COMMAND
Network Monitor
SYSTEMS AFFECTED
WinNT4 SRV, TSE, and EE, Win2000 Srv, AS and DS, SMS 1.2 and 2.0
PROBLEM
ISS and COVERT found the same vulnerability. The following is
based on the Internet Security Systems Security Advisory. ISS has discovered
a buffer overflow vulnerability in Microsoft's Network Monitor
utility. The vulnerability allows code to be executed on the
remote computer with the privilege levels of the current user.
Administrative privileges are required to run Network Monitor.
Network Monitor is a network administration tool installed as an
option with Microsoft Windows NT 4.0 and Windows 2000. Network
Monitor allows administrators to monitor network traffic. This
vulnerability affects both basic and full versions of Network
Monitor. The basic version is shipped with Windows NT 4.0 and
Windows 2000 servers and allows an administrator to gather data
sent directly to his or her computer. The full version of Network
Monitor ships with Systems Management Server (SMS) and puts the
network card into promiscuous mode and can gather data sent over
an entire network segment.
The vulnerability is caused by a remotely exploitable buffer
overflow condition in one of Network Monitor's protocol parsers.
A protocol parser is a dynamic-link library (.dll) that identifies
and analyzes protocols that have been used to send data over the
network. Information about these protocols appears when captured
data is displayed in Network Monitor's Frame Viewer window.
Each protocol that Network Monitor supports has a corresponding
parser. When Network Monitor captures HTTP traffic, the HTTP
parser interprets the data for display. Network Monitor will
crash or exit when malformed data is captured and parsed. This
buffer overflow allows a remote attacker to gain privileged access
and execute arbitrary code on any computer running Network Monitor
that displays this captured data.
The following is based on COVERT Security Advisory COVERT-2000-11.
Individual packets received from the network are parsed to
provide a readable representation in the user interface. Each
application-level protocol is parsed by a separate dynamic-link
library within Network Monitor. One of the vulnerable libraries,
'browser.dll', is documented in the samples section of the Visual
C++ documentation in the MSDN library.
Multiple stack overflows in various function calls within Network
Monitor's parsing libraries may allow remote attackers to gain
control of the Network Monitor application and execute arbitrary
code.
When a captured session is viewed in Network Monitor's user
interface, a single line summary of protocol specific data is
displayed. Analysis of a selection of protocol-specific libraries
has identified a practice of using insecure string-handling
functions, creating numerous remotely exploitable vulnerabilities.
The following examples illustrate specific problems identified by
COVERT Labs research.
1) If a CIFS Browse Frame is delivered to UDP port 138, the
function FormatBrowserSummary() is called within 'browser.dll'.
One specific CIFS Browse Frame, "Become Backup", includes the
name of the Browse Server to be promoted. This information is
extracted from the UDP datagram for inclusion in the single
line summary.
The Browse Server name is passed to the WIN32 API function
call OemToChar(), which translates a string from the
OEM-defined character set into either an ANSI or a
wide-character string. The OemToChar() function stops
converting characters when it encounters a null character. The
vulnerable FormatBrowserSummary() function in 'browser.dll'
calls OemToChar(), converting the server name into a 255-byte
character buffer on the stack. Because OemToChar() provides no
bounds checking, the stack can be overrun with arbitrary values.
2) If an SNMP request is received on UDP port 161, 'snmp.dll' is
called. The community name of the SNMP request is extracted
from the datagram for the protocol specific summary. The SNMP
community name is copied into a stack buffer by 'snmp.dll'
using the WIN32 function wsprintfA(). Because this function
call does not provide adequate bounds checking, the stack may
be overwritten.
3) If an SMB session is received on TCP port 139, 'smb.dll' is
called. This parser contains two vulnerabilities. If an SMB
session with a long username or a long filename for a type C
transaction is received, Network Monitor will overwrite its
stack frame via an unchecked wsprintfA() call in a manner
similar to the vulnerability described in the SNMP parser.
Gaining control of the instruction pointer for each of these
vulnerabilities can be achieved either by overwriting the return
address and allowing the vulnerable function to return, or by
overwriting the Structured Exception Handler callback pointer and
then causing an invalid memory reference.
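The common defect in items 1 to 3 is a name or community string copied from an untrusted datagram into a fixed-size stack buffer with no bound. The following is an added example (not ISS, COVERT or Microsoft code) of a bounds-checked summary formatter for the "Become Backup" case; it uses a simplified, constructed frame layout (one assumed opcode byte followed by the server name), not the real CIFS Browse frame format, and portable snprintf/strnlen in place of the Win32 calls named above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUMMARY_MAX   255   /* size of the stack buffer named in the advisory */
#define BECOME_BACKUP 0x0B  /* assumed opcode for this constructed layout    */

/* Hardened counterpart of the summary formatter: the server name is read
 * only up to the end of the datagram and only if it fits the buffer; a NUL
 * terminator inside the frame is never assumed. The original converted the
 * name unconditionally into the 255-byte stack buffer, which is the overrun.
 * Returns 1 on success, 0 if the frame is rejected. */
int format_browser_summary(const uint8_t *frame, size_t frame_len,
                           char *out, size_t out_size)
{
    char name[SUMMARY_MAX + 1];   /* same 255-byte name buffer, plus NUL */
    size_t name_len;
    int n;

    if (frame_len < 1 || frame[0] != BECOME_BACKUP)
        return 0;
    /* length stops at the first NUL or at the end of the datagram */
    name_len = strnlen((const char *)frame + 1, frame_len - 1);
    if (name_len > SUMMARY_MAX)
        return 0;                 /* oversized name: reject instead of copy */
    memcpy(name, frame + 1, name_len);
    name[name_len] = '\0';
    /* snprintf bounds the one-line summary; wsprintfA in the parsers did not */
    n = snprintf(out, out_size, "Become Backup: %s", name);
    return n >= 0 && (size_t)n < out_size;
}

/* Builds a constructed Become Backup frame carrying a name of name_len 'A's.
 * Returns the frame length, or 0 if it does not fit in buf. */
size_t build_test_frame(uint8_t *buf, size_t buf_size, size_t name_len)
{
    if (name_len + 1 > buf_size)
        return 0;
    buf[0] = BECOME_BACKUP;
    memset(buf + 1, 'A', name_len);   /* no NUL: name runs to frame end */
    return name_len + 1;
}
```

A 400-byte name, which would have overrun the 255-byte stack buffer in the original parser, is rejected before any copy takes place.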
Discovery and documentation of these vulnerabilities were
conducted by Anthony Osborne and Barnaby Jack at the COVERT Labs
of PGP Security.
SOLUTION
Patch availability:
- Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487
- Microsoft Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly.
- Microsoft Windows 2000 Server, Advanced Server and Datacenter Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485
- Microsoft Systems Management Server 1.2:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505
- Microsoft Systems Management Server 2.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514
Customers who are running SMS should apply the SMS patch,
regardless of the platform they are running on. Customers who are
not running SMS but are using an affected server should apply the
operating system patch.
The patch for Windows NT 4.0 Server and Windows NT 4.0 Server,
Enterprise Edition, should be applied atop Service Pack 6a. It
will be included in Service Pack 7.
The patch for Windows NT 4.0 Server, Terminal Server Edition,
should be applied atop Service Pack 6. It will be included in
Service Pack 7.
The patch for Windows 2000 can be applied to computers running
Windows 2000 "Gold" or Service Pack 1. It will be included in
Windows 2000 Service Pack 2.
The patch for SMS 1.2 should be applied atop SMS 1.2 SP 4.
The patch for SMS 2.0 can be applied to SMS 2.0 Gold, Service
Pack 1, or Service Pack 2. It will be included in Service Pack 3.