Nmap Development mailing list archives
NetBIOS name encoding
From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:19:36 -0600
Hi,

While investigating the safety of UDP payloads this morning I found that the NetBIOS name resolution service uses the same message format as DNS. RFC 1002, section 4.1 says:

    The NetBIOS name representation in all NetBIOS packets (for NAME,
    SESSION, and DATAGRAM services) is defined in the Domain Name Service
    RFC 883 as "compressed" name messages.

The "compressed" is what interests me, because DNS name decompression has already been the source of two bugs in NSE.

Fix for stack overflow in dns.lua
http://seclists.org/nmap-dev/2008/q4/0526.html

Stack overflow in dns-zone-transfer.nse
http://seclists.org/nmap-dev/2009/q1/0317.html

I tried exploiting nbstat.exe in Windows XP with an Ncat server sending malformed messages, but I couldn't get a hang or anything. So I'm asking mainly of Ron Bowes but also of anyone else who might know: Does NetBIOS really support name compression, and is it used in practice? If so, there are probably implementations susceptible to this flaw.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
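The name format the message describes, as an added example that is not part of the original post or of Nmap's own code: an iterative decoder for the "compressed" DNS/NetBIOS name format that bounds pointer hops and only accepts pointers to earlier offsets, plus the RFC 1001 first-level encoding that turns a 16-byte NetBIOS name into a 32-character label. The header and the WORKGROUP message are constructed for this example.

```python
def decode_name(msg: bytes, offset: int, max_hops: int = 16):
    """Return (labels, offset_after_name); pointers are followed iteratively."""
    labels, hops, pos, end = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # pointer: 11xxxxxx
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end       # name ends at first pointer
            hops += 1                                   # hop limit + backwards-only
            if hops > max_hops or target >= pos:        # rule: no loop, no recursion
                raise ValueError("pointer loop or forward pointer")
            pos = target
            continue
        if length & 0xC0:                               # 01/10 prefixes unused
            raise ValueError("reserved label type")
        if length == 0:                                 # root label ends the name
            return labels, (pos + 1 if end is None else end)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        pos += 1 + length

def encode_netbios_name(name: bytes, suffix: int = 0x00) -> bytes:
    """RFC 1001 4.1 first-level encoding: 15 padded bytes + suffix, each nibble as a letter 'A'..'P'."""
    raw = name.ljust(15, b" ")[:15] + bytes([suffix])
    return bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))

def decode_netbios_label(label: bytes) -> bytes:
    """Undo the first-level encoding, returning the 16-byte NetBIOS name."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def rejects(msg: bytes, offset: int) -> bool:
    try:
        decode_name(msg, offset)
        return False
    except ValueError:
        return True

# Constructed messages: 12-byte header, an encoded name, then a second name that is
# only a pointer back to offset 12; and a pointer that points to itself.
HEADER = bytes(12)
GOOD_MSG = HEADER + b"\x20" + encode_netbios_name(b"WORKGROUP") + b"\x00\xC0\x0C"
SELF_POINTER_MSG = HEADER + b"\xC0\x0C"
```

The hop limit is what guarantees termination: a backwards-only rule alone still allows a cycle through labels that advance past the pointer before jumping back.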
Current thread:
- NetBIOS name encoding David Fifield (Jul 06)
- Re: NetBIOS name encoding Ron (Jul 06)
- Re: NetBIOS name encoding David Fifield (Jul 06)
- Re: NetBIOS name encoding Ron (Jul 06)