Signature Detail

HTTP: Microsoft Phone Book Service Buffer Overflow

This signature detects attempts to exploit a known vulnerability in the Microsoft Internet Information Services (IIS) Phone Book Service. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user. This is typically an IUSR or IWAM user with limited privileges.

Extended Description

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default. A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).

Affected Products

• Microsoft Windows 2000 Advanced Server SP1
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Server SP1
• Microsoft Windows 2000 Server
• Microsoft Windows NT 4.0
• Microsoft Windows NT Enterprise Server 4.0
• Microsoft Windows NT Enterprise Server 4.0 SP1
• Microsoft Windows NT Enterprise Server 4.0 SP2
• Microsoft Windows NT Enterprise Server 4.0 SP3
• Microsoft Windows NT Enterprise Server 4.0 SP4
• Microsoft Windows NT Enterprise Server 4.0 SP5
• Microsoft Windows NT Enterprise Server 4.0 SP6
• Microsoft Windows NT Enterprise Server 4.0 SP6a
• Microsoft Windows NT Server 4.0
• Microsoft Windows NT Server 4.0 SP1
• Microsoft Windows NT Server 4.0 SP2
• Microsoft Windows NT Server 4.0 SP3
• Microsoft Windows NT Server 4.0 SP4
• Microsoft Windows NT Server 4.0 SP5
• Microsoft Windows NT Server 4.0 SP6
• Microsoft Windows NT Server 4.0 SP6a

References

• BugTraq: 2048
• BugTraq: 2048
• CVE: CVE-2000-1089
• URL: http://www.stake.com/research/advisories/2000/a120400-1.txt
• URL: http://www.microsoft.com/technet/security/bulletin/MS00-094.asp