
Microsoft Network Monitor Multiple Buffer Overflow Vulnerabilities

This exploit section has been taken directly from the COVERT Labs advisory (the full advisory is in the Credit section).

The following examples illustrate specific problems identified by COVERT Labs research.

1) If a CIFS Browse Frame is delivered to UDP port 138, the function FormatBrowserSummary() is called within 'browser.dll'. One specific CIFS Browse Frame, "Become Backup", includes the name of the Browse Server to be promoted. This information is extracted from the UDP datagram for inclusion in the single line summary.

The Browse Server name is passed to the Win32 API function OemToChar(), which translates a string from the OEM-defined character set into either an ANSI or a wide-character string. OemToChar() stops converting characters only when it encounters a null character. The vulnerable FormatBrowserSummary() function in 'browser.dll' calls OemToChar() to convert the server name into a 255-byte character buffer on the stack. Because OemToChar() provides no bounds checking, the stack can be overrun with arbitrary values.

2) If an SNMP request is received on UDP port 161, 'snmp.dll' is called. The community name of the SNMP request is extracted from the datagram for the protocol-specific summary. The SNMP community name is copied into a stack buffer by 'snmp.dll' using the Win32 function wsprintfA(). Because this function call does not provide adequate bounds checking, the stack may be overwritten.

3) If an SMB session is received on TCP port 139, 'smb.dll' is called. This parser contains two vulnerabilities. If an SMB session with a long username, or with a long filename for a type C transaction, is received, Network Monitor will overwrite its stack frame via an unchecked wsprintfA() call in a manner similar to the vulnerability described in the SNMP parser.

Gaining control of the instruction pointer through each of these vulnerabilities can be achieved either by overwriting the return address and allowing the vulnerable function to return, or by overwriting the Structured Exception Handler callback pointer and then causing an invalid memory reference.
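All three parsers share one defect: a field is copied out of a datagram into a fixed-size stack buffer by a call (OemToChar(), wsprintfA()) that stops only at a NUL and never looks at the destination size. The following C program is an added example, not code from the advisory or from Network Monitor; it shows the unchecked pattern beside a bounded replacement for the Browser name copy and an snprintf()-based replacement for the wsprintfA() summary line. The 255-byte summary buffer is the one size the advisory states; the 64-byte community-line buffer, the two-byte frame header, the field layout and the sample frames are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUMMARY_BUF_LEN   255  /* stated in the advisory */
#define COMMUNITY_BUF_LEN 64   /* assumption for this example */

enum copy_status {
    COPY_OK = 0,            /* field fitted and was copied verbatim */
    COPY_TRUNCATED = 1,     /* field longer than the destination; cut to fit */
    COPY_NO_TERMINATOR = 2  /* field runs off the end of the datagram; rejected */
};

/* The pattern the advisory describes: copy until NUL, destination size ignored.
 * strcpy() stands in for OemToChar()/wsprintfA(); main() only ever feeds it a
 * short name, so this file itself never overflows. */
static void summarize_unsafe(const char *name, char summary[SUMMARY_BUF_LEN])
{
    strcpy(summary, name); /* BUG: a name of 255 or more bytes overruns the frame */
}

/* Hardened Browser-summary copy: bounded by the datagram length (no read past
 * the packet) and by the destination length (no write past the buffer). */
static enum copy_status summarize_bounded(const unsigned char *dgram, size_t dgram_len,
                                          size_t name_off, char *summary,
                                          size_t summary_len)
{
    size_t end, name_len;

    if (summary_len == 0)
        return COPY_NO_TERMINATOR;
    summary[0] = '\0';
    if (name_off >= dgram_len)
        return COPY_NO_TERMINATOR;
    for (end = name_off; end < dgram_len && dgram[end] != '\0'; end++)
        ;
    if (end == dgram_len)               /* no NUL inside the datagram: reject */
        return COPY_NO_TERMINATOR;
    name_len = end - name_off;
    if (name_len >= summary_len) {      /* would not fit with its terminator */
        memcpy(summary, dgram + name_off, summary_len - 1);
        summary[summary_len - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(summary, dgram + name_off, name_len + 1);
    return COPY_OK;
}

/* Bounded equivalent of the wsprintfA() summary line in the SNMP/SMB parsers:
 * snprintf() takes the destination size and its return value reports a cut. */
static enum copy_status format_field_bounded(const char *label, const char *value,
                                             char *out, size_t out_len)
{
    int n;

    if (out_len == 0)
        return COPY_NO_TERMINATOR;
    n = snprintf(out, out_len, "%s = %s", label, value);
    if (n < 0) {
        out[0] = '\0';
        return COPY_NO_TERMINATOR;
    }
    return (size_t)n >= out_len ? COPY_TRUNCATED : COPY_OK;
}

/* Constructed inputs; two leading bytes stand in for the frame header. */
static char demo_summary[SUMMARY_BUF_LEN];
static char demo_line[COMMUNITY_BUF_LEN];

static enum copy_status demo_short_name(void)
{
    static const unsigned char frame[] = { 0x0b, 0x00, 'S', 'R', 'V', '0', '1', '\0' };
    return summarize_bounded(frame, sizeof frame, 2, demo_summary, SUMMARY_BUF_LEN);
}

static enum copy_status demo_overlong_name(void)
{
    unsigned char frame[2 + 300 + 1];   /* 300-byte name, larger than the buffer */
    frame[0] = 0x0b; frame[1] = 0x00;
    memset(frame + 2, 'A', 300);
    frame[302] = '\0';
    return summarize_bounded(frame, sizeof frame, 2, demo_summary, SUMMARY_BUF_LEN);
}

static enum copy_status demo_unterminated_name(void)
{
    unsigned char frame[2 + 40];        /* datagram ends before any NUL */
    frame[0] = 0x0b; frame[1] = 0x00;
    memset(frame + 2, 'B', 40);
    return summarize_bounded(frame, sizeof frame, 2, demo_summary, SUMMARY_BUF_LEN);
}

static enum copy_status demo_overlong_community(void)
{
    char community[301];
    memset(community, 'C', 300);
    community[300] = '\0';
    return format_field_bounded("community", community, demo_line, COMMUNITY_BUF_LEN);
}

int main(void)
{
    char summary[SUMMARY_BUF_LEN];

    summarize_unsafe("SRV01", summary); /* short name: fits even unchecked */
    printf("unsafe copy, short name : %s\n", summary);
    printf("short name              : status %d, \"%s\"\n", demo_short_name(), demo_summary);
    printf("300-byte name           : status %d, kept %zu bytes\n", demo_overlong_name(), strlen(demo_summary));
    printf("unterminated name       : status %d\n", demo_unterminated_name());
    printf("300-byte community      : status %d, %zu bytes\n", demo_overlong_community(), strlen(demo_line));
    return 0;
}
```

The two bounds in summarize_bounded() are independent: the datagram length stops the parser from reading past the packet when the NUL is missing, and the destination length stops it from writing past the 255-byte buffer when the NUL is present but far away. Either check alone leaves one of the two failure modes open.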

Copyright 2008, SecurityFocus