Vulnerabilities > CVE-2000-1089 - Unspecified vulnerability in Microsoft Windows 2000 and Windows NT

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus
exploit available
metasploit

Summary

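Buffer overflow in Microsoft Phone Book Service allows local users to execute arbitrary commands, aka the "Phone Book Service Buffer Overflow" vulnerability. Although this description says "local users", the CVSS vector on this page rates the attack vector as NETWORK with no privileges required, and the exploit and scanner entries below all describe a remote overflow reached through /pbserver/pbserver.dll, so treat it as remotely exploitable when prioritising the fix.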

Vulnerable Configurations

Part Description Count
OS
Microsoft
2

Exploit-Db

  • description: Microsoft IIS Phone Book Service Overflow. CVE-2000-1089. Remote exploit for windows platform
    id: EDB-ID:16357
    last seen: 2016-02-01
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16357/
    title: Microsoft IIS Phone Book Service Overflow
  • description: Microsoft Windows NT 4.0 PhoneBook Server Buffer Overflow. CVE-2000-1089. Remote exploit for windows platform
    id: EDB-ID:20460
    last seen: 2016-02-02
    modified: 2000-12-04
    published: 2000-12-04
    reporter: Alberto Solino
    source: https://www.exploit-db.com/download/20460/
    title: Microsoft Windows NT 4.0 PhoneBook Server Buffer Overflow

Metasploit

description: This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1.
id: MSF:EXPLOIT/WINDOWS/ISAPI/MS00_094_PBSERVER
last seen: 2020-05-22
modified: 2017-11-08
published: 2008-08-10
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1089
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/isapi/ms00_094_pbserver.rb
title: MS00-094 Microsoft IIS Phone Book Service Overflow

Nessus

NASL family: CGI abuses
NASL id: PHONEBOOK.NASL
description: The CGI /pbserver/pbserver.dll is subject to a buffer overflow attack that may allow an attacker to execute arbitrary commands on this host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10564
published: 2000-12-06
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10564
title: Microsoft IIS Phone Book Service /pbserver/pbserver.dll Remote Overflow
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

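# Registration phase: when the engine evaluates the plugin with `description`
# set, only the metadata below is recorded and the script exits (see the
# exit(0) at the end of this block) before any request is sent.
if (description)
{
  script_id(10564);
  script_version("1.42");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  # Cross-references that tie a finding to the advisory and the vendor fix.
  script_cve_id("CVE-2000-1089");
  script_bugtraq_id(2048);
  script_xref(name:"MSFT", value:"MS00-094");
  script_xref(name:"MSKB", value:"276575");

  script_name(english:"Microsoft IIS Phone Book Service /pbserver/pbserver.dll Remote Overflow");
  script_summary(english:"Determines whether phonebook server is installed");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains software that is vulnerable to a buffer
overflow.");
  script_set_attribute(attribute:"description", value:
"The CGI /pbserver/pbserver.dll is subject to a buffer overflow attack
that may allow an attacker to execute arbitrary commands on this host.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-094");
  script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT and 2000.");

  # Triage metadata. The temporal vector carries E:F (functional exploit) and
  # the Metasploit attributes below name a public module, so the two
  # exploitability attributes are set to agree with them. They previously read
  # "No exploit is required" / "false", which understated the exposure to
  # anyone filtering findings on exploit availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS00-094 Microsoft IIS Phone Book Service Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2000/12/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/12/06");

  # Flagged as a potential finding: the check body infers the flaw from the
  # server going silent, not from a version or patch-level comparison.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_DENIAL marks the check as disruptive: the probe can leave the web
  # service unresponsive, so it belongs in scan policies that allow that.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
  # Requires the paranoid-report setting; the check body re-tests
  # report_paranoia before doing anything.
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}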

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

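# Active check for the Phone Book Service overflow (MS00-094).
# Flow: confirm pbserver.dll answers, send one oversized update request, then
# see whether the web server still responds. A server that has gone silent is
# reported as vulnerable.

# Only run under paranoid reporting: the verdict is inferred from a lost
# response, which can also be caused by unrelated outages (false positives).
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

# Baseline request to the ISAPI extension without arguments.
w = http_send_recv3(method:"GET", item:"/pbserver/pbserver.dll", port:port);

# Without a baseline answer, a later silence proves nothing, so stop here
# instead of indexing a NULL response.
if (isnull(w)) exit(1, string("The web server on port ", port, " did not answer."));

# Fix: the response is held in `w`. The earlier code indexed the still-unset
# `r` here, so the "Bad Request" test could never match and the plugin never
# reported anything.
r = strcat(w[0], w[1], '\r\n', w[2]);

# Presumably the extension answers an argument-less request with
# "Bad Request"; that string is used as the sign that pbserver.dll is present.
if ("Bad Request" >< r)
{
  # Oversized LCID and PB arguments. The reply is not inspected; only the
  # server's state afterwards matters.
  http_send_recv3(method:"GET", port:port,
    item:string("/pbserver/pbserver.dll?OSArch=0&OSType=2&LCID=", crap(200), "&PBVer=0&PB=", crap(200)));

  # Liveness re-check: no response now, after a valid baseline, is treated as
  # the service having crashed on the oversized request.
  r = http_send_recv3(method:"GET", item:"/pbserver/pbserver.dll", port:port);
  if (isnull(r)) security_hole(port);
}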

Packetstorm

data source: https://packetstormsecurity.com/files/download/83175/ms00_094_pbserver.rb.txt
id: PACKETSTORM:83175
last seen: 2016-12-05
published: 2009-11-26
reporter: patrick
source: https://packetstormsecurity.com/files/83175/Microsoft-IIS-Phone-Book-Service-Overflow.html
title: Microsoft IIS Phone Book Service Overflow