Microsoft Security Bulletin (MS00-094)
   
   Patch Available for "Phone Book Service Buffer Overflow" Vulnerability
   
   Originally posted: December 04, 2000
   
Summary

   Microsoft has released a patch that eliminates a security
   vulnerability in an optional service that ships with Microsoft®
   Windows NT® 4.0 and Windows® 2000 Servers. The vulnerability could
   allow a malicious user to execute hostile code on a remote server that
   is running the service.
   
   Frequently asked questions regarding this vulnerability and the patch
   can be found at
   http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
   
Issue

   The Phone Book Service is an optional component that ships with the NT
   4 Option Pack and Windows 2000. This Service is used in conjunction
   with Dial Up Networking clients to provide computers with a
   pre-populated list of dial-up networking servers.
   
   Due to an unchecked buffer in the Phone Book Service, a particular
   type of malformed URL could be used to execute arbitrary code on an
   IIS 4 or IIS 5 web server running the Phone Book Service. This would
   potentially enable a malicious user to gain privileges on the machine
   commensurate with those of the IUSR_machinename account (IIS 4) or the
   IWAM_machinename account (IIS 5). The IUSR account and the IWAM
   account are members of the Everyone group. In some instances, members
   of the Everyone group, including the accounts above, are able to
   execute operating system commands on the web server.
   
   Although this vulnerability would not grant the malicious user
   administrative level privileges, it would give the malicious user the
   ability to add, change or delete specific data, run code already on
   the server, or upload new code to the server and run it.
   
   Phone Book Services are not installed by default on IIS 4 and IIS 5
   servers. Instead, this service must be specifically installed via the
   NT 4 Option Pack or Windows 2000 Optional Networking Components.
   Customers who have not installed this service would not be at risk
   from this vulnerability.
   
Affected Software Versions

     * Microsoft Windows NT 4.0 Server
     * Microsoft Windows NT 4.0 Server, Enterprise Edition
     * Microsoft Windows 2000 Server
     * Microsoft Windows 2000 Advanced Server
       
   NOTE: The Phone Book Service can only be installed on IIS 4 or IIS 5
   servers.
   
Patch Availability

     * Microsoft Windows NT 4.0:
       http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
     * Microsoft Windows 2000:
       http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531
       
   NOTE: The NT 4.0 fix can be applied to systems running NT 4.0 Service
   Pack 6a. This fix will be included in NT 4.0 Service Pack 7. The
   Windows 2000 fix can be applied to Windows 2000 Gold or Service Pack
   1. This fix will be included in Windows 2000 Service Pack 2.
   
   Note Additional security patches are available at the Microsoft
   Download Center 
   
More Information

   Please see the following references for more information related to
   this issue.
     * Frequently Asked Questions: Microsoft Security Bulletin MS00-094,
       http://www.microsoft.com/technet/security/bulletin/fq00-094.asp
     * Microsoft Knowledge Base article Q276575 discusses this issue and
       will be available soon.
     * Microsoft TechNet Security web site,
       http://www.microsoft.com/technet/security/default.asp
       
Obtaining Support on this Issue

   This is a fully supported patch. Information on contacting Microsoft
   Product Support Services is available at
   http://support.microsoft.com/support/contact/default.asp.
   
Acknowledgments

   Microsoft thanks  CORE-SDI (www.core-sdi.com) and @Stake
   (www.stake.com) for reporting this issue to us and working with us to
   protect customers.
   
Revisions

     * December 04, 2000: Bulletin Created.
       
   THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
   "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
   WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
   SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
   WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
   OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
   OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
   CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
   NOT APPLY.

     Last updated December 4, 2000
     © 2000 Microsoft Corporation. All rights reserved. Terms of use.