[COVERT-2000-11] Multiple Network Monitor Overflows
From: COVERT Labs <seclabs () nai com>
Date: Wed, 1 Nov 2000 18:35:26 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Network Associates, Inc.
COVERT Labs Security Advisory
November 1, 2000
Multiple Network Monitor Overflows
Multiple buffer overflows in the Windows NT Network Monitor allow a
remote attacker to execute arbitrary code or deny administrators the
ability to view capture files. This vulnerability has been assigned
a CVE candidate number of CAN-2000-0885.
RISK FACTOR: MEDIUM
o Vulnerable Systems
Network Monitor included with SMS 2.0 and 1.2.
Network Monitor included with all versions of Windows NT/2000.
o Vulnerability Overview
The Windows Network Monitor tool allows an administrator to capture
network traffic destined to the local host or all traffic on a local
network. Network Monitor first captures the traffic; the captured
information can then be viewed in the graphical interface.
Individual packets received from the network are parsed to provide a
readable representation in the user interface. Each application-level
protocol is parsed by a separate dynamic-link library within
Network Monitor. One of the vulnerable libraries, 'browser.dll', is
documented in the samples section of the Visual C++ documentation in
the MSDN library.
Multiple stack overflows in various function calls within Network
Monitor's parsing libraries may allow remote attackers to gain
control of the Network Monitor application and execute arbitrary
o Detailed Information
When a captured session is viewed in Network Monitor's user
interface, a single line summary of protocol specific data is
displayed. Analysis of a selection of protocol specific libraries
has identified a practice of utilizing insecure string handling
functions, creating numerous remote vulnerabilities. The following
examples illustrate specific problems identified by COVERT Labs:
1) If a CIFS Browse Frame is delivered to UDP port 138, the function
FormatBrowserSummary() is called within 'browser.dll'. One specific
CIFS Browse Frame, "Become Backup", includes the name of the Browse
Server to be promoted. This information is extracted from the UDP
datagram for inclusion in the single line summary.
The Browse Server name is passed to the WIN32 API function call
OemToChar(), which translates a string from the OEM-defined character
set into either an ANSI or a wide-character string. The OemToChar()
function stops converting characters when it encounters a null
character. The vulnerable FormatBrowserSummary() function in
'browser.dll' calls OemToChar(), converting the server name into a
255-byte character buffer on the stack. Because OemToChar() provides
no bounds checking, the stack can be overrun with arbitrary values.
2) If an SNMP request is received on UDP port 161, 'snmp.dll' is
called. The community name of the SNMP request is extracted from the
datagram for the protocol specific summary. The SNMP community name
is copied into a stack buffer by 'snmp.dll' using the WIN32 function
wsprintfA(). Because this function call does not provide adequate
bounds checking, the stack may be overwritten.
3) If an SMB session is received on TCP port 139, 'smb.dll' is
called. This parser contains two vulnerabilities. If an SMB session
with a long username or a long filename for a type C transaction is
received, Network Monitor will overwrite its stack frame via an
unchecked wsprintfA() call in a manner similar to the vulnerability
described in the SNMP parser.
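The three parser bugs above share one shape: a string field taken
straight from a datagram is formatted into a fixed-size stack buffer
by a call that never sees the buffer's size. The following is an
added example, not Network Monitor code or anything from Microsoft
or COVERT Labs, that models that pattern in standard C (sprintf
standing in for wsprintfA and OemToChar) beside a bounded version.
The FIELD_MAX limit, the field names and the sample inputs are
constructed for this example; only the 255-byte buffer size comes
from the advisory.

```c
/*
 * Added example (not Network Monitor code): the unbounded-copy pattern
 * the advisory describes, modelled with standard C, beside a bounded
 * version that rejects or bounds the untrusted field before use.
 */
#include <stdio.h>
#include <string.h>

#define SUMMARY_LEN 255   /* buffer size the advisory gives for browser.dll */
#define FIELD_MAX   64    /* assumed cap on the protocol field; chosen for this example */

/* The pattern from the advisory: the output buffer size is never
 * checked. sprintf stands in for wsprintfA. With a name longer than
 * the buffer this is a stack overflow; shown for contrast only and
 * only ever called here with a short name. */
int summary_unsafe(const char *name, char *out /* SUMMARY_LEN bytes */)
{
    return sprintf(out, "Become Backup: %s", name);
}

/* Hardened form. The field length comes from the packet, not from
 * strlen(), because a datagram need not carry a terminating NUL.
 * Returns the summary length on success, -1 if the field is over the
 * protocol limit or does not fit the output buffer. */
int summary_safe(const char *field, size_t field_len,
                 char *out, size_t out_len)
{
    if (field == NULL || out == NULL || out_len == 0)
        return -1;
    if (field_len > FIELD_MAX)            /* reject, do not silently truncate */
        return -1;
    /* %.*s reads at most field_len bytes, so an unterminated field
     * cannot make the read run past the datagram either. */
    int n = snprintf(out, out_len, "Become Backup: %.*s", (int)field_len, field);
    if (n < 0 || (size_t)n >= out_len)    /* would not fit: fail closed */
        return -1;
    return n;
}

/* Constructed inputs for a stand-alone check (not captured traffic). */
int check_unsafe_short_name(void)
{
    char out[SUMMARY_LEN];
    /* A normal-length name is formatted correctly; the defect only
     * shows with an over-long field, which is why it went unnoticed. */
    return summary_unsafe("WORKGROUP-PDC", out) == 28;
}

int check_short_name(void)
{
    char out[SUMMARY_LEN];
    const char *name = "WORKGROUP-PDC";
    int n = summary_safe(name, strlen(name), out, sizeof out);
    return n == 28 && strcmp(out, "Become Backup: WORKGROUP-PDC") == 0;
}

int check_unterminated_name(void)
{
    char out[SUMMARY_LEN];
    char name[8] = {'S','E','R','V','E','R','0','1'};   /* 8 bytes, no NUL */
    int n = summary_safe(name, sizeof name, out, sizeof out);
    return n == 23 && strcmp(out, "Become Backup: SERVER01") == 0;
}

int check_long_name(void)
{
    char out[SUMMARY_LEN];
    char name[300];
    memset(name, 'A', sizeof name);       /* 300 bytes: longer than the 255-byte buffer */
    return summary_safe(name, sizeof name, out, sizeof out) == -1;
}
```

The safe version makes two separate decisions that the original
parsers collapsed into one call: whether the field is plausible for
the protocol at all (FIELD_MAX), and whether the formatted result fits
the destination (snprintf plus the truncation check). Rejecting an
over-long field outright, rather than truncating it, also keeps the
summary line from presenting a misleading name to the administrator.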
Gaining control of the instruction pointer for each of these
vulnerabilities can be achieved either by overwriting the return
address and allowing the vulnerable functions to return, or by
overwriting the Structured Exception Handler callback pointer and
then causing an invalid memory reference.
After notification of these specific issues and further discussion of
the security impact of coding practices in Network Monitor, Microsoft
has completed a full audit of all parsers and has issued a patch to
address the vulnerabilities found. Platform-specific patches can be
obtained at one of the following addresses:
Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise
Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:
Microsoft Systems Management Server 1.2:
Microsoft Systems Management Server 2.0:
Discovery and documentation of these vulnerabilities were conducted
by Anthony Osborne and Barnaby Jack at the COVERT Labs of PGP
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert () pgp com
o Legal Notice
The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.
Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>
-----END PGP SIGNATURE-----