[NT] Flaw in NetBIOS Could Lead to Information Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 09/04/03

    To: list@securiteam.com
    Date: 4 Sep 2003 10:06:10 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Flaw in NetBIOS Could Lead to Information Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    Network basic input/output system (NetBIOS) is an application-programming
    interface (API) that can be used by programs on a local area network
    (LAN). NetBIOS provides programs with a uniform set of commands for
    requesting the lower-level services required to manage names, conduct
    sessions, and send datagrams between nodes on a network.

    This vulnerability involves one of the NetBT (NetBIOS over TCP) services,
    namely, the NetBIOS Name Service (NBNS). NBNS is analogous to DNS in the
    TCP/IP world and it provides a way to find a system's IP address given its
    NetBIOS name, or vice versa.

    Under certain conditions, the response to a NetBT Name Service query may,
    in addition to the typical reply, contain random data from the target
    system's memory. This data could, for example, be a segment of HTML if the
    user on the target system was using an Internet browser, or it could
    contain other types of data that exist in memory at the time that the
    target system responds to the NetBT Name Service query.

    An attacker could seek to exploit this vulnerability by sending a NetBT
    Name Service query to the target system and then examining the response to
    see whether it includes any random data from that system's memory.

    If best security practices have been followed and port 137 UDP has been
    blocked at the firewall, Internet based attacks would not be possible.

    DETAILS

    Affected Software:
     * Microsoft Windows NT 4.0® Server
     * Microsoft Windows NT 4.0, Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

    Not Affected Software:
     * Microsoft Windows Millennium Edition

    Mitigating factors:
     * Any information disclosure would be completely random.

     * By default, the Internet Connection Firewall (ICF), which is available
    with Windows XP and Windows Server 2003, blocks the ports that are used by
    NetBT.

     * To exploit this vulnerability, an attacker would have to be able to
    send a specially-crafted NetBT request to port 137 on the target system
    and then examine the response to see whether any random data from that
    system's memory is included. In intranet environments, these ports are
    usually accessible, but systems that are connected to the Internet usually
    have these ports blocked by a firewall.

    Patch availability:
    Download locations for this patch:
     * Windows Server 2003:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=A59CC2AC-F182-4CD5-ACE7-3D4C2E3F1326&displaylang=en>
     * Windows Server 2003 64 bit Edition:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=140CF7BE-0371-4D17-8F4C-951B76AC3024&displaylang=en>
     * Windows XP:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=1C9D8E86-5B8C-401A-88B2-4443FFB9EDC3&displaylang=en>
     * Windows XP 64 bit Edition:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=378D4B58-BF2C-4406-9D88-E6A3C4601795&displaylang=en>
     * Windows 2000:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=D0564162-4EAE-42C8-B26C-E4D4D496EAD8&displaylang=en>
     * Windows NT 4 Server:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=F131D63A-F74F-4CAF-95BD-D7FA37ADCF38&displaylang=en>
     * Windows NT 4 Terminal Server Edition:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=22379951-64A9-446B-AC8F-3F2F080383A9&displaylang=en>

    What's the scope of the vulnerability?
    This is an Information Disclosure vulnerability that could enable an
    attacker to receive arbitrary or random data from the memory of another
    computer system that is on a network.

    Under certain conditions, the response to a NetBT Name Service query may,
    in addition to the normal reply, contain random data from the target
    system's memory. This data could, for example, be a segment of HTML if the
    user on the target system were using an Internet browser at the time that
    the target system responds to the NetBT Name Service query. It could also
    contain other types of data, depending on what data exists in memory at
    the time that the target system responds to the NetBT Name Service query.
    To exploit the vulnerability, the attacker must be able to access the
    target system over NetBT.

    The potential information disclosure cannot be directed or controlled. Any
    data that an attacker might receive would be very arbitrary in its nature
    because the information disclosure is limited to random segments of data
    that are in memory.

    An attacker could increase the probability of this memory disclosure by
    repeatedly sending NetBT Name Service queries to the system. However, the
    information that could be disclosed would still be random and would depend
    on how the user was using their system at the time of the attack.

    What is NetBIOS?
    NetBIOS is a set of networking services for computer networking. NetBIOS
    can be implemented on top of a number of different networking protocols,
    such as TCP/IP.

    What is NetBT?
    NetBT is the protocol that describes how NetBIOS services are provided
    over a TCP/IP network. For more information, visit the following Microsoft
    Web site: NetBIOS over TCP/IP (NetBT) concepts

    What causes the vulnerability?
    If the network datagram (also referred to as a packet) requires padding,
    the padding should be blank. A vulnerability results because of a flaw in
    NetBT that can cause arbitrary data to be used for padding instead of
    blank data.

    What is a datagram?
    A datagram is a self-contained, independent piece of data that carries
    sufficient information to be routed from the source to the destination
    computer without relying on earlier exchanges between these source and
    destination over the transporting network. In short, a datagram is what
    TCP/IP divides files and other types of content into before it routes it
    over a particular network.

    What is wrong with NetBT?
    There is a flaw in the way that NetBT pads datagrams. When NetBT
    constructs Name Service replies it allocates a larger buffer to contain
    the information that is required for the response. This buffer is not
    properly initialized before it is used to make sure that it is blank.
    NetBT will write only the amount of data that is required for the response
    to the buffer but NetBT will read all of the contents of the buffer when
    it sends the response to the requesting system. As a result, the padding -
    the difference between the data written to and then read from the buffer -
    could be arbitrary data from a previous memory operation because the
    buffer was not first initialized.
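    The buffer-handling mistake described above, modelled in C as an added example
    (not code from the advisory or from Microsoft): a fixed-size reply buffer whose
    stale contents are simulated by a constructed fill, the vulnerable builder that
    sends the whole buffer without clearing it, the patched builder that zeroes it
    first, and a defender-side check that counts non-blank padding bytes in a
    captured datagram. The 20-byte reply and the 40-byte stale string are constructed
    values; the 12-byte padding that results is in line with the "15 bytes or less"
    the advisory cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPLY_BUF 32  /* fixed-size reply buffer; bytes past the real reply are padding */

/* Constructed stand-in for leftover heap contents, e.g. a fragment of a web page. */
static const char STALE[] = "<html><body>session=abc123</body></html>";

/* Model a freshly allocated buffer that still holds a previous operation's data. */
static void simulate_stale_allocation(uint8_t buf[REPLY_BUF]) {
    for (size_t i = 0; i < REPLY_BUF; i++)
        buf[i] = (uint8_t)STALE[i % (sizeof STALE - 1)];
}

/* Vulnerable pattern: only `len` bytes are written, but the whole buffer is sent,
 * so the uninitialised tail leaves the host as "padding". */
size_t build_reply_vulnerable(const uint8_t *reply, size_t len, uint8_t out[REPLY_BUF]) {
    if (len > REPLY_BUF) len = REPLY_BUF;
    simulate_stale_allocation(out);
    memcpy(out, reply, len);
    return REPLY_BUF;
}

/* Patched pattern: clear the buffer before use, so the padding is blank. */
size_t build_reply_fixed(const uint8_t *reply, size_t len, uint8_t out[REPLY_BUF]) {
    if (len > REPLY_BUF) len = REPLY_BUF;
    simulate_stale_allocation(out);
    memset(out, 0, REPLY_BUF);
    memcpy(out, reply, len);
    return REPLY_BUF;
}

/* Defender-side check on a captured datagram: count non-zero bytes beyond the
 * length the reply should have. Non-blank padding is the symptom described above. */
size_t nonblank_padding(const uint8_t *dgram, size_t dgram_len, size_t expected_len) {
    size_t n = 0;
    for (size_t i = expected_len; i < dgram_len; i++)
        if (dgram[i] != 0) n++;
    return n;
}

/* Build a constructed 20-byte reply with either builder and report the leak count. */
size_t demo_padding_leak(int patched) {
    static const uint8_t reply[20] = "constructed-reply!!";
    uint8_t dgram[REPLY_BUF];
    size_t sent = patched ? build_reply_fixed(reply, sizeof reply, dgram)
                          : build_reply_vulnerable(reply, sizeof reply, dgram);
    return nonblank_padding(dgram, sent, sizeof reply);
}
```

    `demo_padding_leak(0)` reports 12 non-blank padding bytes for the vulnerable
    builder and `demo_padding_leak(1)` reports 0 for the patched one.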

    What could this vulnerability enable an attacker to do?
    This vulnerability could enable an attacker to read some of the content of
    a target system's memory by examining the network for NetBT Name Service
    query replies. The attacker would have no way to determine what memory
    content would be disclosed, nor could an attacker force particular data to
    be exposed.

    How could an attacker exploit this vulnerability?
    An attacker could seek to exploit this vulnerability by sending NetBT Name
    Service queries to a target system and then examining the responses for
    arbitrary data from the target system's memory.

    How much data could be disclosed?
    The amount of data that may be disclosed is small; typically, the padding
    that is required is 15 bytes or less.

    Workarounds:
    Are there any workarounds that I can use to help block the exploitation of
    this vulnerability while I test or evaluate the patch?
    Yes. Although Microsoft urges all customers to apply the patch there are a
    number of workarounds that you can apply in the interim to help block
    exploitation of this vulnerability. There is no guarantee that the
    workarounds will block all possible attack vectors.
    Note that these workarounds should be considered temporary measures
    because they only help block paths of attack instead of correcting the
    underlying vulnerability.

     * Block TCP and UDP on port 137 at your firewall on the affected machines
    The NetBT Name Service uses this port. Blocking TCP and UDP port 137 at the
    firewall will help prevent systems that are behind the firewall from being
    attacked by attempts to exploit this vulnerability. Alternatively, use the
    Internet Connection Firewall (ICF), which is only available with Windows XP
    and Windows Server 2003. If you use the ICF included with Windows XP or
    Windows Server 2003 to help protect your Internet connection, it will, by
    default, block inbound NetBT traffic from the Internet. For more information
    about how to enable the ICF, and for information about other options that
    are available to you, visit the following Microsoft Web site:
    http://www.microsoft.com/protect.

     * Block the affected port by using an IPSec filter on the affected machines
    You can help to secure network communications on Windows 2000-based
    computers if you use Internet Protocol security (IPSec). For more
    information about IPSec and how to apply filters, see Microsoft Knowledge
    Base articles 313190 and 813878.

     * Disable NetBIOS over TCP/IP
    You can also disable NetBT on Windows 2000, Windows XP, and Windows Server
    2003. For more information about how to do this, and for information about
    what might be affected by doing this, visit the following Microsoft Web
    site: NetBIOS over TCP/IP (NetBT).

    What does the patch do?
    The patch eliminates the vulnerability by making sure that NetBT correctly
    initializes the affected buffer.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:0_51911_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

