||Home : Advisories : Vulnerability Report For Microsoft PhoneBook Server overflow|
||Vulnerability Report For Microsoft PhoneBook Server overflow
||4th December 2000
Vulnerability Report For Microsoft PhoneBook Server overflow
Date Published: December 4th, 2000
Advisory ID: CORE-20001204
Bugtraq ID: 2048
CVE CAN: None currently assigned.
Title: Microsoft PhoneBook Server buffer overflow
Class: Boundary condition error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: COORDINATED RELEASE
The Phone Book Service is an optional component that ships
with the NT 4 Option Pack and Windows 2000.
It is not installed by default.
A buffer overflow vulnerability was discovered in the URL processing
routines of the Phone Book Service requests on IIS 4 and IIS 5.
If exploited, this vulnerability allows an attacker to execute arbitrary
code and obtain a remote command shell with those privileges of the
IUSR_machinename account (IIS 4) or the IWAM_machinename
account (IIS 5).
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Enterprise Server Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft has released a fix that eliminates the vulnerability.
It can be obtained from:
Microsoft Windows NT 4.0:
Microsoft Windows 2000:
NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service
Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The
Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1.
This fix will be included in Windows 2000 Service Pack 2.
Note Additional security patches are available at the Microsoft
Frequently Asked Questions: Microsoft Security Bulletin MS00-094,
Microsoft Knowledge Base article Q276575 discusses this issue
and will be available soon.
Microsoft TechNet Security web site,
Vendor notified on: September 27th, 2000
This vulnerability was discovered by Alberto Solino of CORE SDI,
Buenos Aires, Argentina.
Other CORE SDI advisories can be obtained from:
It was also discovered and reported independently at the same time
by David Litchfield from @Stake Inc.
We would like to thank the Microsoft Security Response Team for their
quick acknowledge to the report and the prompt response and efforts
generating a fix.
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail firstname.lastname@example.org.
Technical Description - Exploit/Concept Code:
The Phone Book server services requests using the Internet Information
Services 5.0 with URIs such as http://hostname/pbserver/
According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported
and the services can be used making requests with the following format:
NOTE: The above URL might be wrapped
In the DLL checks the total length to ensure that request does not exceed
1024 bytes, however it is possible to overflow a local variable of fixed
in the DLL by sending a request with the following form:
GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars)
The result is an exception reported in the Event log with source WAM like
The HTTP server encountered an unhandled exception while processing the
ISAPI Application '
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B
For additional information specific to this message please visit the
Microsoft Online Support site located at:
By sending a carefully crafted HTTP request an attacker can bypass the
total length check and overflow a local variable in PBSERVER.DLL allowing
the execution of arbitrary code with the privileges of the IUSR_machinename
account (IIS 4) or the IWAM_machinename account (IIS 5) on the vulnerable
The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may
be distributed freely provided that no fee is charged for this distribution
and proper credit is given.
$Id: PhonebookServer-advisory.txt,v 1.6 2000/12/05 00:56:47 iarce Exp $
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
Its nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : email@example.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
--- For a personal reply use firstname.lastname@example.org