@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: IIS 4.0/5.0 Phone Book server buffer overrun
Release Date: 12/04/2000
Application: Microsoft's Phone Book Server on IIS 4.0, 5.0
Platform: Windows NT 4.0, Windows 2000
Severity: A buffer overflow condition exists in pbserver.dll that can allow the remote execution of code or a denial of service.
Author: David Litchfield [dlitchfield@atstake.com]
Vendor Status: Fixed version of software available
Full Text: www.atstake.com/research/advisories/2000/a120400-1.txt
CVE: CAN-2000-1089

Overview:

The Phone Book Service was created by Microsoft to help provide dial-in services to corporations and ISPs. As part of the functionality of the service, when users dial in, their client software can be configured to download phone book updates from a web server. The ISAPI application that serves the update is pbserver.dll. This DLL contains a buffer overrun vulnerability that can allow the execution of arbitrary code or, at best, crash the Internet Information Server process, inetinfo.exe.

Detailed Description:

The overflow occurs when the PB parameter of the query string is overly long. Filling this parameter with uppercase 'A's crashes the inetinfo process. A quick look at the code at this point shows:

    cmp  dword ptr [esi+4], ebp    ; ESI holds the user-supplied value at this point
    jne  69A2196C
    mov  eax, dword ptr [esi]      ; load a pointer from the memory ESI addresses
    push eax
    mov  ecx, dword ptr [eax]      ; load the function table that pointer refers to
    call dword ptr [ecx+1Ch]       ; indirect call through the table entry at offset 0x1C

The ESI register has been filled with the user-supplied AAAAs. Setting ESI to a readable address avoids the crash here; however, looking further down the code, if ESI is set to an address that contains a pointer to the user-supplied buffer, then that buffer will eventually be called, in a roundabout way. Doing this, ESI is set to 0x5E9351E4; this address holds a pointer back to the user-supplied buffer, which floats around the 0x0027**** area. This 0x0027**** address is then moved into the EAX register. If the value at address 0x0027**** is set to 0x5e93554c, then when the value EAX points to is moved into ECX and [ECX+1Ch] is called, execution lands a couple of bytes above the user-supplied buffer. There are a couple of bytes of mess to ride through, a few fields of nulls and other bits and bobs here and there, but the code in the buffer is eventually executed.

As a proof of concept, the code linked below spawns a shell, performs a directory listing and pipes the output to a file called psrvorun.txt, created in the winnt\system32 directory. You can test for the existence of the overrun on NT 4.0 SP 6a using this program. It has only been tested to work when the target system is SP 6a.

Proof of concept code:
http://www.atstake.com/research/advisories/2000/pbserver-poc.c

Vendor Response:

Microsoft has released a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-094.asp

Microsoft has released patches for this issue:

Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193

Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531

Solution:

If you do not need the Phone Book Service, you should remove pbserver.dll. Users of the Phone Book Service should download and install the patch provided by Microsoft.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2000-1089

Additional Information:

This vulnerability was also discovered and reported independently by CORE SDI.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
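Since the trigger is an overly long PB parameter in a request to pbserver.dll, exposure can be checked from IIS W3C extended web logs while the patch is rolled out. The script below is an added example, not part of the @stake advisory or Microsoft's own tooling: it parses W3C-format log records, finds requests whose URI stem is pbserver.dll, and flags any whose PB query parameter (matched case-insensitively) is longer than a threshold. The threshold of 256 bytes, the sample log lines and the parameter names other than PB are constructed assumptions; the advisory only says the parameter is "overly long", so tune the limit to the longest legitimate phone book name seen on your own server.

```python
from typing import Dict, Iterable, Iterator, List
from urllib.parse import parse_qs

# Assumed threshold: any PB value longer than this is treated as suspicious.
PB_MAX_LEN = 256

# Constructed IIS W3C extended log excerpt (not real traffic). The query
# parameter names other than PB are hypothetical.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-12-04 10:15:01 192.0.2.10 GET /pbserver/pbserver.dll PB=corp&pbver=1 200",
    "2000-12-04 10:15:07 192.0.2.77 GET /pbserver/pbserver.dll PB=" + "A" * 1200 + " 500",
    "2000-12-04 10:15:09 192.0.2.12 GET /default.htm - 200",
]


def iter_w3c_records(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no record
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, parts))


def pb_param_length(query: str) -> int:
    """Length of the longest PB value in a query string ('-' means no query)."""
    if query == "-":
        return 0
    params = parse_qs(query, keep_blank_values=True)  # also decodes %XX escapes
    longest = 0
    for name, values in params.items():
        if name.lower() == "pb":
            longest = max(longest, max(len(v) for v in values))
    return longest


def find_pbserver_overrun_attempts(lines: Iterable[str], max_len: int = PB_MAX_LEN) -> List[Dict[str, object]]:
    """Return the pbserver.dll requests whose PB parameter exceeds max_len."""
    hits: List[Dict[str, object]] = []
    for rec in iter_w3c_records(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith("/pbserver.dll"):
            continue
        length = pb_param_length(rec.get("cs-uri-query", "-"))
        if length > max_len:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "pb_len": length,
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_pbserver_overrun_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} PB length {hit['pb_len']} status {hit['status']}")
```

A status of 500 on a flagged line is consistent with the inetinfo crash described above, but a 200 does not clear the request: the advisory notes that a suitably constructed buffer avoids the crash entirely, so the parameter length, not the response code, is the signal to act on.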