Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
BID:1620
Info
Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
| Bugtraq ID: | 1620 |
| Class: | Design Error |
| CVE: |
CVE-2000-1079 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 29 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Discovered by Anthony Osborne and posted to Bugtraq on August 29, 2000 by COVERT Labs <[email protected]>. |
| Vulnerable: |
Microsoft Windows NT Workstation 4.0 SP6a Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT Workstation 4.0 SP5 Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Terminal Server 4.0 SP6 Microsoft Windows NT Terminal Server 4.0 SP5 Microsoft Windows NT Terminal Server 4.0 SP4 Microsoft Windows NT Terminal Server 4.0 SP3 Microsoft Windows NT Terminal Server 4.0 SP2 Microsoft Windows NT Terminal Server 4.0 SP1 Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT Server 4.0 SP6a Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP3 Microsoft Windows NT Server 4.0 SP2 Microsoft Windows NT Server 4.0 SP1 Microsoft Windows NT Server 4.0 Microsoft Windows NT Enterprise Server 4.0 SP6a Microsoft Windows NT Enterprise Server 4.0 SP6 Microsoft Windows NT Enterprise Server 4.0 SP5 Microsoft Windows NT Enterprise Server 4.0 SP4 Microsoft Windows NT Enterprise Server 4.0 SP3 Microsoft Windows NT Enterprise Server 4.0 SP2 Microsoft Windows NT Enterprise Server 4.0 SP1 Microsoft Windows NT Enterprise Server 4.0 Microsoft Windows NT 4.0 Microsoft Windows 98 Microsoft Windows 95 SR2 Microsoft Windows 95 Microsoft Windows 2000 Terminal Services Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
The implementation of the NetBIOS cache in Windows 95, 98, NT 4.0, and 2000 allows for remote insertion of dynamic cache entries and removal of both dynamic and static (from the LMHOSTS file) cache entries. This is due to the interaction between the implementation of the NetBIOS cache and the CIFS (Common Internet File System) Browser Protocol.
The CIFS Browsing Protocol generates a list of network resources and is used in services such as My Neighborhood or My Network Places. It also defines a number of Browse Frames encapsulated within a NetBIOS datagram. Information contained in a NetBIOS datagram is extracted and inserted into the NetBIOS cache when a Browse Frame request is received on UDP port 138. This information includes a source and destination NetBIOS name, second source IP address, and IP headers.
A remote malicious user can transmit unicast or broadcast UDP datagrams which can result in the redirection of NetBIOS name resolution to IP address resolution forwarding to an arbitrary IP address under their control. Once the cache is corrupted with a UDP datagram, it is no longer a prerequisite to predict Transaction IDs (which is reportedly an easily predictable 16-bit ID to begin with).
To flush a dynamic entry in the cache, one can send a Postive Name Query response that provides a different IP address to NetBIOS name mapping.
The implementation of the NetBIOS cache in Windows 95, 98, NT 4.0, and 2000 allows for remote insertion of dynamic cache entries and removal of both dynamic and static (from the LMHOSTS file) cache entries. This is due to the interaction between the implementation of the NetBIOS cache and the CIFS (Common Internet File System) Browser Protocol.
The CIFS Browsing Protocol generates a list of network resources and is used in services such as My Neighborhood or My Network Places. It also defines a number of Browse Frames encapsulated within a NetBIOS datagram. Information contained in a NetBIOS datagram is extracted and inserted into the NetBIOS cache when a Browse Frame request is received on UDP port 138. This information includes a source and destination NetBIOS name, second source IP address, and IP headers.
A remote malicious user can transmit unicast or broadcast UDP datagrams which can result in the redirection of NetBIOS name resolution to IP address resolution forwarding to an arbitrary IP address under their control. Once the cache is corrupted with a UDP datagram, it is no longer a prerequisite to predict Transaction IDs (which is reportedly an easily predictable 16-bit ID to begin with).
To flush a dynamic entry in the cache, one can send a Postive Name Query response that provides a different IP address to NetBIOS name mapping.
Exploit / POC
Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
Solution / Fix
Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
References:
References:
- NetBIOS Cache Corruption (CORE Security)