Bugtraq mailing list archives
Microsoft's Network Monitor - Buffer Overrun / Page Fault /
From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Sat, 12 Dec 1998 21:49:16 -0000
There is a problem with both the SMS version of Network Monitor and the version on the NT Server 4 CD-ROM whereby if it "sniffs" a NetBIOS session request from a machine where the NetBIOS Scope ID is 190 or more characters, then when the capture is stopped and the results are viewed the Network Monitor process (netmon.exe) experiences a memory problem. Depending on whether there are other open capture windows or not, the memory problem manifests itself in a number of different ways: sometimes buffer overruns, sometimes a page fault, and at other times the process just dies with no indication as to why.

The problem actually stems from the NetBIOS parser, netbios.dll, not being able to handle the packet when it tries to interpret the contents.

The impact of this problem ranges from a simple Denial of Service, enough to really annoy an admin trying to troubleshoot a LAN issue, to possible exploitation, especially as Network Monitor is normally run by an Admin and consequently the netmon.exe process and any child process it spawns will run with Administrative privileges.

Microsoft was informed about this issue around 8 weeks ago, but not having heard anything since the first conversation I had with them about this, I am issuing this advisory.

This was tested on NT Server 4.0 (Service Pack Three + Hotfixes) and Windows 95.
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
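The advisory names the trigger (a NetBIOS session request whose Scope ID is 190 or more characters) but not the wire format. The following is an added example, not code from the original post or from Microsoft: it builds an RFC 1002 session request (TYPE 0x81) with a constructed 190-character Scope ID, using the RFC 1001 first-level encoding (32-byte "A".."P" name label) and second-level encoding (length-prefixed labels, zero terminator), and then parses it back with the checks a parser such as netbios.dll would need: every read bounded by the packet's LENGTH field, label lengths capped at 63 and the whole encoded name at 255 bytes (the RFC 1035 limits that NetBIOS names inherit). The host names SERVER1 and WKSTN and the scope string are constructed sample data. Note that a 190-character scope encodes to 225 bytes per name, which is legal under those limits, so a decoder has to size its buffers for the maximum the encoding permits rather than for typical scopes.

```python
import struct

SESSION_REQUEST = 0x81   # RFC 1002 session service packet type
MAX_LABEL = 63           # RFC 1035 per-label limit, inherited by NetBIOS names
MAX_NAME = 255           # RFC 1035 limit on a whole encoded name
NB_NAME_LEN = 16         # 15 name characters + 1 suffix byte


def first_level_encode(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 characters, append the
    suffix byte, then map each nibble to 'A'..'P', giving a 32-byte label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def encode_netbios_name(name: str, suffix: int, scope_id: str) -> bytes:
    """Second-level encoding: the 32-byte encoded name, then one label per
    dot-separated scope component, each length-prefixed, then a zero byte."""
    labels = [first_level_encode(name, suffix)]
    if scope_id:
        labels += [label.encode("ascii") for label in scope_id.split(".")]
    out = bytearray()
    for label in labels:
        if not 0 < len(label) <= MAX_LABEL:
            raise ValueError("scope label must be 1..63 bytes")
        out.append(len(label))
        out += label
    out.append(0)
    return bytes(out)


def build_session_request(called: str, calling: str, scope_id: str) -> bytes:
    """Session request: TYPE=0x81, FLAGS (bit 0 is LENGTH bit 16), 16-bit
    LENGTH, then CALLED_NAME and CALLING_NAME. Both names carry the scope."""
    body = (encode_netbios_name(called, 0x20, scope_id)
            + encode_netbios_name(calling, 0x00, scope_id))
    length = len(body)
    return struct.pack(">BBH", SESSION_REQUEST, (length >> 16) & 1, length & 0xFFFF) + body


def decode_netbios_name(buf: bytes, pos: int, end: int):
    """Bounds-checked decoder. Returns (name, suffix, scope_id, next_pos) or
    raises ValueError; it never reads outside buf[pos:end] and caps the name."""
    labels, total = [], 0
    while True:
        if pos >= end:
            raise ValueError("name truncated")
        n = buf[pos]
        pos += 1
        total += 1
        if n == 0:
            break
        if n > MAX_LABEL:
            raise ValueError("label length %d exceeds %d" % (n, MAX_LABEL))
        if pos + n > end:
            raise ValueError("label runs past end of packet")
        total += n
        if total > MAX_NAME:
            raise ValueError("encoded name exceeds %d bytes" % MAX_NAME)
        labels.append(buf[pos:pos + n])
        pos += n
    if not labels or len(labels[0]) != 2 * NB_NAME_LEN:
        raise ValueError("first label must be the 32-byte encoded NetBIOS name")
    enc = labels[0]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("encoded name contains characters outside 'A'..'P'")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" ").decode("ascii")
    scope = ".".join(label.decode("ascii") for label in labels[1:])
    return name, raw[15], scope, pos


def parse_session_request(pkt: bytes) -> dict:
    """Parse a session request, checking the header LENGTH against the bytes
    actually present and requiring the two names to fill the body exactly."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than session header")
    ptype, flags, length = struct.unpack(">BBH", pkt[:4])
    if ptype != SESSION_REQUEST:
        raise ValueError("not a session request (type 0x%02x)" % ptype)
    length |= (flags & 1) << 16
    end = 4 + length
    if end > len(pkt):
        raise ValueError("LENGTH field claims more bytes than were captured")
    called, called_sfx, scope, pos = decode_netbios_name(pkt, 4, end)
    calling, calling_sfx, scope2, pos = decode_netbios_name(pkt, pos, end)
    if pos != end:
        raise ValueError("trailing bytes after CALLING_NAME")
    return {"called": called, "called_suffix": called_sfx, "calling": calling,
            "calling_suffix": calling_sfx, "scope_id": scope, "calling_scope_id": scope2}


def is_rejected(pkt: bytes) -> bool:
    """True when the parser refuses the packet instead of reading past it."""
    try:
        parse_session_request(pkt)
        return False
    except ValueError:
        return True


# Constructed sample: a 190-character Scope ID, the size the advisory names.
LONG_SCOPE = "a" * 63 + "." + "b" * 63 + "." + "c" * 62

if __name__ == "__main__":
    pkt = build_session_request("SERVER1", "WKSTN", LONG_SCOPE)
    print(len(pkt), parse_session_request(pkt))
```

The decoder's three checks (label length against 63, cumulative length against 255, and every slice against the LENGTH-derived end of packet) are independent: a well-formed long scope passes all of them, while a truncated capture or a label byte above 63 is refused with an error rather than handled by reading past the buffer.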
Current thread:
- RSI.0012.12-03-98.SOLARIS.MKCOOKIE RSI Advise (Dec 03)
- Re: RSI.0012.12-03-98.SOLARIS.MKCOOKIE Pavel Kankovsky (Dec 04)
- <Possible follow-ups>
- Re: RSI.0012.12-03-98.SOLARIS.MKCOOKIE Readwin, Neil (Dec 07)
- Exploitable buffer overflow in bootpd (most unices) Willem Pinckaers (Jun 24)
- Re: Exploitable buffer overflow in bootpd (most unices) Chris Evans (Dec 13)
- Triteal release updated CDE with security fixes Alan Cox (Dec 13)
- Wietse's Postfix (was VMailer) software release Wietse Venema (Dec 13)
- Re: RSI.0012.12-03-98.SOLARIS.MKCOOKIE Chris Wedgwood (Dec 10)
- FW: ISSalert: ISS Security Advisory: HP JetDirect TCP/IP problems Phear Me (Dec 11)
- Pine 4.05 patches GvS (Dec 12)
- Microsoft's Network Monitor - Buffer Overrun / Page Fault / mnemonix (Dec 12)
