File: 1772.txt

package info (click to toggle)
snort 2.9.15.1-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 59,656 kB
  • sloc: ansic: 310,441; sh: 13,260; makefile: 2,943; yacc: 497; perl: 496; lex: 261; sed: 14
file content (65 lines) | stat: -rw-r--r-- 1,381 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Rule:

--
Sid:
1772

--
Summary:
This event is generated when an attempt is made to access the
pbserver.dll component associated with the Microsoft Phone Book Service. 

--
Impact:
Remote access. Malicious access of the pbserver.dll component can allow
the execution of arbitrary commands on a vulnerable server.

--
Detailed Information:
The Microsoft Phone Book Service allows dial-in clients to download
phone book updates from the Internet Information Server (IIS) running
the Phone Book Service.  The pbserver.dll is the Internet Services
Application Programming Interface (ISAPI) that implements the update
service.  A buffer overflow exists in pbserver.dll that may permit the
execution of arbitrary commands on the server. 

--
Affected Systems:
	Windows NT 4.0
	Windows 2000 Server

--
Attack Scenarios:
An attacker can craft an HTTP request for a phone book update to a host
running the Phone Book Service.

--
Ease of Attack:
Simple. Exploit code is available.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Delete pbserver.dll if the Phone Book Service is unnecessary. 

Apply the appropriate vendor supplied patches.

Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

--