Atstake Security Advisory 00-12-04.1
Posted Dec 6, 2000
Authored by Atstake | Site atstake.com

Atstake Security Advisory A120400-1 - IIS 4.0/5.0 Phone Book server buffer overrun vulnerability. The Phone Book Service was created by Microsoft to help provide dial-in services to corporations and ISPs. As part of the functionality of the service, when users dial in, their client software can be configured to download phone book updates from a web server. The ISAPI application that serves the update is pbserver.dll. This DLL contains a buffer overrun vulnerability that can allow the execution of arbitrary code or, at the least, crash the Internet Information Server process, inetinfo.exe.

tags | web, overflow, arbitrary
SHA-256 | 7822463a0e0c98a33b81e6be0d33e5d289f446c0bcfff7a90e516e33823ba258


@stake, Inc.
www.atstake.com

Security Advisory


Advisory Name: IIS 4.0/5.0 Phone Book server buffer overrun
Release Date: 12/04/2000
Application: Microsoft's Phone Book Server on IIS 4.0, 5.0
Platform: Windows NT 4.0, Windows 2000
Severity: A buffer overflow condition exists in
pbserver.dll that can allow the remote execution of
code or a denial of service.
Author: David Litchfield [dlitchfield@atstake.com]
Vendor Status: Fixed version of software available
Full Text: www.atstake.com/research/advisories/2000/a120400-1.txt
CVE: CAN-2000-1089


Overview:

The Phone Book Service was created by Microsoft to help provide
dial-in services to corporations and ISPs. As part of the functionality
of the service, when users dial in, their client software can be configured
to download phone book updates from a web server. The ISAPI application
that serves the update is pbserver.dll. This DLL contains a buffer overrun
vulnerability that can allow the execution of arbitrary code or, at the
least, crash the Internet Information Server process, inetinfo.exe.


Detailed Description:

The overflow occurs when the PB parameter of the query string is
overly long. By filling this parameter with uppercase 'A's the inetinfo
process crashes. A quick look at the code at this point shows:


cmp dword ptr [esi+4], ebp     ; ESI holds the attacker-controlled bytes; the first read through it faults
jne 69A2196C                   ; branch if the dword at ESI+4 differs from EBP
mov eax, dword ptr [esi]       ; EAX = dword at [ESI], i.e. a pointer read from attacker-chosen memory
push eax                       ; EAX is passed as an argument to the call below
mov ecx, dword ptr [eax]       ; ECX = dword at [EAX], a table of function pointers
call dword ptr [ecx+1Ch]       ; call the function pointer at offset 0x1C in that table


The ESI register has been filled with the user-supplied 'A's. Setting
ESI to an address in memory that can be read avoids the crash here; however,
looking further down the code, if ESI is set to an address that contains a
pointer to the user-supplied buffer, then that buffer will eventually be
called, in a roundabout way. Doing this, ESI is set to 0x5E9351E4; this
address holds a pointer back to the user-supplied buffer, which floats
around the 0x0027**** area. This 0x0027**** address is then moved into the
EAX register. If the value at address 0x0027**** is set to 0x5e93554c, then
when the value EAX points to is moved into ECX and [ECX+1Ch] is called,
execution lands a couple of bytes above the user-supplied buffer. There are
a couple of bytes of mess to ride through, a few fields of nulls and other
bits and bobs here and there, but the whole code in the buffer is
eventually executed.
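The trigger condition above (an overly long PB parameter in a request to pbserver.dll) leaves a trace in IIS W3C extended logs. The following added example, which is not @stake or Microsoft code, parses such a log and flags pbserver.dll requests whose PB value exceeds a threshold; the 256-byte limit, the log lines and the IP addresses are constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed threshold: legitimate phone-book names are short, so a PB value far longer than this is suspect.
PB_MAX_LEN = 256

# Constructed sample IIS W3C extended log (not from a real server): two ordinary requests, one with PB flooded with 'A's.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2000-12-04 10:01:02 192.0.2.10 GET /pbserver/pbserver.dll "
    "osarch=1&ostype=2&lcid=1033&pb=corp&pbver=5&cmver=7 200\n"
    "2000-12-04 10:01:07 192.0.2.11 GET /default.htm - 200\n"
    "2000-12-04 10:01:09 198.51.100.7 GET /pbserver/pbserver.dll "
    "osarch=1&ostype=2&pb=" + "A" * 512 + " 500\n"
)

def parse_w3c(text):
    """Yield one dict per entry, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows rather than misalign columns
                yield dict(zip(fields, values))

def pb_length(query):
    """Decoded length of the longest PB value in a query string; 0 if absent ('-')."""
    if query == "-":
        return 0
    params = parse_qs(query, keep_blank_values=True)
    # Parameter names are matched case-insensitively ('pb', 'PB', 'Pb').
    values = [v for k, vs in params.items() if k.lower() == "pb" for v in vs]
    return max((len(v) for v in values), default=0)

def find_suspicious(text, max_len=PB_MAX_LEN):
    """Return (client IP, status, PB length) for pbserver.dll requests over the threshold."""
    hits = []
    for entry in parse_w3c(text):
        if entry["cs-uri-stem"].lower().endswith("/pbserver.dll"):
            n = pb_length(entry["cs-uri-query"])
            if n > max_len:
                hits.append((entry["c-ip"], entry["sc-status"], n))
    return hits

if __name__ == "__main__":
    for ip, status, n in find_suspicious(SAMPLE_LOG):
        print(f"{ip} sent a {n}-byte PB value to pbserver.dll (status {status})")
```

A 500 status paired with an oversized PB value is the pattern to look for, since the advisory describes the overrun crashing inetinfo.exe.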


As proof of concept, the following code will spawn a shell, perform a
directory listing and pipe the output to a file called psrvorun.txt,
created in the winnt\system32 directory. You can test for the existence
of the overrun on NT 4.0 SP 6a using this program. It has only been
tested to work when the target system is SP 6a.


Proof of concept code:

http://www.atstake.com/research/advisories/2000/pbserver-poc.c


Vendor Response:

Microsoft has released a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-094.asp

Microsoft has released patches for this issue:
Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193

Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531



Solution:

If you do not need the Phone Book Service you should remove pbserver.dll.
Users of the Phone Book Service should download and install the patch
provided by Microsoft.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name to this issue. It is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2000-1089


Additional Information:

This vulnerability was also discovered and reported independently by
CORE SDI.


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
