Security Home > Windows NT, 2000 & XP

Phone Book Service Buffer Overflow Vulnerability

A security vulnerability exists in an optional service that ships with Microsoft® Windows NT® 4.0 and Windows® 2000 Servers which could allow a malicious user to execute hostile code on a remote server that is running the service.


The Phone Book Service is an optional component that ships with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to provide computers with a pre-populated list of dial-up networking servers.

Due to an unchecked buffer in the Phone Book Service, a particular type of malformed URL could be used to execute arbitrary code on an IIS 4 or IIS 5 web server running the Phone Book Service. This would potentially enable a malicious user to gain privileges on the machine commensurate with those of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The IUSR account and the IWAM account are members of the Everyone group. In some instances, members of the Everyone group, including the accounts above, are able to execute operating system commands on the web server.

Although this vulnerability would not grant the malicious user administrative level privileges, it would give the malicious user the ability to add, change or delete specific data, run code already on the server, or upload new code to the server and run it.

Phone Book Services are not installed by default on IIS 4 and IIS 5 servers. Instead, this service must be specifically installed via the NT 4 Option Pack or Windows 2000 Optional Networking Components. Customers who have not installed this service would not be at risk from this vulnerability.

Affected Products

  • Windows NT/2000


A software patch is available from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: December 4, 2000

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<