[8698] in bugtraq


Microsoft's Network Monitor - Buffer Overrun / Page Fault /

daemon@ATHENA.MIT.EDU (mnemonix)
Sat Dec 12 22:25:42 1998

Date: 	Sat, 12 Dec 1998 21:49:16 -0000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To:         ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG

There is a problem with both the SMS version of Network Monitor and the version on the NT Server 4 CD-ROM whereby, if it "sniffs" a NetBIOS session request from a machine where the NetBIOS Scope ID is 190 or more characters, then when the capture is stopped and the results are viewed the Network Monitor process (netmon.exe) experiences a memory problem. Depending on whether or not there are other open capture windows, the memory problem manifests itself in a number of different ways - sometimes buffer overruns, sometimes a page fault, and at other times the process just dies with no reason as to why.

The problem actually stems from the NetBIOS parser - netbios.dll - not being able to handle the packet when it tries to interpret the contents.
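As an added example that is not part of the advisory (and not Microsoft's netbios.dll), here is a bounds-checking parser in Python for the NetBIOS session request (RFC 1002, section 4.3.2), the packet the advisory describes. It checks every length byte before using it, enforces the RFC's 63-octet label and 255-octet name limits, and flags a scope ID of 190 or more characters so a capture tool can report the packet rather than mis-parse it. The 189-character policy bound, the encode/build helpers and the sample names (FILESRV, CLIENT1, corp.example) are assumptions constructed for this example.

```python
"""Added example (not from the advisory): a bounds-checking parser for the
NetBIOS session request (RFC 1002, section 4.3.2) that decodes the called and
calling names and flags a scope ID of 190 or more characters instead of
trusting the length bytes in the packet."""
import struct
from dataclasses import dataclass

SESSION_REQUEST = 0x81     # RFC 1002 packet type: SESSION REQUEST
MAX_LABEL_OCTETS = 63      # RFC 1002: one label is at most 63 octets
MAX_NAME_OCTETS = 255      # RFC 1002: one encoded name is at most 255 octets
MAX_SCOPE_ID_CHARS = 189   # policy bound (assumption): flag scope IDs of 190+ characters


class NetBIOSParseError(ValueError):
    """Raised for any packet that does not match the RFC 1002 layout."""


@dataclass
class NetBIOSName:
    name: str            # 15-character NetBIOS name, trailing pad stripped
    suffix: int          # 16th byte, the service type
    scope_id: str        # dotted scope labels ("" when there is no scope)
    oversized_scope: bool


def first_level_encode(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 chars, append suffix, send each nibble as 'A'+nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for octet in raw for b in (0x41 + (octet >> 4), 0x41 + (octet & 0x0F)))


def first_level_decode(encoded: bytes) -> bytes:
    """Reverse first-level encoding; reject anything outside 'A'..'P'."""
    if len(encoded) != 32:
        raise NetBIOSParseError("first-level name must be 32 octets")
    if any(not 0x41 <= b <= 0x50 for b in encoded):
        raise NetBIOSParseError("invalid first-level encoding character")
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(encoded[0::2], encoded[1::2]))


def encode_name(name: str, suffix: int = 0x20, scope_id: str = "") -> bytes:
    """Second-level (DNS-style label) encoding used on the wire; used here only to build sample packets."""
    labels = [first_level_encode(name, suffix)] + [l.encode("ascii") for l in scope_id.split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_encoded_name(buf: bytes, offset: int) -> tuple[NetBIOSName, int]:
    """Parse one second-level encoded name at offset; every length byte is checked before use."""
    start, labels = offset, []
    while True:
        if offset >= len(buf):
            raise NetBIOSParseError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length > MAX_LABEL_OCTETS:           # also rejects 0xC0 compression pointers
            raise NetBIOSParseError(f"label of {length} octets exceeds {MAX_LABEL_OCTETS}")
        if offset + length > len(buf):
            raise NetBIOSParseError("label runs past end of packet")
        labels.append(buf[offset:offset + length])
        offset += length
        if offset - start > MAX_NAME_OCTETS:
            raise NetBIOSParseError(f"encoded name exceeds {MAX_NAME_OCTETS} octets")
    if not labels:
        raise NetBIOSParseError("empty name")
    raw = first_level_decode(labels[0])
    scope_id = ".".join(l.decode("ascii", "replace") for l in labels[1:])
    return NetBIOSName(raw[:15].decode("ascii", "replace").rstrip(), raw[15],
                       scope_id, len(scope_id) > MAX_SCOPE_ID_CHARS), offset


def parse_session_request(pkt: bytes) -> tuple[NetBIOSName, NetBIOSName]:
    """Parse TYPE, FLAGS, LENGTH, CALLED NAME, CALLING NAME; return (called, calling)."""
    if len(pkt) < 4:
        raise NetBIOSParseError("packet shorter than the session header")
    ptype, flags, length = struct.unpack("!BBH", pkt[:4])
    if ptype != SESSION_REQUEST:
        raise NetBIOSParseError(f"not a session request (type 0x{ptype:02x})")
    length |= (flags & 0x01) << 16          # RFC 1002: flag bit E extends LENGTH by one high bit
    body = pkt[4:4 + length]
    if len(body) != length:
        raise NetBIOSParseError("declared length exceeds captured bytes")
    called, off = parse_encoded_name(body, 0)
    calling, off = parse_encoded_name(body, off)
    if off != len(body):
        raise NetBIOSParseError("trailing bytes after calling name")
    return called, calling


def build_session_request(called: bytes, calling: bytes) -> bytes:
    """Assemble a session request from two encoded names (sample-packet helper)."""
    body = called + calling
    return struct.pack("!BBH", SESSION_REQUEST, (len(body) >> 16) & 1, len(body) & 0xFFFF) + body


# Constructed sample: workstation CLIENT1 opening a session to server FILESRV in scope corp.example.
SAMPLE_PACKET = build_session_request(encode_name("FILESRV", 0x20, "corp.example"),
                                      encode_name("CLIENT1", 0x00))

if __name__ == "__main__":
    for entry in parse_session_request(SAMPLE_PACKET):
        print(entry)
```

Every length byte in the packet is validated against both the remaining buffer and the RFC limits before any copy, which is the check that a crashing parser lacks; the separate scope-ID bound lets a capture tool surface the oversized packet as a finding rather than silently accept a value that is within the RFC but known to break a downstream consumer.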

The impact of this problem can range from a simple Denial of Service - enough to really annoy an admin trying to troubleshoot a LAN issue - to possible exploitation, especially as Network Monitor is normally run by an Admin and consequently the netmon.exe process and any child process it spawns will run with Administrative privileges.

Microsoft was informed about this issue around 8 weeks ago, but not having heard anything since the first conversation I had with them about this I am issuing this advisory.

This was tested on NT Server 4.0 (Service Pack Three + Hotfixes) and Windows 95.

Cheers,

David Litchfield

http://www.infowar.co.uk/mnemonix/
