Atstake Security Advisory 00-12-04.1
Posted Dec 6, 2000
Authored by Atstake | Site atstake.com

Atstake Security Advisory A120400-1 - IIS 4.0/5.0 Phone Book server buffer overrun vulnerability. The Phone Book Service was created by Microsoft to help provide dial-in services to corporations and ISPs. As part of the functionality of the service, when users dial in, their client software can be configured to download phone book updates from a web server. The ISAPI application that serves the update is pbserver.dll. This DLL contains a buffer overrun vulnerability that can allow the execution of arbitrary code or, at the very least, crash the Internet Information Server process, inetinfo.exe.

SHA-256 | 7822463a0e0c98a33b81e6be0d33e5d289f446c0bcfff7a90e516e33823ba258


@stake, Inc.
www.atstake.com

Security Advisory


Advisory Name: IIS 4.0/5.0 Phone Book server buffer overrun
Release Date: 12/04/2000
Application: Microsoft's Phone Book Server on IIS 4.0, 5.0
Platform: Windows NT 4.0, Windows 2000
Severity: A buffer overflow condition exists in
pbserver.dll that can allow the remote execution of
code or a denial of service.
Author: David Litchfield [dlitchfield@atstake.com]
Vendor Status: Fixed version of software available
Full Text: www.atstake.com/research/advisories/2000/a120400-1.txt
CVE: CAN-2000-1089


Overview:

The Phone Book Service was created by Microsoft to help provide
dial-in services to corporations and ISPs. As part of the functionality
of the service, when users dial in, their client software can be configured
to download phone book updates from a web server. The ISAPI application
that serves the update is pbserver.dll. This DLL contains a buffer overrun
vulnerability that can allow the execution of arbitrary code or, at the
very least, crash the Internet Information Server process, inetinfo.exe.


Detailed Description:

The overflow occurs when the PB parameter of the query string is
overly long. Filling this parameter with uppercase 'A's crashes the
inetinfo process. A quick look at the code at this point shows:


cmp dword ptr[esi+4],ebp
jne 69A2196C
mov eax, dword ptr [esi]
push eax
mov ecx, dword ptr [eax]
call dword ptr[ecx+1Ch]


The ESI register has been filled with the user-supplied 'A's. Setting
ESI to an address that can be read avoids the crash at this point; however,
following the code further down, if ESI is set to an address that holds a
pointer to the user-supplied buffer, that buffer will eventually be called,
in a roundabout way. To do this, ESI is set to 0x5E9351E4; this address
holds a pointer back to the user-supplied buffer, which floats around the
0x0027**** area. This 0x0027**** address is then moved into the EAX
register. If the value at address 0x0027**** is set to 0x5e93554c, then
when the value EAX points to is moved into ECX and the function at
[ECX+1Ch] is called, execution lands a couple of bytes above the user-
supplied buffer. There are a few bytes of mess to ride through, a few
fields of nulls and other bits and bobs here and there, but the whole of
the code in the buffer is eventually executed.
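The following is an added example, not @stake's proof-of-concept or any code from pbserver.dll. It models the bug class the advisory describes: an ISAPI-style handler copies the PB query-string parameter into a fixed-size buffer without checking its length, next to the hardened form that refuses overlong values, plus a helper that builds the "PB filled with uppercase 'A's" probe the text uses to trigger the crash. The buffer size (64), the function names and the other parameter names in the sample query strings are assumptions for illustration; the real layout of pbserver.dll is not documented in the advisory.

```c
/* Added example (not the advisory's PoC). Models the bug class in
 * pbserver.dll: PB= copied into a fixed buffer with no length check.
 * PB_MAX and the handler names are assumptions, not the real DLL's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PB_MAX 64

/* Find the value of `name` in a query string such as "OSArch=0&PB=v1&LCID=1".
 * Stores the value length (up to the next '&' or end of string) in *len and
 * returns a pointer to the value, or NULL if the parameter is absent.
 * Matching requires '=' right after the name, so "PBVer=" does not match "PB". */
static const char *find_param(const char *qs, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern: the value is copied with no bound. A PB value longer
 * than PB_MAX-1 bytes overruns `pb` on the stack, which is the condition the
 * advisory describes (attacker bytes end up in saved registers such as ESI).
 * Shown only beside the fix; never pass untrusted input to it. */
int handle_pb_vulnerable(const char *qs)
{
    char pb[PB_MAX];
    size_t len;
    const char *v = find_param(qs, "PB", &len);
    if (!v) return -1;
    memcpy(pb, v, len);          /* len is never compared with sizeof pb */
    pb[len] = '\0';
    return (int)strlen(pb);
}

/* Hardened form: check the length before copying and refuse overlong
 * values outright rather than silently truncating them. */
int handle_pb_hardened(const char *qs)
{
    char pb[PB_MAX];
    size_t len;
    const char *v = find_param(qs, "PB", &len);
    if (!v) return -1;
    if (len >= sizeof pb) return -2;   /* would overrun: reject the request */
    memcpy(pb, v, len);
    pb[len] = '\0';
    return (int)strlen(pb);
}

/* Build the probe the advisory describes: "PB=" followed by n uppercase 'A's.
 * Caller frees the result. */
char *build_probe(size_t n)
{
    const char *prefix = "PB=";
    size_t plen = strlen(prefix);
    char *q = malloc(plen + n + 1);
    if (!q) return NULL;
    memcpy(q, prefix, plen);
    memset(q + plen, 'A', n);
    q[plen + n] = '\0';
    return q;
}

/* Run the hardened handler against an n-byte 'A' probe and return its verdict. */
int probe_hardened(size_t n)
{
    char *q = build_probe(n);
    int r = q ? handle_pb_hardened(q) : -3;
    free(q);
    return r;
}

int main(void)
{
    printf("hardened, 1024 x 'A': %d (expect -2, rejected)\n", probe_hardened(1024));
    printf("hardened, 10 x 'A':   %d (expect 10)\n", probe_hardened(10));
    printf("hardened, normal PB:  %d\n",
           handle_pb_hardened("OSArch=0&PB=v1&LCID=1033"));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the parsed length against the destination size before the copy; that check is what the patched DLL has to perform for every length-unchecked query parameter, not just PB.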


As proof of concept, the following code will spawn a shell, perform a
directory listing and pipe the output to a file called psrvorun.txt,
created in the winnt\system32 directory. You can test for the existence
of the overrun on NT 4.0 SP 6a using this program. It has only been
tested to work when the target system is running SP 6a.


Proof of concept code:

http://www.atstake.com/research/advisories/2000/pbserver-poc.c


Vendor Response:

Microsoft has released a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-094.asp

Microsoft has released patches for this issue:
Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193

Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531



Solution:

If you do not need the Phone Book Service you should remove pbserver.dll.
Users of the Phone Book Service should download and install the patch
provided by Microsoft.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2000-1089


Additional Information:

This vulnerability was also discovered and reported independently by
CORE SDI.


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
