Nmap Development mailing list archives

NetBIOS name encoding
From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:19:36 -0600

Hi,

While investigating the safety of UDP payloads this morning I found that
the NetBIOS name resolution service uses the same message format as DNS.
RFC 1002, section 4.1 says

        The NetBIOS name representation in all NetBIOS packets (for
        NAME, SESSION, and DATAGRAM services) is defined in the Domain
        Name Service RFC 883 as "compressed" name messages.

The "compressed" is what interests me, because DNS name decompression
has already been the source of two bugs in NSE.

Fix for stack overflow in dns.lua
http://seclists.org/nmap-dev/2008/q4/0526.html
Stack overflow in dns-zone-transfer.nse
http://seclists.org/nmap-dev/2009/q1/0317.html

I tried exploiting nbstat.exe in Windows XP with an Ncat server sending
malformed messages, but I couldn't get a hang or anything. So I'm asking
mainly of Ron Bowes but also of anyone else who might know: Does NetBIOS
really support name compression, and is it used in practice? If so,
there are probably implementations susceptible to this flaw.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

