
Title: Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor
Released by: ISS
Date: 1st November 2000

Internet Security Systems Security Advisory

November 1, 2000

Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network
Monitor

Internet Security Systems (ISS) X-Force has discovered a buffer overflow
vulnerability in Microsoft's Network Monitor utility. The vulnerability
allows code to be executed on the remote computer with the privilege
levels of the current user. Administrative privileges are required to
run Network Monitor.

Affected Versions:

- Microsoft Windows NT 4.0 Server, Terminal Server Edition, and
  Enterprise Edition.
- Windows 2000 Server, Advanced Server, and Datacenter Server
- Microsoft Systems Management Server versions 1.2 and 2.0


Network Monitor is a network administration tool installed as an option
with Microsoft Windows NT 4.0 and Windows 2000. Network Monitor allows
administrators to monitor network traffic. This vulnerability affects
both basic and full versions of Network Monitor. The basic version is
shipped with Windows NT 4.0 and Windows 2000 servers and allows an
administrator to gather data sent directly to his or her computer. The
full version of Network Monitor ships with Systems Management Server
(SMS), puts the network card into promiscuous mode, and can gather
data sent over an entire network segment.

The vulnerability is caused by a remotely exploitable buffer overflow
condition in one of Network Monitor's protocol parsers. A protocol
parser is a dynamic-link library (.dll) that identifies and analyzes
protocols that have been used to send data over the network. Information
about these protocols appears when captured data is displayed in Network
Monitor's Frame Viewer window.

Each protocol that Network Monitor supports has a corresponding parser.
When Network Monitor captures HTTP traffic, the HTTP parser interprets
the data for display. Network Monitor will crash or exit when malformed
data is captured and parsed. This buffer overflow allows a remote
attacker to gain privileged access and execute arbitrary code on any
computer running Network Monitor that displays this captured data.
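
The advisory does not say which parser or field is affected. As an added
illustration of this class of bug (not Network Monitor's code, and not from
ISS or Microsoft), the C below contrasts a display routine that copies a
captured line into a fixed buffer with a bounded version. DISPLAY_MAX, both
function names and the sample frame are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX 64 /* assumed size of the viewer's per-line text buffer */

/* Unsafe pattern, for contrast only: the copy length is chosen by whoever
 * sent the frame, not by the size of out. Not called anywhere below. */
void format_line_unsafe(char out[DISPLAY_MAX], const unsigned char *frame,
                        size_t frame_len)
{
    size_t i = 0;
    while (i < frame_len && frame[i] != '\r') {
        out[i] = (char)frame[i]; /* writes past out when the line is long */
        i++;
    }
    out[i] = '\0';
}

/* Hardened form: bounded by the frame length and by out_size, with
 * non-printable bytes masked. Returns the characters written (without the
 * NUL) and sets *truncated when the captured line did not fit. */
size_t format_line_safe(char *out, size_t out_size, const unsigned char *frame,
                        size_t frame_len, int *truncated)
{
    size_t i = 0, n = 0;
    *truncated = 0;
    if (out_size == 0) { *truncated = 1; return 0; }
    while (i < frame_len && frame[i] != '\r' && frame[i] != '\n') {
        if (n + 1 >= out_size) { *truncated = 1; break; }
        unsigned char c = frame[i++];
        out[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: a 300-byte "line" with no terminator. */
    unsigned char frame[300];
    char out[DISPLAY_MAX];
    int truncated;
    memset(frame, 'A', sizeof frame);
    size_t n = format_line_safe(out, sizeof out, frame, sizeof frame, &truncated);
    printf("%zu chars shown, truncated=%d\n", n, truncated);
    return 0;
}
```

A parser that reports truncation instead of copying past its buffer lets the
viewer flag the oversized frame for the analyst rather than crash on it.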


Microsoft recommends that customers apply the following patches:

Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise



Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:


Microsoft Systems Management Server 1.2:


Microsoft Systems Management Server 2.0:


For more information on this vulnerability, please refer to the
Microsoft Security Bulletin at:


Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0817 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

The ISS SAFEsuite assessment software, Internet Scanner, will be updated
to detect this vulnerability in an upcoming X-Press Update.


This vulnerability was discovered and researched by Justine Bone of the
ISS X-Force. Internet Security Systems would like to thank Microsoft for
their response and handling of this vulnerability.

About Internet Security Systems (ISS)

Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global
provider of security management solutions for the Internet. By combining
best of breed products, security management services, aggressive
research and development, and comprehensive educational and consulting
services, ISS is the trusted security advisor for thousands of
organizations around the world looking to protect their mission critical
information and networks.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.


The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
(xforce@iss.net) of Internet Security Systems,


