Bugtraq mailing list archives
[COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability
From: seclabs () NAI COM (COVERT Labs)
Date: Thu, 25 May 2000 19:20:36 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_____________________________________________________________________
Network Associates, Inc.
COVERT Labs Security Advisory
May 25, 2000
Microsoft Windows Computer Browser Reset
COVERT-2000-05
______________________________________________________________________
o Synopsis
The Microsoft Windows implementation of the Browser Protocol contains
an undocumented feature that provides for the remote shutdown of the
Computer Browser Service on a single computer or multiple computers.
RISK FACTOR: MEDIUM
______________________________________________________________________
o Vulnerable Systems
All versions of Microsoft Windows 95, 98, NT and 2000.
______________________________________________________________________
o Vulnerability Information
The publicly available CIFS Browser Protocol specification defines
a set of browse frames delivered on the network over UDP port 138.
One specific frame, however, remains undocumented: the
"ResetBrowser".
This browser frame is decoded by Microsoft's Network Monitor, and
generated by the resource kit utility "browstat.exe" using the
tickle option. Other CIFS implementations such as SAMBA also contain
references to the ResetBrowser frame.
While the entire CIFS Browser Protocol is unauthenticated, allowing
many avenues of attack, the ResetBrowser frame presents a unique
opportunity. Creation of the browse frame allows three options:
o stop the browser from being a master
o reset the entire browser state
o shut down the browser
The ResetBrowser has the potential to either shut down the Computer
Browser on a Windows host or to reset its state. This can provide
an opportunity for a denial of service attack or allow an attacker to
selectively shut down a specific browser (or a number of browsers)
as part of a larger attack on the name and service resolution
systems of a Windows domain.
Adding to the denial of service implications, the continual delivery
of this browse frame to a domain's NetBIOS name will reset the
Computer Browser Service on all hosts in the domain within broadcast
range. Accessing information from the Browse List through such
utilities as Network Neighborhood can be restricted if not denied
for a large number of hosts in an efficient manner.
The unauthenticated CIFS Browsing Protocol is UDP based, ensuring
that the ResetBrowser frame can be easily spoofed across routers.
______________________________________________________________________
o Resolution
Microsoft has released a patch for this vulnerability. The patch can
be found at:
Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397
Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21298
For more information, their security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
______________________________________________________________________
o Credits
The discovery and documentation of this vulnerability was conducted
by Anthony Osborne at the COVERT Labs of PGP Security, Inc.
______________________________________________________________________
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert () nai com
______________________________________________________________________
o Legal Notice
The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.
Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.
______________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>
iQA/AwUBOS3fdKF4LLqP1YESEQIlugCeImXCfvmFzK3Xx+biVLBIE3npsToAoJhH
z6vJhNWWaa+PQHOk7ZsJGTOz
=IXpr
-----END PGP SIGNATURE-----
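Added example, not part of the COVERT advisory: a detector that flags ResetBrowser frames among browse frames already extracted from UDP port 138 traffic, decodes which of the three options was requested, and reports destination names receiving repeated resets. The opcode 0x0E and the type bits are taken from Microsoft's later-published [MS-BRWS] specification, not from the advisory; the record layout, function names, threshold and sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Values from [MS-BRWS] (published after this advisory), not from the advisory text.
RESET_BROWSER_STATE = 0x0E  # browse-frame opcode for ResetBrowserState
RESET_FLAGS = {
    0x01: "stop being a master",         # RESET_STATE_STOP_MASTER
    0x02: "reset entire browser state",  # RESET_STATE_CLEAR_ALL
    0x04: "shut down the browser",       # RESET_STATE_STOP
}

def classify(frame: bytes):
    """Return the requested reset actions, or None if not a ResetBrowser frame."""
    if len(frame) < 2 or frame[0] != RESET_BROWSER_STATE:
        return None
    actions = [name for bit, name in RESET_FLAGS.items() if frame[1] & bit]
    return actions or ["unknown type 0x%02x" % frame[1]]

def find_resets(records, flood_threshold=3):
    """records: (timestamp, src_ip, dest_netbios_name, browse_frame_bytes).

    Returns (alerts, flooded_names). The source address is reported but must
    not be trusted: the advisory notes the UDP frame is easily spoofed.
    """
    alerts, per_dest = [], Counter()
    for ts, src, dest, frame in records:
        actions = classify(frame)
        if actions is None:
            continue
        per_dest[dest] += 1
        alerts.append((ts, src, dest, actions))
    flooded = sorted(d for d, n in per_dest.items() if n >= flood_threshold)
    return alerts, flooded

# Constructed sample records (hypothetical capture, documentation addresses).
SAMPLE = [
    (0.0, "192.0.2.10", "EXAMPLEDOM", b"\x01\x00" + b"\x00" * 8),  # other browse frame
    (1.0, "192.0.2.66", "EXAMPLEDOM", b"\x0e\x04"),
    (1.5, "192.0.2.66", "EXAMPLEDOM", b"\x0e\x04"),
    (2.0, "192.0.2.66", "EXAMPLEDOM", b"\x0e\x04"),
    (9.0, "192.0.2.20", "HOST7", b"\x0e\x01"),
]

if __name__ == "__main__":
    alerts, flooded = find_resets(SAMPLE)
    for ts, src, dest, actions in alerts:
        print(f"{ts:5.1f}s ResetBrowser -> {dest} (claimed src {src}): {', '.join(actions)}")
    print("names receiving repeated resets:", flooded)
```
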
