Title: Multiple Network Monitor Overflows
Released by: Covert Labs
Date: 1st November 2000
______________________________________________________________________

                     Network Associates, Inc.
                  COVERT Labs Security Advisory
                        November 1, 2000

               Multiple Network Monitor Overflows

                         COVERT-2000-11
______________________________________________________________________

o Synopsis

Multiple buffer overflows in the Windows NT Network Monitor allow a
remote attacker to execute arbitrary code or deny administrators the
ability to view capture files.  This vulnerability has been assigned
a CVE candidate number of CAN-2000-0885.

RISK FACTOR: MEDIUM

______________________________________________________________________



o Vulnerable Systems

Network Monitor included with SMS 2.0 and 1.2.
Network Monitor included with all versions of Windows NT/2000.

______________________________________________________________________



o Vulnerability Overview

The Windows Network Monitor tool allows an administrator to capture
network traffic destined to the local host or all traffic on a local
network.  Network Monitor captures the traffic first; the captured
data is then viewed in the graphical interface.

Individual packets received from the network are parsed to provide a
readable representation in the user interface.  Each application level
protocol is parsed by a separate dynamic link library within
Network Monitor.  One of the vulnerable libraries, 'browser.dll', is
documented in the samples section of the Visual C++ documentation in
the MSDN library.

Multiple stack overflows in various function calls within Network
Monitor's parsing libraries may allow remote attackers to gain
control of the Network Monitor application and execute arbitrary
code.

______________________________________________________________________



o Detailed Information

When a captured session is viewed in Network Monitor's user
interface, a single line summary of protocol specific data is
displayed.  Analysis of a selection of protocol specific libraries
has identified a practice of using insecure string handling
functions, creating numerous remote vulnerabilities.  The following
examples illustrate specific problems identified by COVERT Labs
research.

1)  If a CIFS Browse Frame is delivered to UDP port 138, the function
FormatBrowserSummary() is called within 'browser.dll'.  One specific
CIFS Browse Frame, "Become Backup", includes the name of the Browse
Server to be promoted.  This information is extracted from the UDP
datagram for inclusion in the single line summary.

The Browse Server name is passed to the WIN32 API function
OemToChar(), which translates a string from the OEM-defined character
set into either an ANSI or a wide-character string.  The OemToChar()
function stops converting characters only when it encounters a null
character.  The vulnerable FormatBrowserSummary() function in
'browser.dll' calls OemToChar(), converting the server name into a
255 byte character buffer on the stack.  Because OemToChar() performs
no bounds checking, the stack can be overrun with arbitrary values.

2)  If an SNMP request is received on UDP port 161, 'snmp.dll' is
called.  The community name of the SNMP request is extracted from the
datagram for the protocol specific summary.  The SNMP community name
is copied into a stack buffer by 'snmp.dll' using the WIN32 function
wsprintfA().  Because this function call does not provide adequate
bounds checking, the stack may be overwritten.

3)  If an SMB session is received on TCP port 139, 'smb.dll' is
called.  This parser contains two vulnerabilities.  If an SMB session
with a long username or a long filename for a type C transaction is
received, Network Monitor will overwrite its stack frame via an
unchecked wsprintfA() call in a manner similar to the vulnerability
described in the SNMP parser.

Control of the instruction pointer for each of these vulnerabilities
can be achieved either by overwriting the return address and allowing
the vulnerable function to return, or by overwriting the Structured
Exception Handler callback pointer and then causing an invalid memory
reference.
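As an added example (not the advisory's or Microsoft's code), the following portable C shows what a bounds-checked summary formatter for the "Become Backup" frame from item 1 looks like: the terminator is searched for only inside the datagram, the name is capped, and the formatted write is length-limited and checked for truncation. The frame layout (one opcode byte, assumed to be 0x0B, followed by the NUL-terminated Browse Server name), the 64-byte name limit, and the use of memchr()/snprintf() in place of OemToChar()/wsprintfA() are assumptions of this example.

```c
/* Added example, not the advisory's or Microsoft's code. Assumed frame layout:
 * one opcode byte (0x0B, assumed) then the NUL-terminated name of the Browse
 * Server to promote. memchr()/snprintf() stand in for OemToChar()/wsprintfA(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BROWSE_BECOME_BACKUP 0x0B  /* opcode value assumed for this example */
#define SUMMARY_SIZE 255           /* same size as the stack buffer in the advisory */
#define MAX_NAME 64                /* policy limit chosen for this example */

/* Writes "Become Backup: <name>" into out. Returns the summary length, or -1
 * when the frame is malformed or the name does not fit. Never writes outside
 * out[0 .. outlen-1], whatever the datagram contains. */
int format_become_backup(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (pkt == NULL || out == NULL || outlen == 0) return -1;
    if (len < 2 || pkt[0] != BROWSE_BECOME_BACKUP) return -1;
    const uint8_t *name = pkt + 1;
    size_t avail = len - 1;
    /* Look for the terminator only inside the datagram. An unterminated name
     * is rejected instead of letting the copy run off the packet, which is
     * what an unbounded OemToChar()/wsprintfA() copy would do. */
    const uint8_t *nul = memchr(name, '\0', avail);
    if (nul == NULL) return -1;
    size_t namelen = (size_t)(nul - name);
    if (namelen == 0 || namelen > MAX_NAME) return -1;
    /* The precision caps how many name bytes are copied and snprintf caps the
     * total; a truncated result is reported as an error, not shown silently. */
    int n = snprintf(out, outlen, "Become Backup: %.*s", (int)namelen, (const char *)name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void)
{
    /* Constructed frames: a normal name, and a 300-byte name of the kind the
     * advisory describes overrunning the 255-byte stack buffer. */
    uint8_t good[] = { BROWSE_BECOME_BACKUP, 'S', 'E', 'R', 'V', 'E', 'R', '1', 0 };
    uint8_t big[302];
    big[0] = BROWSE_BECOME_BACKUP;
    memset(big + 1, 'A', 300);
    big[301] = 0;
    char summary[SUMMARY_SIZE];
    printf("good -> %d\n", format_become_backup(good, sizeof good, summary, sizeof summary));
    printf("big  -> %d\n", format_become_backup(big, sizeof big, summary, sizeof summary));
    return 0;
}
```

The same pattern (bound the source by the datagram length, bound the destination by its real size, and fail closed on truncation) is what the wsprintfA() copies in items 2 and 3 lack.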



______________________________________________________________________



o Resolution

After notification of these specific issues and further discussion of
the security impact of coding practices in Network Monitor, Microsoft
has completed a full audit of all parsers and has issued a patch to
address the vulnerabilities found.  Platform-specific patches can be
obtained at one of the following addresses:

Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise
Edition:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487

Microsoft Windows NT 4.0 Server, Terminal Server Edition:
 To be released shortly.

Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485

Microsoft Systems Management Server 1.2:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505

Microsoft Systems Management Server 2.0:
 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514

______________________________________________________________________



o Credits

Discovery and documentation of these vulnerabilities were conducted
by Anthony Osborne and Barnaby Jack at the COVERT Labs of PGP
Security.

______________________________________________________________________



o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@pgp.com

______________________________________________________________________



o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________


