CVE-2000-1089
Published 2001-01-09
CVE-2000-1089: Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.
Priority P347 · critical · CVSS 2.0 score 10 · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 76.55% (99.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by inspecting HTTP GET requests to /pbserver/pbserver.dll containing the pattern '?&&&&&&pb=' with a long value (approaching or exceeding 980 characters).
- Alert on HTTP 400 responses from /pbserver/pbserver.dll, as the Metasploit check method treats a 400 response code as indicative of a vulnerable target.
- Monitor the Windows Event Log for WAM-source exceptions referencing pbserver!HttpExtensionProc, which indicate a crash or exploitation attempt against PBSERVER.DLL.
- Flag URL query strings to pbserver.dll containing multiple consecutive '&' characters followed by 'pb=' as a hallmark of the exploit's length-check bypass technique.
- Bad characters for the payload are the null byte, LF, CR, space, %, &, =, and ?; shellcode in the pb= parameter will avoid these bytes, which can help tune detection signatures.
- The Phone Book Service is not installed by default; it is an optional component of the NT 4 Option Pack and Windows 2000, so exposure is limited to systems where it has been explicitly installed.
- The Metasploit module was only tested against Windows 2000 SP1; return addresses for SP0 and NT SP6 are provided but may be less reliable.
- The DLL performs a total-length check capping requests at 1024 bytes, but the exploit bypasses this by using multiple empty '&' parameters so that the pb= value alone stays under 980 characters while still overflowing a fixed-size local buffer.
- On IIS 4 exploitation results in code execution as IUSR_machinename; on IIS 5 it runs as IWAM_machinename, so the privilege level obtained differs by IIS version.
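The request-level indicators above (a run of '&' before pb=, an unusually long pb= value, a 400 response from pbserver.dll) can be checked directly against web server logs. The following is an added example, not part of this record or of any of the sources it indexes; the W3C field order, the 900-character threshold and the sample log lines are assumptions constructed for illustration.

```python
import re

PB_PATH = "/pbserver/pbserver.dll"
# Hallmark from the detection notes: a run of empty '&' parameters right before pb=
AMP_RUN_RE = re.compile(r"&{2,}pb=", re.IGNORECASE)
PB_VALUE_RE = re.compile(r"(?:^|&)pb=([^&]*)", re.IGNORECASE)
# Assumed tuning value: the notes describe pb= values approaching 980 characters
PB_SUSPECT_LEN = 900

def analyze_request(stem, query, status):
    """Return the detection reasons that apply to one request (empty list = benign)."""
    reasons = []
    if stem.lower() != PB_PATH:
        return reasons
    if AMP_RUN_RE.search(query):
        reasons.append("consecutive-ampersands-before-pb")
    m = PB_VALUE_RE.search(query)
    if m and len(m.group(1)) >= PB_SUSPECT_LEN:
        reasons.append("long-pb-value")
    if status == 400:  # the notes treat a 400 from pbserver.dll as a vulnerable indicator
        reasons.append("http-400-response")
    return reasons

def scan_w3c_log(lines):
    """Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, query, status = fields[:7]
        query = "" if query == "-" else query  # IIS logs '-' for an empty query
        reasons = analyze_request(stem, query, int(status))
        if reasons:
            hits.append({"client": client, "stem": stem, "reasons": reasons})
    return hits

# Constructed sample log: one ordinary phone-book update, one overflow-style request.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-12-05 10:01:02 192.0.2.10 GET /pbserver/pbserver.dll osArch=0&osType=2&LCID=1033&pbVer=0&pb=corpbook 200",
    "2000-12-05 10:01:09 192.0.2.10 GET /default.htm - 200",
    "2000-12-05 10:02:15 198.51.100.7 GET /pbserver/pbserver.dll &&&&&&pb=" + "A" * 950 + " 400",
]

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG):
        print(hit["client"], hit["stem"], ", ".join(hit["reasons"]))
```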
No detection rules found.
Exploit-DB
Microsoft IIS - Phone Book Service Overflow (MS00-094) (Metasploit)
exploitdb · 2010-04-30 · CVE-2000-1089
---
```ruby
##
# $Id: ms00_094_pbserver.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Microsoft IIS Phone Book Service Overflow',
      'Description'    => %q{
          This is an exploit for the Phone Book Service /pbserver/pbserver.dll
        described in MS00-094. By sending an overly long URL argument
        for phone book updates, it is possible to overwrite the stack. This
        module has only been tested against Windows 2000 SP1.
      },
      'Author'         => [ 'patrick' ],
      'License'        =>
```
Exploit-DB
Microsoft Windows NT 4.0 - Phonebook Server Buffer Overflow
exploitdb · 2000-12-04 · CVE-2000-1089
---
source: https://www.securityfocus.com/bid/2048/info
The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.
A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).
The Phone Book server services requests using the Internet Information Services 5.0 with URIs such as http://hostname/pbserver/
According to Microsoft's documentation a DLL (PBSERVER.DLL) is expo
Exploit-DB
SalesLogix Corporation eViewer 1.0 - Denial of Service
exploitdb · 2000-03-31 · CVE-2000-0278
---
source: https://www.securityfocus.com/bid/1089/info
SalesLogix eViewer is a web application integrated with the SalesLogix 2000 package.
eViewer will not perform authorization on administrative commands if they are requested directly in the URL. Therefore, the URL:
http: //target/scripts/slxweb.dll/admin?command=shutdown
will cause the slxweb.dll process to shutdown. Possibly other commands aside from 'shutdown' could be performed by a remote user as well. Although the slxweb.dll process will restart once a new query or session is issued, continually requesting the URL above will cause a denial of service.
Additional notes:
The program which issues administrative commands (slxweb.dll) is installed by default in the /scripts
Metasploit
MS00-094 Microsoft IIS Phone Book Service Overflow
This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/2048
- http://www.stake.com/research/advisories/2000/a120400-1.txt
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-094
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5623