- http://www.securityfocus.com/bid/2880
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-033
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A197