COMMAND
Computer Browser Service
SYSTEMS AFFECTED
All versions of Microsoft Windows 95, 98, NT and 2000
PROBLEM
Following is based on Network Associates COVERT Labs Security
Advisory. The Microsoft Windows implementation of the Browser
Protocol contains an undocumented feature that provides for the
remote shutdown of the Computer Browser Service on a single
computer or multiple computers.
The publicly available CIFS Browser Protocol specification defines
a set of browse frames delivered on the network over UDP port 138.
One specific frame, however, remains undocumented: the
"ResetBrowser". This browser frame is decoded by Microsoft's
Network Monitor, and generated by the resource kit utility
"browstat.exe" using the tickle option. Other CIFS
implementations such as SAMBA also contain references to the
ResetBrowser frame.
While the entire CIFS Browser Protocol is unauthenticated allowing
many avenues of attack, the ResetBrowser frame presents a unique
opportunity. Creation of the browse frame allows three options:
o stop the browser from being a master
o reset the entire browser state
o shut down the browser
The ResetBrowser has the potential to either shut down the
Computer Browser on a Windows host or to reset its state. This
can provide an opportunity for a denial of service attack or
allow an attacker to selectively shut down a specific browser (or
a number of browsers) as part of a larger attack on the name and
service resolution systems of a Windows domain.
Adding to the denial of service implications, continually delivering
this browse frame to a domain's NetBIOS name resets the Computer
Browser Service on every host in the domain within broadcast range.
Access to the Browse List through utilities such as Network
Neighborhood can thus be degraded, or denied outright, for a large
number of hosts at once.
The unauthenticated CIFS Browsing Protocol is UDP based, so the
source address of a ResetBrowser frame is easily spoofed and the
frame can be delivered across routers.
The discovery and documentation of this vulnerability was
conducted by Anthony Osborne at the COVERT Labs of PGP Security.
To this we can add the "HostAnnouncement Flooding" vulnerability,
found by David Litchfield of Cerberus Information Security, which
does not affect Windows 2000. On Windows NT 4 Workstation and Server
the Computer Browser Service is started
by default. The service exists to help users of a network to be
able to locate resources. The design of the service allows for a
"master browser" which maintains a list of all of the NetBIOS
based computers on the network. This master browser feeds other
computers marked as backup browsers with this list. When a client
makes a request for this list it is sent a copy of it by a backup
browser. One of the problems with the browser service is that an
attacker can spoof entries, swelling the size of the list to well
over 50,000 hosts by firing off Host Announcements to the master
browser. This massive list is then passed onto the backup
browsers and is further sent out across the network for every
client request for the list. The network is soon bogged down.
Because the service runs over UDP it is also possible to attack a
specific host by sending several requests for the list with that
host's IP address spoofed as the source. The browse list is then
sent to that host several times.
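The two frames described above (the undocumented ResetBrowser frame with its three options, and the HostAnnouncement frames used for flooding) are small enough to decode by hand. The following is an added example, not code from the advisory, COVERT Labs or Cerberus: a decoder for the browse frame carried in a \MAILSLOT\BROWSE datagram on UDP 138, and a detection pass that reports every ResetBrowser frame with its option bits and flags a window in which an implausible number of distinct server names were announced. It assumes the NetBIOS datagram, SMB and mailslot headers have already been stripped and only the browse frame body is passed in; the HostAnnouncement layout follows the public CIFS browser specification and the ResetBrowser option bits follow Samba's nmbd decoder. The function names, the flood threshold and the sample capture are this example's own.

```python
"""Decoder for CIFS browse frames plus two detections built on it.

Added example, not code from the advisory. Assumes the caller passes the raw
browse frame (mailslot body) with all lower-layer headers already removed.
"""
import struct

OP_HOST_ANNOUNCEMENT = 0x01
OP_RESET_BROWSER = 0x0F

# ResetBrowser option bits: the three options the advisory lists (bit values
# as interpreted by Samba's nmbd).
RESET_STOP_MASTER = 0x01   # stop being a master browser
RESET_CLEAR_STATE = 0x02   # discard browse lists (reset browser state)
RESET_STOP_SERVICE = 0x04  # shut the browser service down

# HostAnnouncement: opcode, update count, periodicity (ms), 16-byte NetBIOS
# name, OS major/minor, server type bitmask, browser major/minor, 0xAA55
# signature, then a NUL-terminated comment (per the CIFS browser spec).
HOST_ANN_FMT = "<BBI16sBBIBBH"
HOST_ANN_SIGNATURE = 0xAA55


def parse_browse_frame(body: bytes) -> dict:
    """Decode one browse frame into a dict keyed by field name."""
    if not body:
        raise ValueError("empty browse frame")
    opcode = body[0]
    if opcode == OP_RESET_BROWSER:
        if len(body) < 2:
            raise ValueError("truncated ResetBrowser frame")
        opts = body[1]
        return {
            "opcode": "ResetBrowser",
            "stop_master": bool(opts & RESET_STOP_MASTER),
            "clear_state": bool(opts & RESET_CLEAR_STATE),
            "stop_service": bool(opts & RESET_STOP_SERVICE),
        }
    if opcode == OP_HOST_ANNOUNCEMENT:
        size = struct.calcsize(HOST_ANN_FMT)
        if len(body) < size:
            raise ValueError("truncated HostAnnouncement frame")
        (_, update, period_ms, name, _os_maj, _os_min,
         server_type, _b_maj, _b_min, sig) = struct.unpack(HOST_ANN_FMT, body[:size])
        comment = body[size:].split(b"\x00", 1)[0]
        return {
            "opcode": "HostAnnouncement",
            "update_count": update,
            "periodicity_ms": period_ms,
            "server_name": name.rstrip(b"\x00 ").decode("ascii", "replace"),
            "server_type": server_type,
            "comment": comment.decode("ascii", "replace"),
            "signature_ok": sig == HOST_ANN_SIGNATURE,
        }
    return {"opcode": f"0x{opcode:02x}"}


def build_host_announcement(name: str, comment: str = "",
                            period_ms: int = 720_000, server_type: int = 0x3) -> bytes:
    """Build a HostAnnouncement frame; used here only to construct sample input."""
    nb_name = name.upper().encode("ascii")[:15].ljust(16, b"\x00")
    head = struct.pack(HOST_ANN_FMT, OP_HOST_ANNOUNCEMENT, 1, period_ms, nb_name,
                       5, 0, server_type, 15, 1, HOST_ANN_SIGNATURE)
    return head + comment.encode("ascii") + b"\x00"


def build_reset_browser(options: int) -> bytes:
    """Build a ResetBrowser frame: opcode byte followed by the option byte."""
    return bytes([OP_RESET_BROWSER, options & 0x07])


def detect(datagrams, flood_threshold: int = 50) -> list:
    """Scan (source_ip, browse_frame) pairs from one capture window.

    Every ResetBrowser frame is reported, since nothing but browstat's tickle
    should legitimately send one. Announcements are counted by distinct server
    name across all sources rather than per source, because the sender IP of
    a UDP datagram is trivially spoofed.
    """
    alerts = []
    announced = set()
    for src, body in datagrams:
        try:
            frame = parse_browse_frame(body)
        except ValueError as err:
            alerts.append(f"{src}: malformed browse frame ({err})")
            continue
        if frame["opcode"] == "ResetBrowser":
            opts = [k for k in ("stop_master", "clear_state", "stop_service") if frame[k]]
            alerts.append(f"{src}: ResetBrowser frame, options={opts or ['none']}")
        elif frame["opcode"] == "HostAnnouncement":
            announced.add(frame["server_name"])
    if len(announced) >= flood_threshold:
        alerts.append(f"HostAnnouncement flood: {len(announced)} distinct server names in window")
    return alerts


def sample_capture() -> list:
    """Constructed sample window: one real server, one ResetBrowser, then a flood."""
    frames = [("10.0.0.5", build_host_announcement("FILESRV01", "Finance share"))]
    frames.append(("10.0.0.99", build_reset_browser(RESET_STOP_SERVICE)))
    frames += [("10.0.0.99", build_host_announcement(f"BOGUS{i:03d}")) for i in range(60)]
    return frames


def run_sample() -> list:
    return detect(sample_capture())


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The flood threshold is deliberately crude: a real network of a few hundred hosts announces that many names every announcement period, so the threshold must be set against the known size of the browse list rather than a fixed number, and the ResetBrowser alert is the higher-confidence signal.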
SOLUTION
If a firewall were in place and blocking port 138 UDP, neither
vulnerability could be exploited by an external user. Even an
internal user could only attack browsers on the same subnet as
his machine. Normal administrative tools would allow the
administrator to determine who had mounted the attack.
Patch availability:
- Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397
- Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21298
For some weird reason, MS won't do any patches for Win9x and
WinNT 4 TSE (Terminal Server Edition) platforms.