Microsoft Security Bulletin MS00-094 - Critical

Patch Available for 'Phone Book Service Buffer Overflow' Vulnerability

Published: December 04, 2000

Version: 1.0

Originally posted: December 04, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft® Windows NT® 4.0 and Windows® 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service.

Affected Software:

  • Microsoft Windows NT 4.0 Server

  • Microsoft Windows NT 4.0 Server, Enterprise Edition

  • Microsoft Windows 2000 Server

  • Microsoft Windows 2000 Advanced Server

    NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers.

Vulnerability Identifier: CVE-2000-1089

General Information

Technical details

Technical description:

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers.

Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.

Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it.

Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-094 announces the availability of a patch that eliminates a vulnerability in an optional service that ships as part of Microsoft® Windows NT® 4 and Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable a malicious user to cause code of his choice to execute on a web server running a particular optional service. This would potentially enable a malicious user to execute any code that a user logged into the server interactively could run. This would give him the ability to install and run code, add, change or delete files or web pages, or take other actions. This vulnerability relies upon the existence of the Phone Book Service on the web server. Users who have not specifically installed Phone Book Services on their web server are not at risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because the Phone Book Service has an unchecked buffer in a portion of the code that processes requests for phone book updates. If provided with a particular type of malformed request, it would be possible to overrun the buffer.

What is Phone Book Service?
The Phone Book Service enables remote users to get an up-to-date listing of dial-in phone numbers. To understand how it would be used, let's consider a typical scenario. Suppose BigCorp needs to allow its employees to dial into the network when they're working from home or traveling. The IT department would probably set up either a RAS (Remote Access Service) or a PPTP (Point-to-Point Tunneling Protocol) server for them to dial into. However, the employees would need a way to find the right dial-in numbers and to set up the connection to the network. The IT department might deploy Connection Manager to make this easy. Connection Manager is an application that enables users to select a dial-in number from a pre-programmed list and make a dial-up connection easily. The problem is how to keep Connection Manager's list of phone numbers current. That's where the Phone Book Service comes in. The Phone Book Service runs on an IIS server, and provides information about dial-up numbers. Usually, it's called behind the scenes by Connection Manager during each dial-in connection; however, it also can be called directly by a user, using a normal HTTP request.

What's wrong with Phone Book Server?
The Phone Book Service has an unchecked buffer in a part of the code that handles requests. If a malicious user sent a specially-malformed HTTP request for a phone book update , it could either cause the Phone Book Service to crash, or cause code of her choice to be executed on the server.

What would this enable the malicious user to do?
By sending a malformed HTTP request to an affected server, a malicious user could cause either of two effects:

  • If she overran the buffer with random data, she could cause the Phone Book Service on the affected machine to fail.
  • If she overran the buffer with specially-chosen data, it would be possible to cause code of her choice to run on the server.

If this vulnerability were used to make the Phone Book Service fail, what would be required to put it back into service?
The operator would need to restart the service. It would not be necessary to reboot the server.

If the vulnerability were exploited to cause code to run, what could the code do?
It would depend on exactly how the IIS server was configured. By default, Phone Book Server runs on IIS 4.0 in the security context of the IUSR_machinename account; on IIS 5.0, it runs by default in the context of the IWAM_machinename account.

What would this allow the code to do?
Neither IUSR_machinename nor IWAM_machinename are highly-privileged accounts. In fact, they're the accounts under which anonymous connections to a web server are made. Gaining the ability to run code under these accounts would not give the malicious user administrative control over the server. However, both accounts are members of the Everyone group, and this would enable them to add, change or delete data on the system, run any programs that are already on the machine, or upload new software to it and run them.

Are affected machines usually connected to the Internet?
The Phone Book Service must be installed on an IIS server. This IIS server may be accessible via the Internet, however, best practices suggest that the Phone Book Service be installed on an IIS server that is only reachable via the RAS or PPTP server to which the remote user is connecting.

Is Phone Book Server installed by default?
No. It must be installed by the administrator. On IIS 4.0 systems, it's can be loaded as part of the Internet Connection Services for Microsoft RAS that ships with the NT 4 Option Pack. On IIS 5.0 systems, it can be loaded as part of the Optional Networking Components, via the Add/Remove Programs applet. The important point to remember is that, although Phone Book Server only runs on IIS servers, it only does so if it's specifically been installed. If Phone Book Server has not been installed on a machine, it isn't vulnerable to this issue.

Who should use the patch?
Microsoft recommends that users who have installed the Phone Book Service on their IIS servers consider installing the patch.

What does the patch do?
Microsoft recommends that users who have installed the Phone Book Service on their IIS servers consider installing the patch.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
Knowledge Base article Q276575 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Servicescan provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article Q276575,

    https:

Other information:

Acknowledgments

Microsoft thanks  CORE-SDI (www.core-sdi.com) and @Stake (www.stake.com) for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • December 04, 2000: Bulletin Created.

Built at 2014-04-18T13:49:36Z-07:00 </https:>