Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

NetBIOS name encoding

From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:19:36 -0600
Hi,

While investigating the safety of UDP payloads this morning I found that
the NetBIOS name resolution service uses the same message format as DNS.
RFC 1002, section 4.1 says

        The NetBIOS name representation in all NetBIOS packets (for
        NAME, SESSION, and DATAGRAM services) is defined in the Domain
        Name Service RFC 883 as "compressed" name messages.

The "compressed" is what interests me, because DNS name decompression
has already been the source of two bugs in NSE.

Fix for stack overflow in dns.lua
http://seclists.org/nmap-dev/2008/q4/0526.html
Stack overflow in dns-zone-transfer.nse
http://seclists.org/nmap-dev/2009/q1/0317.html

I tried exploiting nbstat.exe in Windows XP with an Ncat server sending
malformed messages, but I couldn't get a hang or anything. So I'm asking
mainly of Ron Bowes but also of anyone else who might know: Does NetBIOS
really support name compression, and is it used in practice? If so,
there are probably implementations suceptible to this flaw.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: