securityvulns SECURITYVULNS:DOC:251
May 26, 2000 - 12:00 a.m.

[COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability



                 Network Associates, Inc.
              COVERT Labs Security Advisory
                      May 25, 2000

        Microsoft Windows Computer Browser Reset

                     COVERT-2000-05

o Synopsis

The Microsoft Windows implementation of the Browser Protocol contains
an undocumented feature that provides for the remote shutdown of the
Computer Browser Service on a single computer or multiple computers.

RISK FACTOR: MEDIUM


o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000.


o Vulnerability Information

The publicly available CIFS Browser Protocol specification defines
a set of browse frames delivered on the network over UDP port 138.
One specific frame, however, remains undocumented: the "ResetBrowser".
This browser frame is decoded by Microsoft's Network Monitor, and
generated by the resource kit utility "browstat.exe" using the
tickle option. Other CIFS implementations such as SAMBA also contain
references to the ResetBrowser frame.

While the entire CIFS Browser Protocol is unauthenticated, allowing
many avenues of attack, the ResetBrowser frame presents a unique
opportunity. Creation of the browse frame allows three options:

o stop the browser from being a master
o reset the entire browser state
o shut down the browser

The ResetBrowser has the potential to either shut down the Computer
Browser on a Windows host or to reset its state. This can provide
an opportunity for a denial of service attack or allow an attacker to
selectively shut down a specific browser (or a number of browsers)
as part of a larger attack on the name and service resolution
systems of a Windows domain.

Adding to the denial of service implications, the continual delivery
of this browse frame to a domain's NetBIOS name will reset the
Computer Browser Service on all hosts in the domain within broadcast
range. Accessing information from the Browse List through such
utilities as Network Neighborhood can be restricted if not denied
for a large number of hosts in an efficient manner.

The unauthenticated CIFS Browsing Protocol is UDP based, ensuring
that the ResetBrowser frame can be easily spoofed across routers.
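
A detection-side sketch of the behaviour described above, added here as an
example and not part of the COVERT advisory or any vendor code. It assumes
the browser payload has already been extracted from the UDP port 138 mailslot
datagram; the opcode and flag values come from Microsoft's later MS-BRWS
specification (ResetStateRequest), and the sample records are constructed.

```python
from collections import Counter

# Values from Microsoft's later MS-BRWS specification (ResetStateRequest),
# not from the advisory text, which describes the frame as undocumented.
RESET_STATE_OPCODE = 0x0E
RESET_TYPES = {
    0x01: "stop being a master",
    0x02: "reset entire browser state",
    0x04: "shut down the browser",
}

def decode_reset(payload: bytes):
    """Return the requested actions if payload is a ResetBrowser frame,
    None for any other browse frame, ['malformed'] if the type byte is missing."""
    if not payload or payload[0] != RESET_STATE_OPCODE:
        return None
    if len(payload) < 2:
        return ["malformed"]
    flags = payload[1]
    actions = [name for bit, name in RESET_TYPES.items() if flags & bit]
    return actions or ["unknown type 0x%02x" % flags]

def scan(records, burst_threshold=3):
    """records: iterable of (src_ip, dst_netbios_name, browser_payload).
    Returns (alerts, destination names hit at least burst_threshold times).
    Counting is per destination because the UDP source address is spoofable."""
    alerts, per_dest = [], Counter()
    for src, dst, payload in records:
        actions = decode_reset(payload)
        if actions is None:
            continue  # ordinary browse traffic
        per_dest[dst] += 1
        alerts.append((src, dst, actions))
    bursts = sorted(d for d, n in per_dest.items() if n >= burst_threshold)
    return alerts, bursts

# Constructed sample input (hypothetical hosts and names).
SAMPLE = [
    ("192.0.2.10", "CORP", bytes([0x01, 0x00])),   # some other browse frame
    ("192.0.2.66", "CORP", bytes([0x0E, 0x04])),
    ("192.0.2.67", "CORP", bytes([0x0E, 0x04])),
    ("192.0.2.68", "CORP", bytes([0x0E, 0x02])),
    ("192.0.2.20", "HOST1", bytes([0x0E])),        # truncated frame
]

if __name__ == "__main__":
    alerts, bursts = scan(SAMPLE)
    for alert in alerts:
        print("ResetBrowser:", alert)
    print("repeatedly targeted names:", bursts)
```

Any ResetBrowser frame that does not come from a known administrative host
running browstat.exe is worth an alert; the burst list highlights the
domain-wide reset case described above.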


o Resolution

Microsoft has released a patch for this vulnerability. The patch can
be found at:

Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397

Windows 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21298

For more information, their security bulletin can be found at:

http://www.microsoft.com/technet/security/bulletin/ms00-036.asp


o Credits

The discovery and documentation of this vulnerability was conducted
by Anthony Osborne at the COVERT Labs of PGP Security, Inc.


o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to [email protected]


o Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

