[COVERT-2000-05] Microsoft Windows Computer Browser Reset Vulnerability

2000-05-26T00:00:00
ID SECURITYVULNS:DOC:251
Type securityvulns
Reporter Securityvulns
Modified 2000-05-26T00:00:00

Description



                 Network Associates, Inc.
              COVERT Labs Security Advisory
                      May 25, 2000

        Microsoft Windows Computer Browser Reset

                     COVERT-2000-05

o Synopsis

The Microsoft Windows implementation of the Browser Protocol contains an undocumented feature that provides for the remote shutdown of the Computer Browser Service on a single computer or multiple computers.

RISK FACTOR: MEDIUM


o Vulnerable Systems

All versions of Microsoft Windows 95, 98, NT and 2000.


o Vulnerability Information

The publicly available CIFS Browser Protocol specification defines a set of browse frames delivered on the network over UDP port 138. One specific frame, however, remains undocumented: the "ResetBrowser". This browser frame is decoded by Microsoft's Network Monitor, and generated by the resource kit utility "browstat.exe" using the tickle option. Other CIFS implementations such as SAMBA also contain references to the ResetBrowser frame.

While the entire CIFS Browser Protocol is unauthenticated, allowing many avenues of attack, the ResetBrowser frame presents a unique opportunity. Creation of the browse frame allows three options:

o stop the browser from being a master
o reset the entire browser state
o shut down the browser

The ResetBrowser has the potential to either shut down the Computer Browser on a Windows host or to reset its state. This can provide an opportunity for a denial of service attack or allow an attacker to selectively shut down a specific browser (or a number of browsers) as part of a larger attack on the name and service resolution systems of a Windows domain.

Adding to the denial of service implications, the continual delivery of this browse frame to a domain's NetBIOS name will reset the Computer Browser Service on all hosts in the domain within broadcast range. Access to the Browse List through utilities such as Network Neighborhood can thus be degraded, if not denied outright, for a large number of hosts with very little effort.

The unauthenticated CIFS Browsing Protocol is UDP based, ensuring that the ResetBrowser frame can be easily spoofed across routers.
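As an added illustration of the frame described above (this is not code from the advisory or from Microsoft), the following monitor decodes the mailslot payload of browse frames seen on UDP 138, flags every ResetBrowser frame with its option bits decoded into the three options listed above, and escalates when one source keeps sending them, which is the domain-wide reset case. The opcode value 0x0E, the option bit layout and the HostAnnouncement opcode 0x01 are assumptions taken from the later-published MS-BRWS specification and Samba, not from this advisory; the sample traffic is constructed.

```python
from collections import defaultdict, deque

RESET_BROWSER_OPCODE = 0x0E  # ResetBrowser opcode (assumed from MS-BRWS; Samba: ANN_ResetBrowserState)
RESET_OPTIONS = (  # option bits in the byte after the opcode: the advisory's three options (assumed layout)
    (0x01, "stop-master"),  # stop the browser from being a master
    (0x02, "reset-state"),  # reset the entire browser state
    (0x04, "shutdown"),     # shut down the browser
)

def decode_browser_frame(payload: bytes) -> dict:
    """Decode a browse frame's mailslot payload: opcode, plus ResetBrowser options if present."""
    if not payload:
        raise ValueError("empty browser frame")
    info = {"opcode": payload[0], "reset": False, "options": []}
    if payload[0] == RESET_BROWSER_OPCODE:
        if len(payload) < 2:
            raise ValueError("truncated ResetBrowser frame")
        info["reset"] = True
        info["options"] = [name for bit, name in RESET_OPTIONS if payload[1] & bit]
    return info

class ResetBrowserMonitor:
    """Alert on every ResetBrowser frame; escalate when one source repeats within a window."""
    def __init__(self, window_s: float = 60.0, threshold: int = 3):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)  # src_ip -> timestamps of recent ResetBrowser frames

    def observe(self, ts: float, src_ip: str, dst_name: str, payload: bytes):
        info = decode_browser_frame(payload)
        if not info["reset"]:
            return None  # announcements, elections and other normal browser chatter
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        # Repeated resets sent to the domain's NetBIOS name match the advisory's broadcast DoS case.
        severity = "HIGH" if len(q) >= self.threshold else "MEDIUM"
        return f"{severity} ResetBrowser from {src_ip} to {dst_name} options={','.join(info['options'])}"

def analyze(events):
    """Run the monitor over (ts, src_ip, dst_name, payload) tuples and return the alerts raised."""
    mon = ResetBrowserMonitor()
    return [a for a in (mon.observe(*e) for e in events) if a]

# Constructed sample traffic (not a real capture): a normal HostAnnouncement (opcode 0x01, assumed),
# then three ResetBrowser frames from one source addressed to the domain's NetBIOS name.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "WORKGROUP", bytes([0x01, 0x00, 0x00, 0x00])),
    (1.0, "10.0.0.9", "WORKGROUP", bytes([0x0E, 0x04])),
    (2.0, "10.0.0.9", "WORKGROUP", bytes([0x0E, 0x02])),
    (3.0, "10.0.0.9", "WORKGROUP", bytes([0x0E, 0x03])),
]
```

Because the frame is unauthenticated and UDP based, the source address in an alert is not trustworthy on its own; correlate with the ingress interface or switch port before attributing the traffic.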


o Resolution

Microsoft has released a patch for this vulnerability. The patch can be found at:

Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397

Windows 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21298

For more information, their security bulletin can be found at:

http://www.microsoft.com/technet/security/bulletin/ms00-036.asp


o Credits

The discovery and documentation of this vulnerability were conducted by Anthony Osborne at the COVERT Labs of PGP Security, Inc.


o Contact Information

For more information about the COVERT Labs at PGP Security, visit our website at http://www.nai.com/covert or send e-mail to covert@nai.com.


o Legal Notice

The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.

Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

