Re: NetBIOS name encoding

[David Fifield <david () bamsoftware com>]

On Mon, Jul 06, 2009 at 06:25:11PM -0500, Ron wrote:
> David Fifield wrote:
> > While investigating the safety of UDP payloads this morning I found that
> > the NetBIOS name resolution service uses the same message format as DNS.
> > RFC 1002, section 4.1 says
> >
> >     The NetBIOS name representation in all NetBIOS packets (for
> >     NAME, SESSION, and DATAGRAM services) is defined in the Domain
> >     Name Service RFC 883 as "compressed" name messages.
> >
> > The "compressed" is what interests me, because DNS name decompression
> > has already been the source of two bugs in NSE.
> >
> > Fix for stack overflow in dns.lua
> > http://seclists.org/nmap-dev/2008/q4/0526.html
> > Stack overflow in dns-zone-transfer.nse
> > http://seclists.org/nmap-dev/2009/q1/0317.html
> >
> > I tried exploiting nbstat.exe in Windows XP with an Ncat server sending
> > malformed messages, but I couldn't get a hang or anything. So I'm asking
> > mainly of Ron Bowes but also of anyone else who might know: Does NetBIOS
> > really support name compression, and is it used in practice? If so,
> > there are probably implementations suceptible to this flaw.
>
> While working on NetBIOS/SMB, I vaguely remember something along the
> lines of, "if the first bit is 1, then instead of a string it's a 31-bit
> integer indicating where to find the string". I honestly don't remember
> where that was, though, and I can't seem to find it in my code.
>
> Knowing how I code, I likely implemented it to take the string at he new
> location, no matter what. I don't think it'd recurse in my
> implementation. But it's possible that others might implement it
> incorrectly.

I didn't see support for it in your libraries, but I wondered whether it
was because it's not used in practice.

To implement DNS decompression correctly you need to use recursion or at
least a stack of some sort, because one jump can itself contain a jump,
and after each one you have to return to where you came from so you can
process the next label. Brandon Enright found a DNS server that included
four legitimate nested jumps in its replies. You just have to put a
limit on it to rule out infinite recursion.

It's okay, I think, not to support this if it's not used in practice. It
would be a good place to look for vulnerabilities though.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org