CVE-2000-1079
CVSS7.5
发布时间 :2000-08-29 00:00:00
修订时间 :2008-09-10 15:06:32
NMCOS    

[原文]Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.


[CNNVD]Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS缓冲腐败漏洞(CNNVD-200008-003)

        用于Microsoft Windows 95,98,NT,和2000版本中CIFS Browser Protocol和NetBIOS之间存在相互影响,远程攻击者借助单播或者UDP播放数据包中受欺骗的Browse Frame Request修改动态NetBIOS名称缓存条目。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:microsoft:windows_2000Microsoft Windows 2000
cpe:/o:microsoft:windows_95Microsoft Windows 95
cpe:/o:microsoft:windows_98::goldMicrosoft windows 98_gold
cpe:/o:microsoft:windows_nt:4.0Microsoft Windows NT 4.0

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:1079MS CIFS Spoofed Browse Frame Request Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1079
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1079
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200008-003
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/5168.php
(VENDOR_ADVISORY)  XF  win-netbios-corrupt-cache
http://www.securityfocus.com/bid/1620
(VENDOR_ADVISORY)  BID  1620
http://www.nai.com/research/covert/advisories/045.asp
(UNKNOWN)  NAI  20000829 Windows NetBIOS Unsolicited Cache Corruption
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0116.html
(UNKNOWN)  NTBUGTRAQ  20000829 Re: [COVERT-2000-10] Windows NetBIOS Unsolicited Cache Corruption

- 漏洞信息

Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS缓冲腐败漏洞
高危 设计错误
2000-08-29 00:00:00 2005-10-20 00:00:00
远程※本地  
        用于Microsoft Windows 95,98,NT,和2000版本中CIFS Browser Protocol和NetBIOS之间存在相互影响,远程攻击者借助单播或者UDP播放数据包中受欺骗的Browse Frame Request修改动态NetBIOS名称缓存条目。
        

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 漏洞信息

10647
Microsoft Windows CIFS Browser Protocol Arbitrary NetBIOS Cache Entry Modification

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-08-30 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Microsoft Windows 9x / NT 4.0 / 2000 NetBIOS Cache Corruption Vulnerability
Design Error 1620
Yes Yes
2000-08-29 12:00:00 2009-07-11 02:56:00
Discovered by Anthony Osborne and posted to Bugtraq on August 29, 2000 by COVERT Labs <seclabs@nai.com>.

- 受影响的程序版本

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 98
Microsoft Windows 95 SR2
Microsoft Windows 95
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server

- 漏洞讨论

The implementation of the NetBIOS cache in Windows 95, 98, NT 4.0, and 2000 allows for remote insertion of dynamic cache entries and removal of both dynamic and static (from the LMHOSTS file) cache entries. This is due to the interaction between the implementation of the NetBIOS cache and the CIFS (Common Internet File System) Browser Protocol.

The CIFS Browsing Protocol generates a list of network resources and is used in services such as My Neighborhood or My Network Places. It also defines a number of Browse Frames encapsulated within a NetBIOS datagram. Information contained in a NetBIOS datagram is extracted and inserted into the NetBIOS cache when a Browse Frame request is received on UDP port 138. This information includes a source and destination NetBIOS name, second source IP address, and IP headers.

A remote malicious user can transmit unicast or broadcast UDP datagrams which can result in the redirection of NetBIOS name resolution to IP address resolution forwarding to an arbitrary IP address under their control. Once the cache is corrupted with a UDP datagram, it is no longer a prerequisite to predict Transaction IDs (which is reportedly an easily predictable 16-bit ID to begin with).

To flush a dynamic entry in the cache, one can send a Postive Name Query response that provides a different IP address to NetBIOS name mapping.

- 漏洞利用

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站