Microsoft PhoneBook Server Buffer Overflow

The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. It is not installed by default.

A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5).


Privacy Statement
Copyright 2010, SecurityFocus