From: irwanhadi at phxby.com (Irwan Hadi)
Subject: Flaw in NetBIOS Could Lead to Information Disclosure (824105)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-034.asp


    
Microsoft Security Bulletin MS03-034  Print  


Flaw in NetBIOS Could Lead to Information Disclosure (824105)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers using Microsoft? Windows? 

Impact of vulnerability: Information disclosure 

Maximum Severity Rating: Low 

Recommendation: Users should evaluate whether to apply the security
patch to affected systems. 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-034.asp. 

Affected Software: 

Microsoft Windows NT 4.0? Server 
Microsoft Windows NT 4.0, Terminal Server Edition 
Microsoft Windows 2000 
Microsoft Windows XP 
Microsoft Windows Server. 2003 
Not Affected Software: 
Microsoft Windows Millennium Edition 
An End User version of the bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-034.asp. 

 Technical details
Technical description: 


Network basic input/output system (NetBIOS) is an application
programming interface (API) that can be used by programs on a local area
network (LAN). NetBIOS provides programs with a uniform set of commands
for requesting the lower-level services required to manage names,
conduct sessions, and send datagrams between nodes on a network. 

This vulnerability involves one of the NetBT (NetBIOS over TCP)
services, namely, the NetBIOS Name Service (NBNS). NBNS is analogous to
DNS in the TCP/IP world and it provides a way to find a system.s IP
address given its NetBIOS name, or vice versa. 

Under certain conditions, the response to a NetBT Name Service query
may, in addition to the typical reply, contain random data from the
target system.s memory. This data could, for example, be a segment of
HTML if the user on the target system was using an Internet browser, or
it could contain other types of data that exist in memory at the time
that the target system responds to the NetBT Name Service query. 

An attacker could seek to exploit this vulnerability by sending a NetBT
Name Service query to the target system and then examine the response to
see if it included any random data from that system.s memory. 

If best security practices have been followed and port 137 UDP has been
blocked at the firewall, Internet based attacks would not be possible. 

Mitigating factors: 

Any information disclosure would be completely random. 
By default, the Internet Connection Firewall (ICF), which is available
with Windows XP and Windows Server 2003, blocks the ports that are used
by NetBT. 
To exploit this vulnerability, an attacker would have to be able to send
a specially-crafted NetBT request to port 137 on the target system and
then examine the response to see whether any random data from that
system.s memory is included. In intranet environments, these ports are
usually accessible, but systems that are connected to the Internet
usually have these ports blocked by a firewall. 
Severity Rating: Windows NT 4.0 Server Low 
Windows NT 4.0, Terminal Server Edition Low 
Windows 2000 Low 
Windows XP Low 
Windows Server 2003 Low 
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0661 

Tested Versions:
Microsoft tested Windows NT 4.0 Server, Windows NT 4.0 Terminal Server
Edition, Windows 2000, Windows Millennium Edition, Windows XP, and
Windows Server 2003 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and may or may
not be affected by these vulnerabilities.


 Frequently asked questions 
What.s the scope of the vulnerability?

This is an Information Disclosure vulnerability that could enable an
attacker to receive arbitrary or random data from the memory of another
computer system that is on a network. 

Under certain conditions, the response to a NetBT Name Service query
may, in addition to the normal reply, contain random data from the
target system.s memory. This data could, for example, be a segment of
HTML if the user on the target system were using an Internet browser at
the time that the target system responds to the NetBT Name Service
query. It could also contain other types of data, depending on what data
exists in memory at the time that the target system responds to the
NetBT Name Service query. To exploit the vulnerability, the attacker
must be able to access the target system over NetBT. 

The potential information disclosure cannot be directed or controlled.
Any data that an attacker might receive would be very arbitrary in its
nature because the information disclosure is limited to random segments
of data that are in memory. 

An attacker could increase the probability of this memory disclosure by
repeatedly sending NetBT Name Service queries to the system. However,
the information that could be disclosed would still be random and would
depend on how the user was using their system at the time of the attack. 

What is NetBIOS? 
NetBIOS is a set of networking services for computer networking. NetBIOS
can be implemented on top of a number of different networking protocols,
such as TCP/IP. 

What is NetBT? 
NetBT is the protocol that describes how NetBIOS services are provided
over a TCP/IP network. For more information, visit the following
Microsoft Web site: NetBIOS over TCP/IP (NetBT) concepts 

What causes the vulnerability? 
If the network datagram (also referred to as a packet) requires padding,
the padding should be blank. A vulnerability results because of a flaw
in NetBT that can cause arbitrary data to be used for padding instead of
blank data. 

What is a datagram? 
A datagram is a self-contained, independent piece of data that carries
sufficient information to be routed from the source to the destination
computer without relying on earlier exchanges between these source and
destination over the transporting network. In short, a datagram is what
TCP/IP divides files and other types of content into before it routes it
over a particular network. 

What is wrong with NetBT? 
There is a flaw in the way that NetBT pads datagrams. When NetBT
constructs Name Service replies it allocates a larger buffer to contain
the information that is required for the response. This buffer is not
properly initialized before it is used to make sure that it is blank.
NetBT will write only the amount of data that is required for the
response to the buffer but NetBT will read all of the contents of the
buffer when it sends the response to the requesting system. As a result,
the padding.the difference between the data written to and then read
from the buffer.could be arbitrary data from a previous memory operation
because the buffer was not first initialized. 

