@stake Advisory: IIS 4.0/5.0 Phone Book server buffer overrun (A120400-1)

                           @stake, Inc.
                        www.atstake.com

                       Security Advisory

Advisory Name: IIS 4.0/5.0 Phone Book server buffer overrun
Release Date: 12/04/2000
Application: Microsoft's Phone Book Server on IIS 4.0, 5.0
Platform: Windows NT 4.0, Windows 2000
Severity: A buffer overflow conditions exists in
pbserver.dll that can allow the remote execution of
code or a denial of service.
Author: David Litchfield [[email protected]]
Vendor Status: Fixed version of software available
Full Text: www.atstake.com/research/advisories/2000/a120400-1.txt
CVE: CAN-2000-1089

Overview:

    The Phone Book Service was created by Microsoft to help provide

dial in services to the corporation and ISPs. As part of the functionality
of the service when users dial in their client software can be configured
to download phone book updates from a web server. The ISAPI application
that serves the update is pbserver.dll. This DLL contains a buffer overrun
vulnerability that can allow the execution of arbitrary code or at best
crash the Interner Information Server process, inetinfo.exe.

Detailed Description:

    The overflow occurs when the PB parameter of the query string is

overly long. By filling this parameter with uppercase 'A's the inetinfo
process crashes. A quick look at the code at this point shows:

cmp dword ptr[esi+4],ebp
jne 69A2196C
mov eax, dword ptr [esi]
push eax
mov ecx, dword ptr [eax]
call dword ptr[ecx+1Ch]

The ESI register has been filled with the user supplied AAAAs. By setting
ESI to somewhere in memory which can read avoids the crash, here, however
looking on down the code you see that if the esi is set to an address that
contains a pointer to the user supplied buffer then it will be called
eventually - in a round about way. Dpoing this then, the ESI is set to
0x5E9351E4 - this address has a pointer back to the user supplied buffer -
which floats around the 0x0027**** area. This 0x0027**** address is then
moved into the EAX register. If the value at address 0x0027**** is set to
0x5e93554c what happens is when what the EAX points to is moved into the
ECX and ECX+1Ch is called it lands a couple of bytes above the user
supplied buffer. There are a couple of bytes of mess to ride through, a
few fields of nulls and other bits and bobs here and there but the whole
code in the buffer is eventually executed.

As proof of concept the following code will spawn a shell, perform a
directory listing and pipe the output to a file called psrvorun.txt,
created in the winnt\system32 directory. You can test for the existance
of the overrun on NT 4.0 SP 6a using this program. It has only been
tested to work when the target system is SP 6a.

Proof of concept code:

http://www.atstake.com/research/advisories/2000/pbserver-poc.c

Vendor Response:

Microsoft has released a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/ms00-094.asp

Microsoft has release patches for this issue:
Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193

Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531

Solution:

If you do not need the Phone Book Service you should remove pbserver.dll.
Users of the Phone Book Service should download and install the patch
provided by Microsoft.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2000-1089

Additional Information:

This vulnerability was also discovered and reported independently by
CORE SDI.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.