From seclabs@nai.com Sun Nov 5 19:04:07 2000
From: COVERT Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 1 Nov 2000 18:35:26 -0800
Subject: [BUGTRAQ] [COVERT-2000-11] Multiple Network Monitor Overflows

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

          Network Associates, Inc. COVERT Labs Security Advisory

                            November 1, 2000

                    Multiple Network Monitor Overflows

                              COVERT-2000-11
______________________________________________________________________

o Synopsis

  Multiple buffer overflows in the Windows NT Network Monitor allow a
  remote attacker to execute arbitrary code or deny administrators the
  ability to view capture files.

  This vulnerability has been assigned a CVE candidate number of
  CAN-2000-0885.

  RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems

  Network Monitor included with SMS 2.0 and 1.2.
  Network Monitor included with all versions of Windows NT/2000.
______________________________________________________________________

o Vulnerability Overview

  The Windows Network Monitor tool allows an administrator to capture
  network traffic destined to the local host or all traffic on a local
  network. Network Monitor is designed to capture network traffic before
  the information can be viewed in the graphical interface. Individual
  packets received from the network are parsed to provide a readable
  representation in the user interface. Each application level protocol
  is parsed by a separate dynamic link library within Network Monitor.
  One of the vulnerable libraries, 'browser.dll', is documented in the
  samples section of the Visual C++ documentation in the MSDN library.
  Multiple stack overflows in various function calls within Network
  Monitor's parsing libraries may allow remote attackers to gain control
  of the Network Monitor application and execute arbitrary code.
______________________________________________________________________

o Detailed Information

  When a captured session is viewed in Network Monitor's user interface,
  a single line summary of protocol specific data is displayed. Analysis
  of a selection of protocol specific libraries has identified a practice
  of utilizing insecure string handling functions, creating numerous
  remote vulnerabilities. The following examples illustrate specific
  problems identified by COVERT Labs research.

  1) If a CIFS Browse Frame is delivered to UDP port 138, the function
     FormatBrowserSummary() is called within 'browser.dll'. One specific
     CIFS Browse Frame, "Become Backup", includes the name of the Browse
     Server to be promoted. This information is extracted from the UDP
     datagram for inclusion in the single line summary.

     The Browse Server name is passed to the WIN32 API function call
     OemToChar(), which translates a string from the OEM-defined
     character set into either an ANSI or a wide-character string. The
     OemToChar() function stops converting characters when it encounters
     a null character.

     The vulnerable FormatBrowserSummary() function in 'browser.dll'
     calls OemToChar(), converting the server name into a 255 byte
     character buffer on the stack. Because OemToChar() provides no
     bounds checking, the stack can be overrun with arbitrary values.

  2) If an SNMP request is received on UDP port 161, 'snmp.dll' is
     called. The community name of the SNMP request is extracted from the
     datagram for the protocol specific summary. The SNMP community name
     is copied into a stack buffer by 'snmp.dll' using the WIN32 function
     wsprintfA(). Because this function call does not provide adequate
     bounds checking, the stack may be overwritten.

  3) If an SMB session is received on TCP port 139, 'smb.dll' is called.
     This parser contains two vulnerabilities. If an SMB session with a
     long username or a long filename for a type C transaction is
     received, Network Monitor will overwrite its stack frame via an
     unchecked wsprintfA() call, in a manner similar to the vulnerability
     described in the SNMP parser.

  Obtaining control of the instruction pointer for each of these
  vulnerabilities can be achieved either by overwriting the return
  address and allowing the vulnerable functions to return, or by
  overwriting the Structured Exception Handler callback pointer and then
  causing an invalid memory reference.
______________________________________________________________________

o Resolution

  After notification of these specific issues and further discussion of
  the security impact of coding practices in Network Monitor, Microsoft
  has completed a full audit of all parsers and has issued a patch to
  address the vulnerabilities found.

  Platform-specific patches can be obtained at one of the following
  addresses:

  Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise
  Edition:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487

  Microsoft Windows NT 4.0 Server, Terminal Server Edition:
  To be released shortly.

  Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485

  Microsoft Systems Management Server 1.2:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505

  Microsoft Systems Management Server 2.0:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514
______________________________________________________________________

o Credits

  Discovery and documentation of these vulnerabilities were conducted by
  Anthony Osborne and Barnaby Jack at the COVERT Labs of PGP Security.
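  The three cases in the Detailed Information section share one defect: a
  name taken from a datagram is written into a fixed-size stack buffer by a
  call (OemToChar(), wsprintfA()) that never compares the name's length
  against the buffer. The following C program is an added example, not
  Network Monitor or Microsoft code, and does not touch the Win32 API; it
  models a summary formatter like the one described for 'browser.dll' and
  shows the two checks the parsers lacked: the name length is bounded by the
  datagram length (never read past the packet), and the copy is refused when
  prefix, name and terminator would not fit in the buffer. The datagram
  layout (one opcode byte followed by a NUL-terminated name) and the opcode
  value are constructed for the example and are not the real CIFS format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from Network Monitor or Microsoft. The frame
 * layout and opcode below are constructed for illustration only. */

#define SUMMARY_LEN 255          /* buffer size the advisory gives for browser.dll */
#define OP_BECOME_BACKUP 0x0b    /* constructed opcode, not the real CIFS value */

typedef struct {
    const uint8_t *data;
    size_t len;
} datagram;

/* Length of the name starting at data[off], bounded by the datagram length
 * so the parser never reads beyond the packet, NUL-terminated or not. */
static size_t bounded_name_len(const datagram *d, size_t off)
{
    if (off >= d->len)
        return 0;
    const uint8_t *nul = memchr(d->data + off, '\0', d->len - off);
    return nul ? (size_t)(nul - (d->data + off)) : d->len - off;
}

/* Writes prefix + name + '\0' into out only if all of it fits. Returns the
 * number of characters written, or -1 when the summary would overrun out,
 * which is the condition the vulnerable parsers never tested. */
int format_summary(const char *prefix, const uint8_t *name, size_t name_len,
                   char *out, size_t out_len)
{
    size_t plen = strlen(prefix);
    if (plen >= out_len || name_len >= out_len - plen)
        return -1;                          /* prefix + name + NUL > out_len */
    memcpy(out, prefix, plen);
    memcpy(out + plen, name, name_len);
    out[plen + name_len] = '\0';
    return (int)(plen + name_len);
}

/* Summary line for a "Become Backup" frame. On rejection out is left as an
 * empty string and the caller displays the frame as unparsed. The same
 * formatter serves a community-name summary for the SNMP case. */
int browser_summary(const datagram *d, char out[SUMMARY_LEN])
{
    out[0] = '\0';
    if (d->len < 1 || d->data[0] != OP_BECOME_BACKUP)
        return -1;
    size_t n = bounded_name_len(d, 1);
    return format_summary("Become Backup: ", d->data + 1, n, out, SUMMARY_LEN);
}

/* Constructed well-formed frame; the byte after the NUL must not be copied. */
int check_well_formed(void)
{
    static const uint8_t ok[] = { OP_BECOME_BACKUP,
                                  'S','E','R','V','E','R','0','1', '\0', 'X' };
    datagram d = { ok, sizeof ok };
    char line[SUMMARY_LEN];
    int r = browser_summary(&d, line);
    return (r == 23 && strcmp(line, "Become Backup: SERVER01") == 0) ? r : -2;
}

/* Constructed frame carrying a name of n 'A' bytes with no terminator, so
 * the name runs to the end of the datagram; returns the formatter's result. */
int check_name_len(size_t n)
{
    uint8_t buf[1 + 512];
    if (n > 512)
        n = 512;
    buf[0] = OP_BECOME_BACKUP;
    memset(buf + 1, 'A', n);
    datagram d = { buf, 1 + n };
    char line[SUMMARY_LEN];
    return browser_summary(&d, line);
}

int main(void)
{
    printf("well-formed frame: %d\n", check_well_formed());      /* 23 */
    printf("239-byte name:     %d\n", check_name_len(239));      /* 254, last that fits */
    printf("240-byte name:     %d\n", check_name_len(240));      /* -1, rejected */
    printf("300-byte name:     %d\n", check_name_len(300));      /* -1, rejected */
    return 0;
}
```

  Rejecting rather than silently truncating is a deliberate choice for a
  capture viewer: a name longer than any legitimate host name is itself
  worth flagging in the display, and truncation could hide the bytes an
  analyst most wants to see.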
______________________________________________________________________

o Contact Information

  For more information about the COVERT Labs at PGP Security, visit our
  website at http://www.pgp.com/covert or send e-mail to covert@pgp.com
______________________________________________________________________

o Legal Notice

  The information contained within this advisory is Copyright (C) 2000
  Networks Associates Technology Inc. It may be redistributed provided
  that no fee is charged for distribution and that the advisory is not
  modified in any way.

  Network Associates and PGP are registered Trademarks of Network
  Associates, Inc. and/or its affiliated companies in the United States
  and/or other Countries. All other registered and unregistered
  trademarks in this document are the sole property of their respective
  owners.
______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates

iQA/AwUBOgDPpADjeqNVcQB5EQKwnACfUpD17kixAwYEWD5Wgnyse7V71doAniZA
vq7TweXxBvkI/vsfXOiFYJRa
=25jp
-----END PGP SIGNATURE-----