From CST@CERBERUS-INFOSEC.CO.UK Wed Jul 12 23:56:48 2000
From: Cerberus Security Team
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 30 May 2000 16:57:40 +0100
Subject: Alert: Windows NT Browser Service DoS

Cerberus Information Security Advisory (CISADV000527)
http://www.cerberus-infosec.co.uk/advisories.html

Released         : 27th May 2000
Name             : Windows Browser Service DoS
Affected Systems : Windows NT 4
Issue            : Attackers can "lock" boxes and consume network bandwidth
Author           : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********
The Cerberus Security Team has discovered a serious security flaw within the
Computer Browser Service on Windows NT 4 that can lead to a total network
failure due to bandwidth starvation.

Details
*******
On Windows NT 4 Workstation and Server the Computer Browser Service is
started by default. The service exists to help users of a network locate
resources. The design of the service allows for a "master browser" which
maintains a list of all of the NetBIOS based computers on the network. This
master browser feeds other computers marked as backup browsers with this
list. When a client makes a request for this list it is sent a copy of it by
a backup browser.

One of the problems with the browser service is that an attacker can spoof
entries, swelling the size of the list to well over 50,000 hosts by firing
off Host Announcements to the master browser. This massive list is then
passed on to the backup browsers and is further sent out across the network
for every client request for the list. The network is soon bogged down.

Because the service runs over UDP it is also possible to attack a specific
host by spoofing one's IP address and sending several requests for the list.
The browse list would then be sent to that host several times.

Solution:
*********
Microsoft has provided a patch that eases this issue - more details available
from http://www.microsoft.com/technet/security/bulletin/ms00-036.asp

Cerberus advises customers using NT 4 to install the patch.

Vendor Status
*************
Microsoft were informed about this issue in the middle of last year and have
made a patch available from their website.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities, leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole, ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering such
security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serve customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
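
The browse-list swelling described under Details can be watched for by a network sensor. The following Python detector is an added example, not part of the Cerberus advisory: it flags one source announcing many names and, for the case where the source address changes per packet, a network-wide burst of never-before-seen names. The record format, thresholds and sample data are assumptions, and it presumes each legitimate host announces only its own name.

```python
from collections import defaultdict, deque

WINDOW = 60          # seconds; assumed tuning value
PER_SOURCE_MAX = 5   # distinct names one MAC may announce per window (assumed)
NEW_NAMES_MAX = 20   # never-before-seen names per window, network-wide (assumed)

def sample():
    """Constructed records '<epoch> <src_mac> <announced_name>', not captured traffic."""
    # Three ordinary workstations re-announcing their own names.
    rows = [f"{1000 + i * 10} 00:10:4b:00:00:0{i % 3 + 1} WKSTN{i % 3 + 1}" for i in range(6)]
    # One source announcing eight different names within eight seconds.
    rows += [f"{1100 + i} 00:de:ad:00:00:01 FAKE{i:04d}" for i in range(8)]
    # Twenty-five new names, each from a different source address.
    rows += [f"{1200 + i} 02:00:00:00:00:{i:02x} RAND{i:04d}" for i in range(25)]
    return rows

def detect(lines):
    """Return (timestamp, kind, detail) alerts for time-ordered announcement records."""
    per_mac = defaultdict(deque)   # mac -> (ts, name) pairs still inside the window
    first_seen = deque()           # timestamps at which a new name entered the list
    known, alerted, alerts = set(), set(), []
    for line in lines:
        ts, mac, name = line.split()
        ts, mac, name = int(ts), mac.lower(), name.upper()
        q = per_mac[mac]
        q.append((ts, name))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()
        # Check 1: a single source claiming to be many different computers.
        if len({n for _, n in q}) > PER_SOURCE_MAX and mac not in alerted:
            alerted.add(mac)
            alerts.append((ts, "many-names-one-source", mac))
        if name not in known:
            known.add(name)
            first_seen.append(ts)
        while first_seen and first_seen[0] <= ts - WINDOW:
            first_seen.popleft()
        # Check 2: the browse list growing abnormally fast, whatever the source.
        if len(first_seen) > NEW_NAMES_MAX and "network" not in alerted:
            alerted.add("network")
            alerts.append((ts, "browse-list-growth", str(len(first_seen))))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample()):
        print(alert)
```
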