Title: Windows NetBIOS Unsolicited Cache Corruption
Released by: Covert Labs
Date: 29th August 2000

                     Network Associates, Inc.

                  COVERT Labs Security Advisory

                        August 29, 2000

           Windows NetBIOS Unsolicited Cache Corruption


o Synopsis

The Microsoft Windows implementation of the NetBIOS cache allows a
remote attacker to insert and flush dynamic cache entries as well as
overwrite static entries through unsolicited unicast or broadcast UDP
datagrams. As a result, remote attackers either on the local subnet
or across the Internet may subvert the NetBIOS Name to IP address
resolution process by redirecting any NetBIOS Name to any arbitrary
IP address under the control of the attacker.

Note:  According to Microsoft, there will not be a patch released
for this vulnerability.  The resolution section of this advisory
lists several options for end users to minimize its impact.


o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000 are susceptible
to cache corruption.


o Vulnerability Overview

The NetBIOS Name resolution process resolves NetBIOS Names into IP
addresses for many operations, including session establishment.
RFC 1001 (15.1.8) suggests that "an end-node may maintain a local
cache of NetBIOS name to IP address translation entries".  This
NetBIOS cache is examined before queries are passed to support
services.  The current contents can be examined via "nbtstat -c".

The CIFS family of protocols includes a browsing protocol that allows
for the dynamic discovery of servers running particular services.
The CIFS Browsing protocol supplies a dynamically generated Browse
List of network resources.  The Network Neighborhood in Windows NT
4 and My Network Places in Windows 2000 provide a basic interface
to some of the information provided in a Browse List.

Interactions between Microsoft's implementation of NetBIOS and the
CIFS Browsing Protocols have created vulnerabilities allowing a
remote attacker either on a local subnet or across the Internet to
subvert the NetBIOS Name resolution process.


o Vulnerability Information

The Microsoft-designed CIFS Browser Protocol defines a number of
Browse Frames encapsulated within a NetBIOS datagram, which is
defined in RFC 1002 (4.4). The NetBIOS datagram header contains a
source and destination NetBIOS name, as well as a second source IP
address, in addition to the IP headers.

When a Browse Frame Request is received on UDP port 138, Microsoft's
implementation extracts information from the NetBIOS datagram header
and stores the information in the NetBIOS cache.  The source NetBIOS
Name and source IP address from the NetBIOS datagram header are
blindly extracted from the UDP datagram and inserted into the NetBIOS

As an interesting side note, when a Browse Frame Response is
generated, the NetBIOS cache is examined to resolve the source NetBIOS
name of the previous request, and the response is delivered to that
IP address.  Because the NetBIOS cache entry for the source NetBIOS
name is under the control of the attacker, the response can be
delivered to an arbitrary host.

It is important to note that dynamic NetBIOS cache entries can be
inserted in addition to overwriting static entries imported from the
LMHOSTS file.  Furthermore, the NetBIOS cache is corrupted with an
unsolicited UDP datagram, removing the requirement for attackers to
predict Transaction IDs.  With the NetBIOS cache under the control
of a remote attacker many opportunities are available; one of the
most obvious is to subvert outbound SMB connections to an arbitrary
address.  A rogue SMB server would then be able to capture NT
username and password hashes as presented.

In addition to inserting entries into the NetBIOS cache it is also
possible to flush dynamic entries.  RFC 1001 (15.1.8) states that
"a node ought to flush any cache information associated with an IP
address if the node receives any information indicating that there
may be any possibility of trouble with the node at that IP address".
One possible way to flush dynamic NetBIOS cache entries is to
deliver an unsolicited Positive Name Query response that maps the
NetBIOS name to a different IP address than the entry currently held
in the NetBIOS cache.

In a manner similar to DNS, the NetBIOS name resolution process
utilizes a 16-bit Transaction ID to associate requests and
responses.  The Microsoft implementation of NetBIOS contains an
easily predictable Transaction ID, although the previously discussed
vulnerability is a much more effective method of inserting entries
into the NetBIOS cache.
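
The two vectors described above (a UDP/138 datagram whose header
carries a source IP unrelated to the packet's real sender, and an
unsolicited UDP/137 Positive Name Query response) both leave a trace
a network monitor can look for.  The following Python is an added
example written for this page; it is not code from COVERT Labs or
from the advisory.  It builds constructed packets using the field
layouts of RFC 1001 (14.1) and RFC 1002 (4.2.12, 4.2.13, 4.4) that
the advisory cites, then (1) flags a datagram whose embedded
SOURCE_IP disagrees with the IP-layer source and (2) pairs name
query requests and responses by NAME_TRN_ID so that a response
nobody asked for stands out.  The host names, addresses and name
suffixes are constructed sample values.

```python
"""Passive checks for the two NetBIOS cache-poisoning vectors in the advisory:
a UDP/138 datagram whose RFC 1002 4.4 header SOURCE_IP disagrees with the IP
layer, and an unsolicited UDP/137 positive NAME QUERY RESPONSE that pairs with
no outstanding request (RFC 1002 4.2.12/4.2.13). All bytes are constructed."""
from __future__ import annotations
import socket
import struct

# MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT, DGM_LENGTH, PACKET_OFFSET
NBDGM_HDR = struct.Struct("!BBHIHHH")
# NAME_TRN_ID, R|OPCODE|NM_FLAGS|RCODE, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
NBNS_HDR = struct.Struct("!HHHHHH")
DIRECT_UNIQUE, DIRECT_GROUP, BROADCAST = 0x10, 0x11, 0x12

def encode_name(name: str, suffix: int) -> bytes:
    """RFC 1001 14.1 first-level encoding: 15 padded bytes + suffix byte, each
    nibble mapped to 'A'..'P', wrapped as a single 32-byte label."""
    raw = name.upper().encode("ascii").ljust(15) + bytes([suffix])
    nibbles = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))
    return bytes([0x20]) + nibbles + b"\x00"

def decode_name(buf: bytes) -> tuple[str, int]:
    """Inverse of encode_name(); returns (name, suffix)."""
    if len(buf) < 34 or buf[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((buf[1 + 2 * i] - 0x41) << 4) | (buf[2 + 2 * i] - 0x41) for i in range(16))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_datagram(src_ip: str, src_name: str, dst_name: str, user_data: bytes = b"") -> bytes:
    """Constructed DIRECT_UNIQUE datagram (the kind a browse frame rides in);
    the name suffixes 0x00 and 0x1D are illustrative sample values."""
    names = encode_name(src_name, 0x00) + encode_name(dst_name, 0x1D)
    ip = int.from_bytes(socket.inet_aton(src_ip), "big")
    hdr = NBDGM_HDR.pack(DIRECT_UNIQUE, 0x02, 1, ip, 138, len(names) + len(user_data), 0)
    return hdr + names + user_data

def check_datagram(ip_src: str, payload: bytes) -> list[str]:
    """Flag a UDP/138 datagram whose embedded SOURCE_IP differs from the IP
    header: the embedded address is what the advisory says gets cached."""
    msg_type, _f, _id, src_ip, _port, _len, _off = NBDGM_HDR.unpack_from(payload)
    if msg_type not in (DIRECT_UNIQUE, DIRECT_GROUP, BROADCAST):
        return []  # only these message types carry source/destination names
    hdr_ip = socket.inet_ntoa(src_ip.to_bytes(4, "big"))
    src_name, _suffix = decode_name(payload[NBDGM_HDR.size:NBDGM_HDR.size + 34])
    if hdr_ip != ip_src:
        return [f"UDP/138 from {ip_src}: header SOURCE_IP {hdr_ip} claims name {src_name!r}"]
    return []

def build_name_query(trn_id: int, name: str) -> bytes:
    """Constructed NAME QUERY REQUEST; flags 0x0110 = RD + B (B-node broadcast)."""
    question = encode_name(name, 0x20) + struct.pack("!HH", 0x0020, 0x0001)
    return NBNS_HDR.pack(trn_id, 0x0110, 1, 0, 0, 0) + question

def build_positive_response(trn_id: int, name: str, ip: str) -> bytes:
    """Constructed POSITIVE NAME QUERY RESPONSE; flags 0x8500 = R + AA + RD,
    one NB record whose RDATA is NB_FLAGS (unique, B-node) + NB_ADDRESS."""
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)
    rr = encode_name(name, 0x20) + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return NBNS_HDR.pack(trn_id, 0x8500, 0, 1, 0, 0) + rr

class NameServiceMonitor:
    """Remember outstanding queries by NAME_TRN_ID; a positive response that
    pairs with none is the unsolicited flush/redirect the advisory describes."""
    def __init__(self) -> None:
        self.pending: dict[int, str] = {}

    def observe(self, ip_src: str, payload: bytes) -> list[str]:
        trn_id, flags, *_ = NBNS_HDR.unpack_from(payload)
        if (flags >> 11) & 0xF != 0:  # OPCODE other than QUERY: not relevant here
            return []
        name, _suffix = decode_name(payload[NBNS_HDR.size:NBNS_HDR.size + 34])
        if not flags & 0x8000:  # R bit clear: a request, remember it
            self.pending[trn_id] = name
            return []
        if self.pending.pop(trn_id, None) is None:
            return [f"UDP/137 from {ip_src}: unsolicited response maps {name!r} (trn_id {trn_id:#06x})"]
        return []

def demo() -> list[str]:
    """Run both checks over constructed traffic and return the findings."""
    findings: list[str] = []
    # Benign: WORKSTATION1 announces itself and the embedded address agrees.
    findings += check_datagram("192.168.1.10", build_datagram("192.168.1.10", "WORKSTATION1", "WORKGROUP"))
    # Suspicious: a packet from 10.0.0.5 claims FILESERVER lives at 192.168.1.200.
    findings += check_datagram("10.0.0.5", build_datagram("192.168.1.200", "FILESERVER", "WORKGROUP"))
    mon = NameServiceMonitor()
    findings += mon.observe("192.168.1.10", build_name_query(0x1234, "FILESERVER"))
    findings += mon.observe("192.168.1.20", build_positive_response(0x1234, "FILESERVER", "192.168.1.20"))
    # Nobody asked with trn_id 0x1235, so this response is unsolicited.
    findings += mon.observe("10.0.0.5", build_positive_response(0x1235, "FILESERVER", "10.0.0.5"))
    return findings
```

Both checks are heuristics.  A multihomed host or a NAT device can
legitimately produce a SOURCE_IP that differs from the IP header, and
a monitor that sees only one direction of traffic will miss the
request half of a pair, so findings from either check are a prompt to
compare against "nbtstat -c" on the affected host rather than proof of
an attack.  Per the advisory, the cache update happens even when the
datagram is unsolicited, so the Transaction ID check matters only for
the name service (UDP/137) path.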


o Resolution

COVERT Labs have worked with Microsoft in accordance with Microsoft's
Security Policies in an attempt to provide customers with a patch to
eliminate this vulnerability.  Despite our best efforts and extensive
discussions, Microsoft believes that this issue is a result of the
unauthenticated nature of the NetBIOS protocol and will not be
providing a security patch.

To work around the NetBIOS cache corruption security vulnerability
there are a number of potential solutions. The most effective is to
upgrade to Windows 2000 and "Disable NetBIOS over TCP/IP". Obviously,
this is an impractical solution for many organizations.  Some other
potential solutions include:

 o Block ports 135-139 and 445, both UDP and TCP, at your network
   perimeter to protect from external attackers.

 o Because NetBIOS name resolution (either through broadcast or WINS)
   is subject to this cache corruption attack, it should not be
   relied upon to perform hostname to IP address resolution.

 o Disable the "WINS Client" binding including the NetBIOS Interface,
   Server and Workstation services. It is important to disable all
   services that register a NetBIOS name, as shown by "nbtstat -n".
   Selectively unbinding the "NetBIOS Interface" or other specific
   services such as Server or Workstation will still allow attackers
   to talk to a NetBIOS name and corrupt the NetBIOS cache.

 o It is important to note that the Computer Browser Service is
   independent of Browse Frame processing and generation (at least
   within the bounds of this vulnerability). Disabling the service
   has no impact upon this vulnerability.


o Credits

The discovery and documentation of this vulnerability was conducted
by Anthony Osborne at the COVERT Labs of PGP Security.


o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@nai.com


o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective