Bugtraq mailing list archives

Alert: Windows NT Browser Service DoS


From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Tue, 30 May 2000 16:57:40 +0100


Cerberus Information Security Advisory (CISADV000527)
http://www.cerberus-infosec.co.uk/advisories.html

Released         : 27th May 2000
Name             : Windows Browser Service DoS
Affected Systems : Windows NT 4
Issue            : Attackers can "lock" boxes and consume network bandwidth
Author           : David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has discovered a serious security flaw within the
Computer Browser Service on Windows NT 4 that can lead to a total network
failure due to bandwidth starvation.

Details
*******
On Windows NT 4 Workstation and Server the Computer Browser Service is
started by default. The service exists to help users of a network to be able
to locate resources. The design of the service allows for a "master browser"
which maintains a list of all of the NetBIOS based computers on the network.
This master browser feeds other computers marked as backup browsers with
this list. When a client makes a request for this list it is sent a copy of
it by a backup browser. One of the problems with the browser service is that
an attacker can spoof entries, swelling the size of the list to well over
50,000 hosts by firing off Host Announcements to the master browser. This
massive list is then passed on to the backup browsers and is further sent out
across the network for every client request for the list. The network is
soon bogged down. Because the service runs over UDP it is also possible to
attack a specific host by spoofing one's IP address and sending several
requests for the list. The browse list would then be sent to that host
several times.

Solution:
*********
Microsoft has provided a patch that eases this issue - more details
available from
http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
Cerberus advises customers using NT 4 to install the patch.

Vendor Status
*************
Microsoft were informed about this issue in the middle of last year and have
made a patch available from their website.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serve customers across the
world. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
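
Detection sketch for the list-swelling behaviour described under Details. This is an added example, not part of the Cerberus advisory or any Microsoft code. It assumes a sensor has already decoded browser host announcements into (time, source IP, announced name) records; the record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from the advisory
WINDOW = 60        # seconds
PER_SOURCE = 3     # distinct names one source may announce per window
SEGMENT_NEW = 20   # never-seen names allowed per window on the segment


def detect_announcement_flood(records):
    """records: time-ordered (epoch_seconds, source_ip, announced_name) tuples.
    Returns [(timestamp, kind, subject)], at most one alert per kind/subject."""
    by_source = defaultdict(deque)  # source_ip -> recent (ts, name) pairs
    new_names = deque()             # first-sighting times of new names
    seen, alerted, alerts = set(), set(), []

    def raise_once(ts, kind, subject):
        if (kind, subject) not in alerted:
            alerted.add((kind, subject))
            alerts.append((ts, kind, subject))

    for ts, src, name in records:
        name = name.strip().upper()  # NetBIOS names are case-insensitive
        q = by_source[src]
        q.append((ts, name))
        while q and q[0][0] <= ts - WINDOW:
            q.popleft()
        # A real host announces its own name; many names from one source is odd
        if len({n for _, n in q}) > PER_SOURCE:
            raise_once(ts, "source", src)
        # The service runs over UDP, so the source may be forged:
        # also watch how fast the browse list itself is growing.
        if name not in seen:
            seen.add(name)
            new_names.append(ts)
        while new_names and new_names[0] <= ts - WINDOW:
            new_names.popleft()
        if len(new_names) > SEGMENT_NEW:
            raise_once(ts, "segment", "*")
    return alerts


def constructed_sample():
    """Constructed records, not real traffic."""
    normal = [(t, f"10.0.0.{i}", f"WKSTN{i:02d}") for t in (0, 720) for i in range(1, 6)]
    one_src = [(100 + i, "10.0.0.66", f"GHOST{i:04d}") for i in range(10)]
    spoofed = [(200 + i, f"10.0.1.{i + 1}", f"PHANT{i:04d}") for i in range(30)]
    return sorted(normal + one_src + spoofed)
```

On the constructed sample the per-source rule fires for the single noisy sender, and the segment-wide rule fires for the burst spread across many source addresses, which the per-source rule alone would miss.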

