Bugtraq mailing list archives
[CORE SDI ADVISORY] MS Windows NT4 and Windows 2000 PhoneBook Service overflow
From: Iván Arce <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 4 Dec 2000 21:59:46 -0300
CORE SDI http://www.core-sdi.com Vulnerability Report For Microsoft PhoneBook Server overflow Date Published: December 4th, 2000 Advisory ID: CORE-20001204 Bugtraq ID: 2048 CVE CAN: None currently assigned. Title: Microsoft PhoneBook Server buffer overflow Class: Boundary condition error Remotely Exploitable: Yes Locally Exploitable: Yes Release Mode: COORDINATED RELEASE Vulnerability Description: The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default. A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). Vulnerable Packages/Systems: Microsoft Windows NT 4.0 Microsoft Windows NT 4.0 Enterprise Server Edition Microsoft Windows 2000 Server Microsoft Windows 2000 Advanced Server Solution/Vendor Information/Workaround: Microsoft has released a fix that eliminates the vulnerability. It can be obtained from: Microsoft Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193 Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531 NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2. Note Additional security patches are available at the Microsoft Download Center. More Information Frequently Asked Questions: Microsoft Security Bulletin MS00-094, http://www.microsoft.com/technet/security/bulletin/fq00-094.asp Microsoft Knowledge Base article Q276575 discusses this issue and will be available soon. Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp Vendor notified on: September 27th, 2000 Credits: This vulnerability was discovered by Alberto Solino of CORE SDI, Buenos Aires, Argentina. Other CORE SDI advisories can be obtained from: http://www.core-sdi.com/publications.html It was also discovered and reported independently at the same time by David Litchfield from @Stake Inc. We would like to thank the Microsoft Security Response Team for their quick acknowledge to the report and the prompt response and efforts generating a fix. This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp () securityfocus com. Technical Description - Exploit/Concept Code: The Phone Book server services requests using the Internet Information Services 5.0 with URIs such as http://hostname/pbserver/ According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported and the services can be used making requests with the following format: http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pb ver=&pb=<STRING=db name> NOTE: The above URL might be wrapped In the DLL checks the total length to ensure that request does not exceed 1024 bytes, however it is possible to overflow a local variable of fixed length in the DLL by sending a request with the following form: GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n The result is an exception reported in the Event log with source WAM like the following: The HTTP server encountered an unhandled exception while processing the ISAPI Application ' + 0x41414143 + 0x41414139 pbserver!HttpExtensionProc + 0x1C wam!DllGetClassObject + 0x808 RPCRT4!NdrServerInitialize + 0x4DB RPCRT4!NdrStubCall2 + 0x586 RPCRT4!CStdStubBuffer_Invoke + 0xC1 ole32!StgGetIFillLockBytesOnFile + 0x116EC ole32!StgGetIFillLockBytesOnFile + 0x12415 ole32!DcomChannelSetHResult + 0xDF0 ole32!DcomChannelSetHResult + 0xD35 ole32!StgGetIFillLockBytesOnFile + 0x122AD ole32!StgGetIFillLockBytesOnFile + 0x1210A ole32!StgGetIFillLockBytesOnFile + 0x11E22 RPCRT4!NdrServerInitialize + 0x745 RPCRT4!NdrServerInitialize + 0x652 RPCRT4!NdrServerInitialize + 0x578 RPCRT4!RpcSmDestroyClientContext + 0x9E RPCRT4!NdrConformantArrayFree + 0x8A5 RPCRT4!NdrConformantArrayFree + 0x3FC RPCRT4!RpcBindingSetOption + 0x395 RPCRT4!RpcBindingSetOption + 0x18E RPCRT4!RpcBindingSetOption + 0x4F8 KERNEL32!CreateFileA + 0x11B '. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL allowing the execution of arbitrary code with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5) on the vulnerable systems. Copyright notice The contents of this advisory are copyright (c) 2000 CORE SDI Inc. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. $Id: PhonebookServer-advisory.txt,v 1.6 2000/12/05 00:56:47 iarce Exp $ --- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce ==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarce () core-sdi com http://www.core-sdi.com Florida 141 2do cuerpo Piso 7 C1005AAG Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 ===================================================================== --- For a personal reply use iarce () core-sdi com
Current thread:
- [CORE SDI ADVISORY] MS Windows NT4 and Windows 2000 PhoneBook Service overflow Iván Arce (Dec 06)