Title: Multiple Network Monitor Overflows
Released by: Covert Labs
Date: 1st November 2000

                     Network Associates, Inc.

                  COVERT Labs Security Advisory

                        November 1, 2000

               Multiple Network Monitor Overflows



o Synopsis

Multiple buffer overflows in the Windows NT Network Monitor allow a remote attacker to execute arbitrary code or deny administrators the ability to view capture files. This vulnerability has been assigned a CVE candidate number of CAN-2000-0885.



o Vulnerable Systems

Network Monitor included with SMS 2.0 and 1.2.
Network Monitor included with all versions of Windows NT/2000.


o Vulnerability Overview

The Windows Network Monitor tool allows an administrator to capture network traffic destined for the local host or all traffic on a local network. Network Monitor is designed to capture network traffic before the information can be viewed in the graphical interface. Individual packets received from the network are parsed to provide a readable representation in the user interface. Each application level protocol is parsed by a separate dynamic link library within Network Monitor. One of the vulnerable libraries, 'browser.dll', is documented in the samples section of the Visual C++ documentation in the MSDN library.

Multiple stack overflows in various function calls within Network Monitor's parsing libraries may allow remote attackers to gain control of the Network Monitor application and execute arbitrary



o Detailed Information

When a captured session is viewed in Network Monitor's user interface, a single line summary of protocol specific data is displayed. Analysis of a selection of protocol specific libraries has identified a practice of utilizing insecure string handling functions, creating numerous remote vulnerabilities. The following examples illustrate specific problems identified by COVERT Labs:


1)  If a CIFS Browse Frame is delivered to UDP port 138, the function FormatBrowserSummary() is called within 'browser.dll'. One specific CIFS Browse Frame, "Become Backup", includes the name of the Browse Server to be promoted. This information is extracted from the UDP datagram for inclusion in the single line summary.

The Browse Server name is passed to the WIN32 API function call OemToChar(), which translates a string from the OEM-defined character set into either an ANSI or a wide-character string. The OemToChar() function stops converting characters when it encounters a null character. The vulnerable FormatBrowserSummary() function in 'browser.dll' calls OemToChar(), converting the server name into a 255 byte character buffer on the stack. Because OemToChar() provides no bounds checking, the stack can be overrun with arbitrary values.

2)  If an SNMP request is received on UDP port 161, 'snmp.dll' is called. The community name of the SNMP request is extracted from the datagram for the protocol specific summary. The SNMP community name is copied into a stack buffer by 'snmp.dll' using the WIN32 function wsprintfA(). Because this function call does not provide adequate bounds checking, the stack may be overwritten.

3)  If an SMB session is received on TCP port 139, 'smb.dll' is called. This parser contains two vulnerabilities. If an SMB session with a long username or a long filename for a type C transaction is received, Network Monitor will overwrite its stack frame via an unchecked wsprintfA() call, in a manner similar to the vulnerability described in the SNMP parser.
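As an added illustration (not code from the advisory, Microsoft or Network Monitor), the following C sketch shows the bounded alternative to the patterns in items 1 to 3: the name field is extracted with a length limited to the bytes actually received rather than scanned until a NUL, and the one-line summary is formatted with snprintf() into a sized buffer. The frame layout and the 0x0B opcode are assumptions, not the real on-the-wire CIFS encoding.

```c
#include <stdio.h>
#include <string.h>
#define NAME_MAX 255  /* the 255-byte stack buffer from item 1 */

/* Copy a NUL-terminated field out of a datagram without trusting the packet
 * to supply the terminator: memchr() stops at the bytes actually received,
 * unlike an OemToChar()-style scan. Returns length, or -1 on rejection. */
static int extract_cstring(const unsigned char *pkt, size_t pkt_len,
                           size_t off, char *dst, size_t dst_len)
{
    if (off >= pkt_len || dst_len == 0) return -1;
    const unsigned char *nul = memchr(pkt + off, 0, pkt_len - off);
    if (nul == NULL) return -1;                 /* no terminator in datagram */
    size_t n = (size_t)(nul - (pkt + off));
    if (n >= dst_len) return -1;                /* would overflow dst */
    memcpy(dst, pkt + off, n);
    dst[n] = '\0';
    return (int)n;
}

/* Summarise a "Become Backup" frame. Constructed layout, not the real
 * CIFS encoding: one opcode byte (0x0B assumed) then the server name.
 * Returns 1 if the full summary was written, 0 if rejected or truncated. */
int format_browser_summary(const unsigned char *pkt, size_t pkt_len,
                           char *out, size_t out_len)
{
    char name[NAME_MAX + 1];
    if (pkt_len < 1 || pkt[0] != 0x0B) return 0;
    if (extract_cstring(pkt, pkt_len, 1, name, sizeof name) < 0) return 0;
    /* snprintf() takes the destination size that wsprintfA() lacks; a
     * result >= out_len means truncation, never an overwritten frame. */
    int w = snprintf(out, out_len, "Become Backup: %s", name);
    return w >= 0 && (size_t)w < out_len;
}
/* Constructed samples: a benign frame, and one whose 300-byte name has
 * no terminator anywhere in the datagram. */
int demo_benign(void)
{
    static const unsigned char pkt[] = { 0x0B, 'S', 'R', 'V', '1', 0 };
    char out[64];
    return format_browser_summary(pkt, sizeof pkt, out, sizeof out)
        && strcmp(out, "Become Backup: SRV1") == 0;
}
int demo_unterminated(void)
{
    unsigned char pkt[301]; char out[64];
    pkt[0] = 0x0B;
    memset(pkt + 1, 'A', 300);
    return format_browser_summary(pkt, sizeof pkt, out, sizeof out);
}
```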

Control of the instruction pointer for each of these vulnerabilities can be obtained either by overwriting the return address and allowing the vulnerable function to return, or by overwriting the Structured Exception Handler callback pointer and then causing an invalid memory reference.


o Resolution

After notification of these specific issues and further discussion of the security impact of coding practices in Network Monitor, Microsoft has completed a full audit of all parsers and has issued a patch to address the vulnerabilities found. Platform-specific patches can be obtained at one of the following addresses:

Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise

Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.

Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:

Microsoft Systems Management Server 1.2:

Microsoft Systems Management Server 2.0:

o Credits

Discovery and documentation of these vulnerabilities were conducted by Anthony Osborne and Barnaby Jack at the COVERT Labs of PGP



o Contact Information

For more information about the COVERT Labs at PGP Security, visit our website at http://www.pgp.com/covert or send e-mail to covert@pgp.com


o Legal Notice

The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.

Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective

