[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability Report For Microsoft PhoneBook Server overflow

Title: Vulnerability Report For Microsoft PhoneBook Server overflow
Released by: CORE SDI
Date: 4th December 2000
Printable version: Click here
                                              CORE SDI


          Vulnerability Report For Microsoft PhoneBook Server overflow

Date Published: December 4th, 2000

Advisory ID: CORE-20001204

Bugtraq ID: 2048

CVE CAN: None currently assigned.

Title: Microsoft PhoneBook Server buffer overflow

Class: Boundary condition error

Remotely Exploitable: Yes

Locally Exploitable: Yes


Vulnerability Description:

 The Phone Book Service is an optional component that ships

 with the NT 4 Option Pack and Windows 2000.

 It is not installed by default.

 A buffer overflow vulnerability was discovered in the URL processing

 routines of the Phone Book Service requests on IIS 4 and IIS 5.

 If exploited, this vulnerability allows an attacker to execute arbitrary

 code and obtain a remote command shell with those privileges of the

 IUSR_machinename account (IIS 4) or the IWAM_machinename

 account (IIS 5).

Vulnerable Packages/Systems:

  Microsoft Windows NT 4.0

  Microsoft Windows NT 4.0 Enterprise Server Edition

  Microsoft Windows 2000 Server

  Microsoft Windows 2000 Advanced Server

Solution/Vendor Information/Workaround:

  Microsoft has released a fix that eliminates the vulnerability.

  It can be obtained from:

   Microsoft Windows NT 4.0:


  Microsoft Windows 2000:


  NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service

  Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The

  Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1.

  This fix will be included in Windows 2000 Service Pack 2.

   Note Additional security patches are available at the Microsoft

  Download Center.

  More Information

   Frequently Asked Questions: Microsoft Security Bulletin MS00-094,


   Microsoft Knowledge Base article Q276575 discusses this issue

   and will be available soon.

  Microsoft TechNet Security web site,


 Vendor notified on: September 27th, 2000


  This vulnerability was discovered by Alberto Solino of CORE SDI,

  Buenos Aires, Argentina.

  Other CORE SDI advisories can be obtained from:


  It was also discovered and reported independently at the same time

  by David Litchfield from @Stake Inc.

  We would like to thank the Microsoft Security Response Team for their

  quick acknowledge to the report and the prompt response and efforts

  generating a fix.

  This advisory was drafted with the help of the SecurityFocus.com

  Vulnerability Help Team. For more information or assistance drafting

  advisories please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:

 The Phone Book server services requests using the Internet Information

  Services 5.0 with URIs such as http://hostname/pbserver/

 According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported

 and  the services can be used making requests with the following format:



NOTE: The above URL might be wrapped

 In the DLL checks the total length to ensure that request does not exceed

1024 bytes, however it is possible to overflow a local variable of fixed


 in the DLL by sending a request with the following form:

 GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars)


The result is an exception reported in the Event log with source WAM like

 the following:

 The HTTP server encountered an unhandled exception while processing the

 ISAPI Application '

 + 0x41414143

 + 0x41414139

 pbserver!HttpExtensionProc + 0x1C

 wam!DllGetClassObject + 0x808

 RPCRT4!NdrServerInitialize + 0x4DB

 RPCRT4!NdrStubCall2 + 0x586

 RPCRT4!CStdStubBuffer_Invoke + 0xC1

 ole32!StgGetIFillLockBytesOnFile + 0x116EC

 ole32!StgGetIFillLockBytesOnFile + 0x12415

 ole32!DcomChannelSetHResult + 0xDF0

 ole32!DcomChannelSetHResult + 0xD35

 ole32!StgGetIFillLockBytesOnFile + 0x122AD

 ole32!StgGetIFillLockBytesOnFile + 0x1210A

 ole32!StgGetIFillLockBytesOnFile + 0x11E22

 RPCRT4!NdrServerInitialize + 0x745

 RPCRT4!NdrServerInitialize + 0x652

 RPCRT4!NdrServerInitialize + 0x578

 RPCRT4!RpcSmDestroyClientContext + 0x9E

 RPCRT4!NdrConformantArrayFree + 0x8A5

 RPCRT4!NdrConformantArrayFree + 0x3FC

 RPCRT4!RpcBindingSetOption + 0x395

 RPCRT4!RpcBindingSetOption + 0x18E

 RPCRT4!RpcBindingSetOption + 0x4F8

 KERNEL32!CreateFileA + 0x11B


  For additional information specific to this message please visit the

  Microsoft Online Support site located at:


 By sending a carefully crafted HTTP request an attacker can bypass the

 total length check and overflow a local variable in PBSERVER.DLL allowing

 the execution of arbitrary code with the privileges of the IUSR_machinename

 account (IIS 4) or the IWAM_machinename account (IIS 5)  on the vulnerable


Copyright notice

 The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may

 be distributed freely provided that no fee is charged for this distribution

 and proper credit is given.

$Id: PhonebookServer-advisory.txt,v 1.6 2000/12/05 00:56:47 iarce Exp $


"Understanding. A cerebral secretion that enables one having it to know

 a house from a horse by the roof on the house,

 Its nature and laws have been exhaustively expounded by Locke,

 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========

Iván Arce


PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

email   : iarce@core-sdi.com


Florida 141 2do cuerpo Piso 7

C1005AAG Buenos Aires, Argentina.

Tel/Fax : +(54-11) 4331-5402


--- For a personal reply use iarce@core-sdi.com

(C) 1999-2000 All rights reserved.