Microsoft Network Monitor Multiple Buffer Overflow Vulnerabilities
BID:1882
Info
| Bugtraq ID: | 1882 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 01 2000 12:00AM |
| Updated: | Nov 01 2000 12:00AM |
| Credit: | This vulnerability was first reported in an advisory posted to Bugtraq on November 1, 2000 by COVERT Labs (http://www.pgp.com/). Additional credit to the ISS X-force (http://xforce.iss.net/). |
| Vulnerable: | see list below |

Vulnerable products:
- Microsoft Windows NT Terminal Server 4.0 and SP1, SP2, SP3, SP4, SP5, SP6
- Microsoft Windows NT Server 4.0 and SP1, SP2, SP3, SP4, SP5, SP6, SP6a
- Microsoft Windows NT Enterprise Server 4.0 and SP1, SP2, SP3, SP4, SP5, SP6, SP6a
- Microsoft Windows 2000 Server and SP1
- Microsoft Windows 2000 Advanced Server and SP1
- Microsoft Systems Management Server 2.0 and SP1
- Microsoft Systems Management Server 1.2 and SP1, SP2, SP3, SP4
| Not Vulnerable: | |
Discussion
The Network Monitor tool that ships with Windows NT/2000 allows an administrator to capture and analyze all network traffic on the local network as well as traffic destined for the host. Netmon captures this traffic, parses the information received from the network, and translates it into a readable format for display in the graphical user interface.
Separate DLL libraries within Netmon parse the individual application protocols. One of these libraries, "browser.dll", is vulnerable. By exploiting multiple stack overflows in various function calls within the vulnerable DLLs, a remote attacker could gain control of Network Monitor, execute arbitrary code, and gain control of the victim host.
Exploit / POC
This exploit has been taken directly from the COVERT Labs advisory (Full advisory in Credit Section).
The following examples illustrate specific problems identified by COVERT Labs research.
1) If a CIFS Browse Frame is delivered to UDP port 138, the function FormatBrowserSummary() is called within 'browser.dll'. One specific CIFS Browse Frame, "Become Backup", includes the name of the Browse Server to be promoted. This information is extracted from the UDP datagram for inclusion in the single line summary.
The Browser Server name is passed to the WIN32 API function call OemToChar(), which translates a string from the OEM-defined character set into either an ANSI or a wide-character string. The OemToChar() function stops converting characters when it encounters a null character. The vulnerable FormatBrowserSummary() function in 'browser.dll' calls OemToChar(), converting the server name into a 255-byte character buffer on the stack. Because OemToChar() provides no bounds checking, the stack can be overrun with arbitrary values.
2) If an SNMP request is received on UDP port 161, 'snmp.dll' is called. The community name of the SNMP request is extracted from the datagram for the protocol specific summary. The SNMP community name is copied into a stack buffer by 'snmp.dll' using the WIN32 function wsprintfA(). Because this function call does not provide adequate bounds checking, the stack may be overwritten.
3) If an SMB session is received on TCP port 139, 'smb.dll' is called. This parser contains two vulnerabilities. If an SMB session with a long username or a long filename for a type C transaction is received, Network Monitor will overwrite its stack frame via an unchecked wsprintfA() call in a manner similar to the vulnerability described in the SNMP parser.
Extracting control of the instruction pointer for each of these vulnerabilities can either be achieved by overwriting the return address and allowing the vulnerable functions to return or by overwriting the Structured Exception Handler callback pointer and then causing an invalid memory reference.
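The two checks a hardened version of the 'browser.dll' Become Backup summary formatter would need, as an added C example that is not the advisory's or Microsoft's code: the frame layout, the opcode value and the function names are assumptions made for the illustration, and the 255-byte buffer matches the size the advisory describes.

```c
#include <stdio.h>
#include <string.h>

/* 255 bytes, matching the stack summary buffer size the advisory describes. */
#define SUMMARY_LEN 255
/* Constructed layout for this example only (not the real CIFS browser frame):
 * byte 0 is an opcode, then the server name as a NUL-terminated OEM string. */
#define OPCODE_BECOME_BACKUP 0x0B

/* Formats the one-line summary into out. Returns its length, or -1 when the
 * datagram is malformed or the line would not fit. Never writes past out_len. */
int format_browser_summary(const unsigned char *frame, size_t frame_len,
                           char *out, size_t out_len)
{
    if (frame_len < 2 || out_len == 0 || frame[0] != OPCODE_BECOME_BACKUP)
        return -1;
    /* Check 1: the name must be NUL-terminated inside the datagram; a converter
     * that stops only at NUL (as OemToChar does) would otherwise read past it. */
    const unsigned char *name = frame + 1;
    if (memchr(name, '\0', frame_len - 1) == NULL)
        return -1;
    /* Check 2: the line must fit the fixed buffer; snprintf reports the length
     * it wanted, so an over-long name is rejected instead of overrunning the stack. */
    int n = snprintf(out, out_len, "Become Backup: server %s", (const char *)name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Constructed sample datagrams: a well-formed one and one with no terminator. */
static const unsigned char FRAME_OK[] = { OPCODE_BECOME_BACKUP, 'S', 'R', 'V', '0', '1', '\0' };
static const unsigned char FRAME_UNTERMINATED[] = { OPCODE_BECOME_BACKUP, 'S', 'R', 'V' };

/* Runs the parser into a SUMMARY_LEN stack buffer, as the original code did. */
int check_frame(const unsigned char *frame, size_t frame_len)
{
    char summary[SUMMARY_LEN];
    return format_browser_summary(frame, frame_len, summary, sizeof summary);
}

/* Builds a datagram whose name is name_len 'A' bytes and parses it. */
int check_name_of_length(size_t name_len)
{
    unsigned char frame[1024];
    if (name_len + 2 > sizeof frame)
        return -1;
    frame[0] = OPCODE_BECOME_BACKUP;
    memset(frame + 1, 'A', name_len);
    frame[1 + name_len] = '\0';
    return check_frame(frame, name_len + 2);
}
```

A name of 232 bytes still fits the 255-byte line ("Become Backup: server " is 22 bytes), while 233 bytes is rejected rather than written past the buffer.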