Bugtraq mailing list archives
[COVERT-2000-09] Windows NetBIOS Name Conflicts
From: COVERT Labs <seclabs () nai com>
Date: Thu, 27 Jul 2000 19:13:11 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                      Network Associates, Inc.
                   COVERT Labs Security Advisory
                           July 27, 2000

                   Windows NetBIOS Name Conflicts

                           COVERT-2000-09
______________________________________________________________________

o Synopsis

The Microsoft Windows implementation of NetBIOS allows an unsolicited
UDP datagram to remotely deny access to services offered by registered
NetBIOS names. An attacker can remotely shut down all Domain Logins,
the ability to access SMB shares, and NetBIOS name resolution services.

RISK FACTOR: MEDIUM
______________________________________________________________________

o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000.
______________________________________________________________________

o Vulnerability Information

NetBIOS Name Conflicts, defined in RFC 1001 (15.1.3.5), occur when a
unique NetBIOS name has been registered by more than one node. Under
normal circumstances, name conflicts are detected during the NetBIOS
name discovery process. In other words, a NetBIOS name should only be
marked in conflict when an end node is actively resolving a NetBIOS
name.

The delivery of an unsolicited NetBIOS Conflict datagram to any
Microsoft Windows operating system will place a registered NetBIOS
name into a conflicted state. Conflicted NetBIOS names are effectively
shut down since they cannot respond to name discovery requests or be
used for session establishment, sending, or receiving NetBIOS
datagrams.

The security implications of conflicting a NetBIOS name depend upon
the NetBIOS name affected. If the NetBIOS names associated with the
Computer Browser service are conflicted, utilities such as Network
Neighborhood may become unusable. If the Messenger Service is
affected, the "net send" command equivalents are unusable. If NetLogon
is conflicted, Domain logons cannot be authenticated by the affected
server, thus allowing an attacker to systematically shut down the
NetLogon service on all domain controllers in order to deny domain
services. Finally, conflicting the Server and Workstation Services
will stop access to shared resources and many fundamental NetBIOS
services such as NetBIOS name resolution.
______________________________________________________________________

o Resolution

Microsoft has released a patch for this vulnerability. The patch can
be found at:

Windows 2000:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370

Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:
  Patch to be released shortly.

Windows NT 4.0 Server, Terminal Server Edition:
  Patch to be released shortly.

For more information, their security bulletin can be found at:
  http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
______________________________________________________________________

o Credits

The discovery and documentation of this vulnerability was conducted by
Anthony Osborne at the COVERT Labs of PGP Security, Inc.
______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert () nai com
______________________________________________________________________

o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.
______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOYDsN6F4LLqP1YESEQJmFwCeLQoHrqJcW/a0XqrYwEj+6pfuXRIAoMH3
odIH98QjLqxgNAL0hklGNVIe
=gPQy
-----END PGP SIGNATURE-----
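The advisory's point that a name should only be marked in conflict while the node is actively engaged in a name transaction can be expressed as a check on incoming UDP/137 traffic. The following is an added example, not part of the COVERT advisory or Microsoft's patch: it flags a conflict response whose transaction ID matches nothing the host asked for. The header values (R bit, OPCODE 0x5, RCODE 0x7) are taken from the RFC 1002 name service packet format, not from the advisory; `pending_ids`, the name FILESRV01 and the sample bytes are assumptions constructed for illustration.

```python
import struct

OPCODE_REGISTRATION = 0x5  # RFC 1002 opcode: name registration
RCODE_CFT_ERR = 0x7        # RFC 1002 rcode: name in conflict

def decode_nb_name(data, offset=12):
    """Decode a first-level-encoded NetBIOS name into (name, suffix byte)."""
    if len(data) < offset + 34 or data[offset] != 32:
        raise ValueError("no 32-byte encoded name at offset")
    enc = data[offset + 1:offset + 33]
    if any(not 0x41 <= b <= 0x50 for b in enc):  # each nibble maps to 'A'..'P'
        raise ValueError("invalid first-level encoding")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def classify(datagram, pending_ids):
    """Classify one UDP/137 payload seen by a host or sensor.

    pending_ids is the set of NAME_TRN_IDs for name transactions the host
    currently has outstanding (assumption: the caller tracks these).
    """
    if len(datagram) < 12:
        return ("malformed", None, None)
    trn_id, flags, qdcount = struct.unpack("!HHH", datagram[:6])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if not (is_response and opcode == OPCODE_REGISTRATION
            and rcode == RCODE_CFT_ERR):
        return ("ignore", None, None)
    if qdcount != 0:  # a response carries no question; RR_NAME follows the header
        return ("malformed", None, None)
    try:
        name, suffix = decode_nb_name(datagram)
    except ValueError:
        return ("malformed", None, None)
    verdict = "solicited-conflict" if trn_id in pending_ids else "unsolicited-conflict"
    return (verdict, name, suffix)

# Constructed sample, truncated after RR_NAME: header (ID 0x1234, flags 0xAD87,
# ANCOUNT 1) plus the encoded name "FILESRV01" with suffix 0x20.
SAMPLE = (bytes.fromhex("1234ad87 0000 0001 0000 0000")
          + b"\x20EGEJEMEFFDFCFGDADBCACACACACACACA\x00")

if __name__ == "__main__":
    print(classify(SAMPLE, pending_ids=set()))     # nothing outstanding
    print(classify(SAMPLE, pending_ids={0x1234}))  # matches a pending request
```

An "unsolicited-conflict" verdict for a name with a service-critical suffix is the event worth alerting on or dropping at the host.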