Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability

The implementation of the NetBIOS cache in Windows 95, 98, NT 4.0, and 2000 allows for remote insertion of dynamic cache entries and removal of both dynamic and static (from the LMHOSTS file) cache entries. This is due to the interaction between the implementation of the NetBIOS cache and the CIFS (Common Internet File System) Browser Protocol.

The CIFS Browsing Protocol generates a list of network resources and is used in services such as My Neighborhood or My Network Places. It also defines a number of Browse Frames encapsulated within a NetBIOS datagram. Information contained in a NetBIOS datagram is extracted and inserted into the NetBIOS cache when a Browse Frame request is received on UDP port 138. This information includes a source and destination NetBIOS name, second source IP address, and IP headers.

A remote malicious user can transmit unicast or broadcast UDP datagrams which can result in the redirection of NetBIOS name resolution to IP address resolution forwarding to an arbitrary IP address under their control. Once the cache is corrupted with a UDP datagram, it is no longer a prerequisite to predict Transaction IDs (which is reportedly an easily predictable 16-bit ID to begin with).

To flush a dynamic entry in the cache, one can send a Postive Name Query response that provides a different IP address to NetBIOS name mapping.


Privacy Statement
Copyright 2010, SecurityFocus