From seclabs@nai.com Wed Jul 12 23:43:09 2000
From: COVERT Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 25 May 2000 19:20:36 -0700
Subject: [COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability

_____________________________________________________________________

                      Network Associates, Inc.
                    COVERT Labs Security Advisory
                            May 25, 2000

              Microsoft Windows Computer Browser Reset

                           COVERT-2000-05
______________________________________________________________________

o Synopsis

The Microsoft Windows implementation of the Browser Protocol contains an undocumented feature that provides for the remote shutdown of the Computer Browser Service on a single computer or on multiple computers.

RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000.
______________________________________________________________________

o Vulnerability Information

The publicly available CIFS Browser Protocol specification defines a set of browse frames delivered on the network over UDP port 138. One specific frame, however, remains undocumented: the "ResetBrowser". This browser frame is decoded by Microsoft's Network Monitor and generated by the Resource Kit utility "browstat.exe" using the tickle option. Other CIFS implementations such as SAMBA also contain references to the ResetBrowser frame. While the entire CIFS Browser Protocol is unauthenticated, allowing many avenues of attack, the ResetBrowser frame presents a unique opportunity.
Creation of the browse frame allows three options:

o stop the browser from being a master
o reset the entire browser state
o shut down the browser

The ResetBrowser frame can therefore either shut down the Computer Browser on a Windows host or reset its state. This provides an opportunity for a denial of service attack, or allows an attacker to selectively shut down a specific browser (or a number of browsers) as part of a larger attack on the name and service resolution systems of a Windows domain.

Adding to the denial of service implications, continual delivery of this browse frame to a domain's NetBIOS name will reset the Computer Browser Service on all hosts in the domain within broadcast range. Access to the Browse List through utilities such as Network Neighborhood can thus be restricted, if not denied outright, for a large number of hosts with little effort.

The unauthenticated CIFS Browsing Protocol is UDP based, so the ResetBrowser frame can easily be spoofed across routers.
______________________________________________________________________

o Resolution

Microsoft has released a patch for this vulnerability. The patch can be found at:

Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397

Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21298

For more information, Microsoft's security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
______________________________________________________________________

o Credits

The discovery and documentation of this vulnerability were conducted by Anthony Osborne at the COVERT Labs of PGP Security, Inc.
______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our website at http://www.nai.com/covert or send e-mail to covert@nai.com.
______________________________________________________________________

o Legal Notice

The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.

Network Associates and PGP are registered trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
______________________________________________________________________