There is a problem with both the SMS version of Network Monitor and the version on the NT Server 4 CD-ROM whereby, if it "sniffs" a NetBIOS session request from a machine where the NetBIOS Scope ID is 190 or more characters, then when the capture is stopped and the results are viewed the Network Monitor process (netmon.exe) experiences a memory problem. Depending on whether there are other open capture windows or not, the memory problem manifests itself in a number of different ways: sometimes buffer overruns, sometimes a page fault, and other times the process just dies with no indication as to why.

The problem actually stems from the NetBIOS parser, netbios.dll, not being able to handle the packet when it tries to interpret the contents.

The impact of this problem can range from a simple Denial of Service, to really annoy an admin trying to troubleshoot a LAN issue, to possible exploitation, especially as Network Monitor is normally run by an Admin and consequently the netmon.exe process and any child process it spawns will run with Administrative privileges.

Microsoft was informed about this issue around 8 weeks ago, but not having heard anything since the first conversation I had with them about this, I am issuing this advisory.

This was tested on NT Server 4.0 (Service Pack Three + Hotfixes) and Windows 95.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
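An added example, not taken from the advisory or from Microsoft's code: a bounds-checked decoder for the encoded NetBIOS name (name plus scope ID labels) that a session request carries, following the RFC 1001/1002 label format. The advisory does not say what netbios.dll does wrong; the fixed-size output buffer is an assumption, and `nb_parse_name` and `nb_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NB_MAX_ENCODED 255 /* RFC 1002: whole encoded name, scope included */
#define NB_MAX_LABEL    63 /* top two bits of a label length octet are 00 */

/* Decode the encoded name at pkt[0..len) into out as "NAME.scope".
 * Returns octets consumed, or -1 if malformed, truncated or too big for out. */
int nb_parse_name(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    size_t in, o = 0;
    if (len < 34 || pkt[0] != 32 || outsz < 17)
        return -1;
    for (in = 1; in < 33; in += 2) {   /* 16 bytes, two nibbles + 'A' each */
        unsigned hi = pkt[in] - 'A', lo = pkt[in + 1] - 'A';
        if (hi > 15 || lo > 15)
            return -1;
        unsigned c = (hi << 4) | lo;
        out[o++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    for (;;) {                         /* scope labels, ended by a 0 octet */
        if (in >= len || in >= NB_MAX_ENCODED)
            return -1;
        size_t l = pkt[in++];
        if (l == 0)
            break;
        if (l > NB_MAX_LABEL || in + l > len || in + l >= NB_MAX_ENCODED)
            return -1;
        if (o + l + 2 > outsz)         /* '.' + label + final NUL must fit */
            return -1;
        out[o++] = '.';
        memcpy(out + o, pkt + in, l);
        o += l; in += l;
    }
    out[o] = '\0';
    return (int)in;
}

/* Constructed sample input: a name of 16 spaces and a scope of scope_len
 * 'a' characters split into 63-octet labels. p must hold scope_len + 64. */
size_t nb_sample(uint8_t *p, size_t scope_len)
{
    size_t i = 0;
    p[i++] = 32;
    for (int k = 0; k < 16; k++) { p[i++] = 'C'; p[i++] = 'A'; } /* 0x20 */
    while (scope_len) {
        size_t l = scope_len > 63 ? 63 : scope_len;
        p[i++] = (uint8_t)l;
        memset(p + i, 'a', l); i += l; scope_len -= l;
    }
    p[i++] = 0;
    return i;
}
```

A 190-character scope is within the 255-octet wire limit, so a decoder has to accept it and size or bounds-check its output rather than assume short scopes.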
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:54 PDT