What could this vulnerability enable an attacker to do? 
This vulnerability could enable an attacker to read some of the content
of a target system.s memory by examining the network for NetBT Name
Service query replies. The attacker would have no way to determine what
memory content would be disclosed, nor could an attacker force
particular data to be exposed. 

How could an attacker exploit this vulnerability? 
An attacker could seek to exploit this vulnerability by sending NetBT
Name Service queries to a target system and then examining the responses
for arbitrary data from the target system.s memory. 

How much data could be disclosed? 
The amount of data that may be disclosed is small; typically the padding
that is required is 15 bytes or less. 

Workarounds: 

Are there any workarounds that I can use to help block the exploitation
of this vulnerability while I test or evaluate the patch? 
Yes. Although Microsoft urges all customers to apply the patch there are
a number of workarounds that you can apply in the interim to help block
exploitation of this vulnerability. There is no guarantee that the
workarounds will block all possible attack vectors. 
Note that these workarounds should be considered temporary measures
because they only help block paths of attack instead of correcting the
underlying vulnerability. 

Block TCP and UDP on port 137 at your firewall on the affected machines
The NetBT Name Service uses this port. Blocking TCP and UDP at the
firewall will help prevent systems that are behind the firewall from
being attacked by attempts to exploit these vulnerabilities. Use
Internet Connection Firewall (which is only available with Windows XP
and Windows Server 2003). If you use the Internet Connection Firewall
that is included with Windows XP or Windows Server 2003 to help protect
your Internet connection, it will, by default block inbound NetBT
traffic from the Internet. For more information about how to enable the
ICF, and for information about other options that are available to you,
visit the following Microsoft Web site:
http://www.microsoft.com/protect. 
Block the affected port by using an IPSec filter on the affected
machines You can help to secure network communications on Windows
2000-based computers if you use Internet Protocol security (IPSec). For
more information about IPSec and how to apply filters, see the following
Microsoft Knowledge Base article 313190 and 813878 
Disable NetBIOS over TCP/IP You can also disable NetBT on Windows 2000,
Windows XP, and Windows Server 2003. For more information about how to
do this, and for information about what might be affected by doing this,
visit the following Microsoft Web site: NetBIOS over TCP/IP (NetBT). 
What does the patch do? 
The patch eliminates the vulnerability by making sure that NetBT
correctly initializes the affected buffer. 

















































Patch availability
Download locations for this patch 
Windows Server 2003 
Windows Server 2003 64 bit Edition 
Windows XP 
Windows XP 64 bit Edition 
Windows 2000 
Windows NT 4 Server 
Windows NT 4 Terminal Server Edition 

 Additional information about this patch
Installation platforms: 
This patch can be installed on systems running. 
Microsoft Windows NT 4.0 Server Service Pack 6a 
Microsoft Windows NT 4.0, Terminal Server Edition Service Pack 6 
Windows 2000 Service Pack 4 and Service Pack 3 
Microsoft Windows XP Gold and Service Pack 1 
Microsoft Windows Server 2003 
Inclusion in future service packs:
The fix for this issue will be included in Windows XP Service Pack 2 and
in Windows Server 2003 Service Pack 1. 

Reboot needed: Yes 

Patch can be uninstalled: Yes 

Superseded patches: None. 

Verifying patch installation: 

Windows NT 4.0 Server 
To verify that the patch has been installed on the machine, confirm that
all the files that are listed in the file manifest in Microsoft
Knowledge Base article 824105 are present on the system. 
Windows NT 4.0, Terminal Server Edition 
To verify that the patch has been installed on the machine, confirm that
all the files that are listed in the file manifest in Microsoft
Knowledge Base article 824105 are present on the system. 
Windows 2000 
To verify that the patch has been installed on the machine, confirm that
the following registry key has been created on the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824105 
To verify the individual files, use the date/time and the version
information that is provided in the file manifest in Microsoft Knowledge
Base article 824105 and confirm that all the files that are listed in
the file manifest are present on the system. 
Windows XP Gold 
To verify that the patch has been installed on the system confirm that
the following registry key has been created on the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824105 
To verify the individual files, use the date/time and the version
information that is provided in the file manifest in Microsoft Knowledge
Base article 824105 and confirm that all the files that are listed in
the file manifest are present on the system. 
Windows XP SP1 
To verify that the patch has been installed on the system confirm that
the following registry key has been created on the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824105 
To verify the individual files, use the date/time and the version
information that is provided in the file manifest in Microsoft Knowledge
Base article 824105 and confirm that all the files that are listed in
the file manifest are present on the system. 
Windows Server 2003 
To verify that the patch has been installed on the system confirm that
the following registry key has been created on the system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server
2003\SP1\KB824105 
To verify the individual files, use the date/time and the version
information that is provided in the file manifest in Microsoft Knowledge
Base article 824105 and confirm that all the files that are listed in
the file manifest are present on the system. 
Caveats:
None 

Localization:
Localized versions of this patch are available at the locations
discussed in "Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following
locations: 

Security patches are available from the Microsoft Download Center, and
can be most easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web
site 
Other information: 
Acknowledgments
Microsoft thanks  Mike Price of Foundstone Labs for reporting this issue
to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article 824105 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site. 
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. 

Revisions: 


V1.0 (September 03, 2003): Bulletin published. 
 
 Contact Us   |  E-mail this Page   |  TechNet Newsletter  
 ? 2003 Microsoft Corporation. All rights reserved.   Terms of Use
Privacy Statement  Accessibility  

Powered by blists - more mailing lists