Bugtraq mailing list archives
Microsoft Security Bulletin (MS00-094)
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Tue, 5 Dec 2000 08:46:10 -0800
Microsoft Security Bulletin (MS00-094) Patch Available for "Phone Book Service Buffer Overflow" Vulnerability Originally posted: December 04, 2000 Summary Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft Windows NT 4.0 and Windows® 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service. Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-094.asp Issue The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers. Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server. Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it. Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability. Affected Software Versions * Microsoft Windows NT 4.0 Server * Microsoft Windows NT 4.0 Server, Enterprise Edition * Microsoft Windows 2000 Server * Microsoft Windows 2000 Advanced Server NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers. Patch Availability * Microsoft Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193 * Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531 NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2. Note Additional security patches are available at the Microsoft Download Center More Information Please see the following references for more information related to this issue. * Frequently Asked Questions: Microsoft Security Bulletin MS00-094, http://www.microsoft.com/technet/security/bulletin/fq00-094.as p * Microsoft Knowledge Base article Q276575 discusses this issue and will be available soon. * Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp Obtaining Support on this Issue This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at [20]http://support.microsoft.com/support/contact/default.asp. Acknowledgments Microsoft thanks CORE-SDI (www.core-sdi.com) and @Stake (www.stake.com) for reporting this issue to us and working with us to protect customers. Revisions * December 04, 2000: Bulletin Created. THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Last updated December 4, 2000 (c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
Current thread:
- Microsoft Security Bulletin (MS00-094) Elias Levy (Dec 06)