manunkind
December 4, 2000, 10:04 pm
Microsoft Security Bulletin (MS00-094)
Patch Available for "Phone Book Service Buffer Overflow" Vulnerability
Originally posted: December 04, 2000
Summary
Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft® Windows NT® 4.0 and Windows® 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
Issue
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers. Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.
Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it.
Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability.
Affected Software Versions
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers.
Patch Availability
Microsoft Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531
NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2.
Note Additional security patches are available at the Microsoft Download Center
------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)
Patch Available for "Phone Book Service Buffer Overflow" Vulnerability
Originally posted: December 04, 2000
Summary
Microsoft has released a patch that eliminates a security vulnerability in an optional service that ships with Microsoft® Windows NT® 4.0 and Windows® 2000 Servers. The vulnerability could allow a malicious user to execute hostile code on a remote server that is running the service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
Issue
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers. Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.
Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it.
Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability.
Affected Software Versions
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5 servers.
Patch Availability
Microsoft Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531
NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack 1. This fix will be included in Windows 2000 Service Pack 2.
Note Additional security patches are available at the Microsoft Download Center
------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)