From aleph1@UNDERGROUND.ORG Sun Nov 5 20:53:30 2000 From: Aleph One To: BUGTRAQ@SECURITYFOCUS.COM Date: Thu, 2 Nov 2000 15:43:06 -0800 Subject: [BUGTRAQ] Internet Security Systems Security Advisory: Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Advisory November 1, 2000 Buffer Overflow in Microsoft Windows NT 4.0 and Windows 2000 Network Monitor Synopsis: Internet Security Systems (ISS) X-Force has discovered a buffer overflow vulnerability in Microsoft's Network Monitor utility. The vulnerability allows code to be executed on the remote computer with the privilege levels of the current user. Administrative privileges are required to run Network Monitor. Affected Versions: - -Microsoft Windows NT 4.0 Server, Terminal Server Edition, and Enterprise Edition. - -Windows 2000 Server, Advanced Server, and Datacenter Server - -Microsoft Systems Management Server versions 1.2 and 2.0 Description: Network Monitor is a network administration tool installed as an option with Microsoft Windows NT 4.0 and Windows 2000. Network Monitor allows administrators to monitor network traffic. This vulnerability affects both basic and full versions of Network Monitor. The basic version is shipped with Windows NT 4.0 and Windows 2000 servers and allows an administrator to gather data sent directly to his or her computer. The full version of Network Monitor ships with Systems Management Server (SMS) and puts the network card into promiscuous mode and can gather data sent over an entire network segment. The vulnerability is caused by a remotely exploitable buffer overflow condition in one of Network Monitor's protocol parsers. A protocol parser is a dynamic-link library (.dll) that identifies and analyzes protocols that have been used to send data over the network. Information about these protocols appears when captured data is displayed in Network Monitor's Frame Viewer window. Each protocol that Network Monitor supports has a corresponding parser. When Network Monitor captures HTTP traffic, the HTTP parser interprets the data for display. Network Monitor will crash or exit when malformed data is captured and parsed. This buffer overflow allows a remote attacker to gain privileged access and execute arbitrary code on any computer running Network Monitor that displays this captured data. Recommendations: Microsoft recommends that customers apply the following patches: Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487 Microsoft Windows 2000 Server, Advanced Server and Datacenter Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485 Microsoft Systems Management Server 1.2: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505 Microsoft Systems Management Server 2.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514 For more information on this vulnerability, please refer to the Microsoft Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS00-083.asp Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0817 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. The ISS SAFEsuite assessment software, Internet Scanner, will be updated to detect this vulnerability in an upcoming X-Press Update. Credits: This vulnerability was discovered and researched by Justine Bone of the ISS X-Force. Internet Security Systems would like to thank Microsoft for their response and handling of this vulnerability. About Internet Security Systems (ISS) Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global provider of security management solutions for the Internet. By combining best of breed products, security management services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security advisor for thousands of organizations around the world looking to protect their mission critical information and networks. Copyright (c) 2000 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net mailto:xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOgDbqjRfJiV99eG9AQEMUQQAhsK2UvqNJXTJonPI0fg3gHfPjxdmPgKL W0zA/oBh1pV/lbmvlPATIirk/Yy6EJx1s5NP18tHImzzKfnhAnhYsZlJKr74bA65 qjHumK2DAboGzj2hFfrc4lC7oPom7W1hzuIl0y3wkApyxJGQxTVaWrpn1p1a1uWf b1S4br7uTic= =5mXb -----END PGP SIGNATURE-----