cbcvebase.
CVE-2000-1089
published 2001-01-09

CVE-2000-1089: Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability.

Priority P3 · 47 · critical (score 10, CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 76.55% (99.5th percentile)

Affected (1 range)

Vendor      Product     Version range   Fixed in
microsoft   windows_nt  -               -

Detection & IOCs (extracted from sources)

path:     /pbserver/pbserver.dll
command:  GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0
url:      /pbserver/pbserver.dll?&&&&&&pb=
other:    0x77e8898b
other:    0x77ea162b
other:    0x77f32836
filename: PBSERVER.DLL
  • Detect exploit attempts by inspecting HTTP GET requests to /pbserver/pbserver.dll containing the pattern '?&&&&&&pb=' with a long value (approaching or exceeding 980 characters).
  • Alert on HTTP 400 responses from /pbserver/pbserver.dll as the Metasploit check method treats a 400 response code as indicative of a vulnerable target.
  • Monitor Windows Event Log for WAM source exceptions referencing pbserver!HttpExtensionProc, which indicates a crash/exploitation attempt against PBSERVER.DLL.
  • Flag URL query strings to pbserver.dll containing multiple consecutive '&' characters followed by 'pb=' as a hallmark of the exploit's length-check bypass technique.
  • Bad characters used by the payload are null byte, LF, CR, space, %, &, =, and ?; shellcode in the pb= parameter will avoid these bytes, which can help tune detection signatures.
  • The Phone Book Service is not installed by default; it is an optional component of the NT 4 Option Pack and Windows 2000, so exposure is limited to systems where it has been explicitly installed.
  • The Metasploit module was only tested against Windows 2000 SP1; return addresses for SP0 and NT SP6 are provided but may be less reliable.
  • The DLL performs a total-length check capping requests at 1024 bytes, but the exploit bypasses this by using multiple empty '&' parameters so the pb= value alone stays under 980 chars while still overflowing a fixed-size local buffer.
  • On IIS 4 exploitation results in code execution as IUSR_machinename; on IIS 5 it runs as IWAM_machinename; the privilege level therefore differs by IIS version.
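The detection bullets above can be turned into a small log-review check. The following Python is an added example written for this record, not code from the CVE sources or from the Metasploit module it mentions. It parses Common Log Format access-log lines (an assumption about the web server's log format), keeps only requests to /pbserver/pbserver.dll, and reports three indicators the record names: a long pb= value, a run of consecutive '&' characters before pb=, and an HTTP 400 response from the DLL. The 512-character threshold and the sample log lines are constructed for the example.

```python
"""Log-review check for CVE-2000-1089 indicators against /pbserver/pbserver.dll.

Added example, not part of the CVE record. The Common Log Format layout, the
PB_LEN_THRESHOLD value and the SAMPLE_LOG lines are assumptions made for it."""
import re
from urllib.parse import urlsplit

PBSERVER_PATH = "/pbserver/pbserver.dll"
# Assumption: flag pb= values at or above this length. The record describes exploit
# payloads approaching or exceeding 980 characters; a lower bar also catches padded probes.
PB_LEN_THRESHOLD = 512

# Common Log Format: host ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Two or more consecutive '&' immediately before pb=: the empty-parameter pattern the
# record describes as the bypass of the DLL's 1024-byte total-length check.
AMP_RUN_RE = re.compile(r"&{2,}pb=")


def pb_value(query: str):
    """Return the raw value of the first pb= parameter, or None if it is absent."""
    for part in query.split("&"):
        if part.startswith("pb="):
            return part[3:]
    return None


def analyse(line: str):
    """Return None for lines that are not requests to pbserver.dll; otherwise a dict
    describing the request and any CVE-2000-1089 indicators it matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != PBSERVER_PATH:  # IIS paths are case-insensitive
        return None
    query = parts.query
    value = pb_value(query)
    findings = []
    if value is not None and len(value) >= PB_LEN_THRESHOLD:
        findings.append(f"long pb= value ({len(value)} chars)")
    if AMP_RUN_RE.search(query):
        findings.append("run of '&' before pb= (length-check bypass pattern)")
    if m.group("status") == "400":
        findings.append("HTTP 400 from pbserver.dll (matches the scanner check behaviour)")
    return {
        "src": m.group("src"),
        "status": m.group("status"),
        "pb_len": len(value) if value is not None else 0,
        "findings": findings,
    }


def scan(lines):
    """Return only the pbserver.dll requests that produced at least one finding."""
    hits = []
    for line in lines:
        result = analyse(line)
        if result and result["findings"]:
            hits.append(result)
    return hits


# Constructed sample log lines (not real traffic): a normal phone-book download,
# a short probe that drew a 400, a padded pb= value, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2001:10:01:02 +0000] "GET /pbserver/pbserver.dll?osarch=x86&ostype=NT&lang=en&pb=corpbook&pbver=3 HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Mar/2001:10:05:44 +0000] "GET /pbserver/pbserver.dll?&&&&&&pb=A HTTP/1.0" 400 0',
    '10.0.0.9 - - [12/Mar/2001:10:05:51 +0000] "GET /pbserver/pbserver.dll?&&&&&&pb=' + "A" * 900 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [12/Mar/2001:10:06:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["status"], hit["pb_len"], "; ".join(hit["findings"]))
```

The benign first line carries a short pb= value and no '&' run, so it produces no finding even though it hits the same DLL; the two requests from 10.0.0.9 are reported, the first on the 400 response plus the '&' run, the second on the '&' run plus the 900-character value. On a real deployment the 400 indicator is only meaningful for hosts where the optional Phone Book Service is actually installed.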