COMMAND
Network Monitor
SYSTEMS AFFECTED
Win95, NT
PROBLEM
Mnemonix found the following. There is a problem with both the SMS
version of Network Monitor and the version on the NT Server 4
CD-ROM. If it "sniffs" a NetBIOS session request from a machine
whose NetBIOS Scope ID is 190 or more characters, then when the
capture is stopped and the results are viewed, the Network Monitor
process (netmon.exe) experiences a memory problem. Depending on
whether there are other open capture windows or not, the memory
problem manifests itself in a number of different ways: sometimes
buffer overruns, sometimes a page fault, and other times the
process just dies with no reason given. The problem actually stems
from the NetBIOS parser, netbios.dll, not being able to handle the
packet when it tries to interpret the contents. The impact of this
problem can range from a simple Denial of Service, to really annoy
an admin trying to troubleshoot a LAN issue, to possible
exploitation, especially as Network Monitor is normally run by an
Admin and consequently the netmon.exe process and any child
process it spawns will run with Administrative privileges.
This was tested on NT Server 4.0 (Service Pack Three + Hotfixes)
and Windows 95.
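The bounds checks a protocol parser needs when it decodes the name
and Scope ID from a captured session request, as an added example
(not code from this advisory, from Network Monitor or from
Microsoft). It assumes the RFC 1002 second-level name encoding;
nb_decode_name and the buffer sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NB_NAME_LEN 16   /* decoded NetBIOS name */
#define NB_MAX_WIRE 255  /* RFC 1002 limit on an encoded name, incl. terminator */

/* Decode one RFC 1002 second-level encoded name from p[0..len).
 * Writes the 16-byte name to name[] and the dotted Scope ID to scope[]
 * (NUL-terminated, never more than scope_cap bytes). Returns the bytes
 * consumed, or -1 if the input is malformed, truncated or too long. */
int nb_decode_name(const uint8_t *p, size_t len,
                   uint8_t name[NB_NAME_LEN], char *scope, size_t scope_cap)
{
    size_t pos, out = 0;

    if (scope_cap == 0 || len < 34 || p[0] != 32)
        return -1;
    for (int i = 0; i < NB_NAME_LEN; i++) {   /* half-ASCII: 'A'..'P' per nibble */
        uint8_t hi = (uint8_t)(p[1 + 2 * i] - 'A');
        uint8_t lo = (uint8_t)(p[2 + 2 * i] - 'A');
        if (hi > 15 || lo > 15)
            return -1;
        name[i] = (uint8_t)(hi << 4 | lo);
    }
    pos = 33;
    for (;;) {                                /* scope labels, then a 0 terminator */
        if (pos >= len || pos >= NB_MAX_WIRE)
            return -1;
        uint8_t l = p[pos++];
        if (l == 0)
            break;
        if (l > 63 || l > len - pos)          /* no pointers, no read past input */
            return -1;
        if (out + l + 2 > scope_cap)          /* '.' + label + NUL must fit (conservative) */
            return -1;
        if (out)
            scope[out++] = '.';
        memcpy(scope + out, p + pos, l);
        out += l;
        pos += l;
    }
    scope[out] = '\0';
    return (int)pos;
}
```

A caller that shows the scope in a fixed-size display buffer passes
that buffer's real size as scope_cap, so an over-long Scope ID is
rejected instead of being copied past the end.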
SOLUTION
Microsoft was informed about this issue.