What's this bulletin about?
Microsoft Security Bulletin MS00-094 announces the availability of a patch that eliminates a vulnerability in an optional service that ships as part of Microsoft® Windows NT® 4 and Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. It could enable a malicious user to cause code of his choice to execute on a web server running a particular optional service. This would potentially enable a malicious user to execute any code that a user logged into the server interactively could run. This would give him the ability to install and run code, add, change or delete files or web pages, or take other actions.
This vulnerability relies upon the existence of the Phone Book Service on the web server. Users who have not specifically installed the Phone Book Service on their web server are not at risk from this vulnerability.
What causes the vulnerability?
The vulnerability results because the Phone Book Service has an unchecked buffer in a portion of the code that processes requests for phone book updates. If provided with a particular type of malformed request, it would be possible to overrun the buffer.
What is Phone Book Service?
The Phone Book Service enables remote users to get an up-to-date listing of dial-in phone numbers. To understand how it would be used, let's consider a typical scenario.
Suppose BigCorp needs to allow its employees to dial into the network when they're working from home or traveling. The IT department would probably set up either a RAS (Remote Access Service) or a PPTP (Point-to-Point Tunneling Protocol) server for them to dial into. However, the employees would need a way to find the right dial-in numbers and to set up the connection to the network. The IT department might deploy Connection Manager to make this easy. Connection Manager is an application that enables users to select a dial-in number from a pre-programmed list and make a dial-up connection easily.
The problem is how to keep Connection Manager's list of phone numbers current. That's where the Phone Book Service comes in. The Phone Book Service runs on an IIS server, and provides information about dial-up numbers. Usually, it's called behind the scenes by Connection Manager during each dial-in connection; however, it also can be called directly by a user, using a normal HTTP request.
What's wrong with Phone Book Server?
The Phone Book Service has an unchecked buffer in a part of the code that handles requests. If a malicious user sent a specially-malformed HTTP request for a phone book update, it could either cause the Phone Book Service to crash, or cause code of her choice to be executed on the server.
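To show the class of defect described in the two answers above (a request field copied into a fixed-size buffer without a length check), here is an added example of a bounds-checked request-field parser. It is illustrative code written for this FAQ, not the Phone Book Service's own code; the field name "pb", the buffer size and the query format are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical handler illustrating the bug class in the bulletin: a request
 * field landing in a fixed-size buffer. Names and sizes are assumptions, not
 * the real service's code. */
#define FIELD_MAX 64   /* assumed capacity of the fixed-size field buffer */

enum parse_result { PARSE_OK = 0, PARSE_MISSING = 1, PARSE_TOO_LONG = 2 };

/* Find "key=" at the start of a query field and copy its value into
 * out[out_len]. An unchecked handler would do strcpy(out, value); the length
 * test below is what turns an overrun into a rejected request. */
enum parse_result get_query_field(const char *query, const char *key,
                                  char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            const char *end = strchr(val, '&');
            size_t vlen = end ? (size_t)(end - val) : strlen(val);
            if (vlen >= out_len)          /* leave room for the terminator */
                return PARSE_TOO_LONG;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return PARSE_OK;
        }
        p = strchr(p, '&');               /* advance to the next field */
        if (p) p++;
    }
    return PARSE_MISSING;
}

/* Validate the (assumed) "pb" field of a phone book update request. */
enum parse_result check_update_request(const char *query)
{
    char name[FIELD_MAX];
    return get_query_field(query, "pb", name, sizeof name);
}

int main(void)
{
    /* constructed sample requests: one well-formed, one oversized */
    const char *ok = "client=1&pb=corp-dialup";
    char big[300];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    char oversized[310];
    snprintf(oversized, sizeof oversized, "pb=%s", big);
    printf("normal=%d oversized=%d\n", check_update_request(ok),
           check_update_request(oversized));
    return 0;
}
```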
What would this enable the malicious user to do?
By sending a malformed HTTP request to an affected server, a malicious user could cause either of two effects:
- If she overran the buffer with random data, she could cause the Phone Book Service on the affected machine to fail.
- If she overran the buffer with specially-chosen data, it would be possible to cause code of her choice to run on the server.
If this vulnerability were used to make the Phone Book Service fail, what would be required to put it back into service?
The operator would need to restart the service. It would not be necessary to reboot the server.
If the vulnerability were exploited to cause code to run, what could the code do?
It would depend on exactly how the IIS server was configured. By default, Phone Book Server runs on IIS 4.0 in the security context of the IUSR_machinename account; on IIS 5.0, it runs by default in the context of the IWAM_machinename account.
What would this allow the code to do?
Neither IUSR_machinename nor IWAM_machinename is a highly-privileged account. In fact, they're the accounts under which anonymous connections to a web server are made. Gaining the ability to run code under these accounts would not give the malicious user administrative control over the server. However, both accounts are members of the Everyone group, and this would enable her to add, change or delete data on the system, run any programs that are already on the machine, or upload new software to it and run it.
Are affected machines usually connected to the Internet?
The Phone Book Service must be installed on an IIS server. This IIS server may be accessible via the Internet; however, best practices suggest that the Phone Book Service be installed on an IIS server that is only reachable via the RAS or PPTP server to which the remote user is connecting.
Is Phone Book Server installed by default?
No. It must be installed by the administrator. On IIS 4.0 systems, it can be loaded as part of the Internet Connection Services for Microsoft RAS that ships with the NT 4 Option Pack. On IIS 5.0 systems, it can be loaded as part of the Optional Networking Components, via the Add/Remove Programs applet. The important point to remember is that, although Phone Book Server only runs on IIS servers, it only does so if it has specifically been installed. If Phone Book Server has not been installed on a machine, it isn't vulnerable to this issue.
Who should use the patch?
Microsoft recommends that users who have installed the Phone Book Service on their IIS servers consider installing the patch.
What does the patch do?
Microsoft recommends that users who have installed the Phone Book Service on their IIS servers consider installing the patch.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
Knowledge Base article Q276575 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.