Re: NetBIOS name encoding

[Ron <ron () skullsecurity net>]

David Fifield wrote:
> Hi,
>
> While investigating the safety of UDP payloads this morning I found that
> the NetBIOS name resolution service uses the same message format as DNS.
> RFC 1002, section 4.1 says
>
>       The NetBIOS name representation in all NetBIOS packets (for
>       NAME, SESSION, and DATAGRAM services) is defined in the Domain
>       Name Service RFC 883 as "compressed" name messages.
>
> The "compressed" is what interests me, because DNS name decompression
> has already been the source of two bugs in NSE.
>
> Fix for stack overflow in dns.lua
> http://seclists.org/nmap-dev/2008/q4/0526.html
> Stack overflow in dns-zone-transfer.nse
> http://seclists.org/nmap-dev/2009/q1/0317.html
>
> I tried exploiting nbstat.exe in Windows XP with an Ncat server sending
> malformed messages, but I couldn't get a hang or anything. So I'm asking
> mainly of Ron Bowes but also of anyone else who might know: Does NetBIOS
> really support name compression, and is it used in practice? If so,
> there are probably implementations suceptible to this flaw.
>
> David Fifield

While working on NetBIOS/SMB, I vaguely remember something along the
lines of, "if the first bit is 1, then instead of a string it's a 31-bit
integer indicating where to find the string". I honestly don't remember
where that was, though, and I can't seem to find it in my code.

Knowing how I code, I likely implemented it to take the string at he new
location, no matter what. I don't think it'd recurse in my
implementation. But it's possible that others might implement it
incorrectly.

Ron


-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org