Bugtraq mailing list archives
Microsoft's Network Monitor - Buffer Overrun / Page Fault /
From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Sat, 12 Dec 1998 21:49:16 -0000
There is a problem with both the SMS version of Network Monitor and the version on the NT Server 4 CD-ROM whereby if it "sniffs" a NetBIOS session request from a machine where the NetBIOS Scope ID is 190 or more characters, when the capture is stopped and the results are viewed the Network Monitor process (netmon.exe) experiences a memory problem. Depending on whether there are other open capture windows or not, the memory problem manifests itself in a number of different ways - sometimes buffer overruns, sometimes a page fault, and other times the process just dies with no reason as to why.

The problem actually stems from the netbios parser - netbios.dll - not being able to handle the packet when it tries to interpret the contents.

The impact of this problem can be from a simple Denial of Service - to really annoy an admin trying to troubleshoot a LAN issue - to possible exploitation, especially as Network Monitor is normally run by an Admin and consequently the netmon.exe process and any child process it spawns will run with Administrative privileges.

Microsoft was informed about this issue around 8 weeks ago, but not having heard anything since the first conversation I had with them about this I am issuing this advisory.

This was tested on NT Server 4.0 (Service Pack Three + Hotfixes) and Windows 95.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
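As an added illustration (not code from the advisory, from Microsoft or from netbios.dll), here is a bounds-checked decoder for the CALLED NAME field of a NetBIOS session request (RFC 1002 second-level encoding), i.e. the kind of length validation a dissector needs so that an oversized Scope ID is rejected instead of corrupting memory. The label, name and scope caps are assumed values for this example, and the sample packets are constructed.

```python
MAX_LABEL = 63     # per-label limit RFC 1002 names inherit from DNS
MAX_NAME = 255     # whole encoded name, length octets included (assumed)
MAX_SCOPE = 224    # assumed cap on the decoded scope ID string
# Constructed samples: "SERVER"<20> in scope example.com, and a 190-char scope
FIRST = b"\x20" + b"FDEFFCFGEFFC" + b"CA" * 10
SAMPLE = FIRST + b"\x07example\x03com\x00"
LONG_SCOPE = FIRST + bytes([190]) + b"a" * 190 + b"\x00"

def decode_first_level(label: bytes) -> bytes:
    """Undo first-level encoding: 32 chars in 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32:
        raise ValueError("first-level label must be 32 octets")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - 0x41, label[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    return bytes(raw)

def parse_session_name(buf: bytes, offset: int = 0):
    """Return (name, suffix, scope, next_offset) or raise ValueError. Each
    length is checked against the buffer and the caps before it is used."""
    labels, pos, total = [], offset, 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of packet")
        n, pos = buf[pos], pos + 1
        if n == 0:
            break
        if n > MAX_LABEL:
            raise ValueError("label of %d octets exceeds %d" % (n, MAX_LABEL))
        total += n + 1
        if total > MAX_NAME or pos + n > len(buf):
            raise ValueError("encoded name too long or truncated")
        labels.append(buf[pos:pos + n])
        pos += n
    raw = decode_first_level(labels[0] if labels else b"")
    scope = b".".join(labels[1:]).decode("ascii")
    if len(scope) > MAX_SCOPE:
        raise ValueError("scope ID of %d chars exceeds cap" % len(scope))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], scope, pos

def check_session_name(buf: bytes) -> str:
    """Non-raising form for a dissector or log line: 'ok' or the reason."""
    try:
        parse_session_name(buf)
        return "ok"
    except ValueError as e:
        return "rejected: %s" % e
```

A scope that stays within the caps (for instance 200 characters split into legal labels) decodes normally; only lengths that exceed the buffer or the caps are refused.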