Vulnerability found in Microsoft PhoneBook Server (Patch available)
5 Dec. 2000
Summary
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.
A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).
Credit:
The information has been provided by Alberto Solino of CORE SDI, Iván Arce and David Litchfield from @stake Inc.
Vulnerable Packages/Systems:
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Enterprise Server Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Solution:
Microsoft has released a fix that eliminates the vulnerability. It can be obtained from:
NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2.
Technical details:
The Phone Book server services requests using the Internet Information Services 5.0 with URIs such as http://hostname/pbserver/
According to Microsoft's documentation, the service is exposed through an exported DLL (PBSERVER.DLL) and is used by making requests with the following format:
The DLL checks the total length of the request to ensure that it does not exceed 1024 bytes; however, it is still possible to overflow a fixed-length local variable in the DLL by sending a request of the following form:
GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (Less than 980 chars)
HTTP/1.0\n\n
The result is an exception reported in the Event log with source WAM like the following:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B
'.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL allowing the execution of arbitrary code with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5) on the vulnerable systems.
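The defect described above is a length check applied to the wrong object: the whole request is capped at 1024 bytes, but the pb= value is copied into a smaller fixed-size local. The following is an added illustration of that bug class and its fix, not code from PBSERVER.DLL; the 1024-byte cap is taken from the advisory, while the 64-byte local buffer and the field layout are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_REQUEST_LEN 1024   /* total-length cap the advisory says the DLL enforces */
#define PB_NAME_MAX     64     /* assumed size of the fixed local that receives the pb= value */

enum pb_status { PB_OK = 0, PB_TOO_LONG_TOTAL = -1, PB_NOT_FOUND = -2, PB_TOO_LONG_VALUE = -3 };

/* Copy the pb= value out of a query string into out[out_len].
 * The total-length test alone would still let a ~900-byte value reach a 64-byte
 * local; the per-field test against out_len is what actually prevents the overflow. */
static int extract_pb(const char *query, char *out, size_t out_len)
{
    if (strlen(query) > MAX_REQUEST_LEN)
        return PB_TOO_LONG_TOTAL;
    const char *p = query;
    while (*p) {
        while (*p == '&') p++;                 /* tolerate runs of separators such as "&&&&&&" */
        const char *end = strchr(p, '&');
        size_t field_len = end ? (size_t)(end - p) : strlen(p);
        if (field_len >= 3 && strncmp(p, "pb=", 3) == 0) {
            size_t val_len = field_len - 3;
            if (val_len >= out_len)            /* no room for value plus NUL: refuse, do not truncate silently */
                return PB_TOO_LONG_VALUE;
            memcpy(out, p + 3, val_len);
            out[val_len] = '\0';
            return PB_OK;
        }
        if (!end) break;
        p = end;
    }
    return PB_NOT_FOUND;
}

/* Run a query through the bounded extractor using a local of the assumed size. */
static int check_request(const char *query)
{
    char name[PB_NAME_MAX];
    return extract_pb(query, name, sizeof name);
}

/* Build the advisory's malformed shape ("&&&&&&pb=AAAA...") with n_a A's; constructed input. */
static int check_long_pb(size_t n_a)
{
    char buf[MAX_REQUEST_LEN + 256];
    const char prefix[] = "&&&&&&pb=";
    if (n_a > sizeof buf - sizeof prefix) n_a = sizeof buf - sizeof prefix;
    memcpy(buf, prefix, sizeof prefix - 1);
    memset(buf + sizeof prefix - 1, 'A', n_a);
    buf[sizeof prefix - 1 + n_a] = '\0';
    return check_request(buf);
}
```

A 900-byte value passes the 1024-byte total check yet is rejected by the per-field bound, which is exactly the case the advisory's sub-980-character request exercises.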
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable a malicious user to cause code of his choice to execute on a web server running a particular optional service. This would potentially enable a malicious user to execute any code that a user logged into the server interactively could run. This would give him the ability to install and run code, add, change or delete files or web pages, or take other actions.
This vulnerability relies upon the existence of the Phone Book Service on the web server. Users who have not specifically installed Phone Book Services on their web server are not at risk from this vulnerability.
What causes the vulnerability?
The vulnerability results because the Phone Book Service has an unchecked buffer in a portion of the code that processes requests for phone book updates. If provided with a particular type of malformed request, it would be possible to overrun the buffer.
What is Phone Book Service?
The Phone Book Service enables remote users to get an up-to-date listing of dial-in phone numbers. To understand how it would be used, let's consider a typical scenario.
Suppose BigCorp needs to allow its employees to dial into the network when they're working from home or traveling. The IT department would probably set up either a RAS (Remote Access Service) or a PPTP (Point-to-Point Tunneling Protocol) server for them to dial into. However, the employees would need a way to find the right dial-in numbers and to set up the connection to the network. The IT department might deploy Connection Manager to make this easy. Connection Manager is an application that enables users to select a dial-in number from a pre-programmed list and make a dial-up connection easily.
The problem is how to keep Connection Manager's list of phone numbers current. That's where the Phone Book Service comes in. The Phone Book Service runs on an IIS server, and provides information about dial-up numbers. Usually, Connection Manager calls it behind the scenes during each dial-in connection; however, it also can be called directly by a user, using a normal HTTP request.
What's wrong with Phone Book Server?
The Phone Book Service has an unchecked buffer in a part of the code that handles requests. If a malicious user sent a specially malformed HTTP request for a phone book update, it could either cause the Phone Book Service to crash, or cause code of her choice to be executed on the server.
What would this enable the malicious user to do?
By sending a malformed HTTP request to an affected server, a malicious user could cause either of two effects:
* If she overran the buffer with random data, she could cause the Phone Book Service on the affected machine to fail.
* If she overran the buffer with specially chosen data, it would be possible to cause code of her choice to run on the server.
If this vulnerability were used to make the Phone Book Service fail, what would be required to put it back into service?
The operator would need to restart the service. It would not be necessary to reboot the server.
If the vulnerability were exploited to cause code to run, what could the code do?
It would depend on exactly how the IIS server was configured. By default, Phone Book Server runs on IIS 4.0 in the security context of the IUSR_machinename account; on IIS 5.0, it runs by default in the context of the IWAM_machinename account.
What would this allow the code to do?
Neither IUSR_machinename nor IWAM_machinename are highly privileged accounts. In fact, they're the accounts under which anonymous connections to a web server are made. Gaining the ability to run code under these accounts would not give the malicious user administrative control over the server. However, both accounts are members of the Everyone group, and this would enable them to add, change or delete data on the system, run any programs that are already on the machine, or upload new software to it and run them.
Are affected machines usually connected to the Internet?
The Phone Book Service must be installed on an IIS server. This IIS server may be accessible via the Internet, however, best practices suggest that the Phone Book Service be installed on an IIS server that is only reachable via the RAS or PPTP server to which the remote user is connecting.
Is Phone Book Server installed by default?
No. It must be installed by the administrator. On IIS 4.0 systems, it can be loaded as part of the Internet Connection Services for Microsoft RAS that ships with the NT 4 Option Pack. On IIS 5.0 systems, it can be loaded as part of the Optional Networking Components, via the Add/Remove Programs applet. The important point to remember is that, although Phone Book Server only runs on IIS servers, it only does so if it has specifically been installed. If Phone Book Server has not been installed on a machine, it isn't vulnerable to this issue.
Who should use the patch?
Microsoft recommends that users who have installed the Phone Book Service on their IIS servers consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability, as noted in the Solution section above.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article Q276575 contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article Q276575 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.