Microsoft Security Bulletin MS00-083 - Critical
Patch Available for 'Netmon Protocol Parsing' Vulnerability
Published: November 01, 2000 | Updated: April 26, 2002
Originally posted: November 01, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT® and Windows® 2000 server products and Systems Management Server. The vulnerability could allow a malicious user to gain control of an affected server.
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Systems Management Server 1.2
- Microsoft Systems Management Server 2.0
Note: Netmon does not ship as part of Windows NT 4.0 Workstation or Windows 2000 Professional. These products would only be affected if SMS had been installed on them.
- HTTP Protocol Parser Vulnerability: CAN-2000-0817
- Netmon Protocol Parsing Vulnerability: CAN-2000-0885
Microsoft ships two versions of Network Monitor (Netmon): a basic version that ships with Windows NT 4.0 and Windows 2000 server products, and full version that ships as part of Systems Management Server (SMS) 1.2 and 2.0. Both versions include protocol parsers that aid administrators in interpreting and analyzing previously-captured network data. However, several of the parsers have unchecked buffers. If a malicious user delivered a specially-malformed frame to a server that was monitoring network traffic, and the administrator parsed it using an affected parser, it would have the effect of either causing Netmon to fail or causing code of the malicious user's choice to run on the machine.
Netmon requires administrative privileges to run, but should only be run by local, rather than domain, administrators. If this is done, the vulnerability could be used to gain complete control over the local machine, but could not be used to gain control over a domain. Netmon does not ship on workstation products, so unless SMS had been installed on a workstation, it would not be affected by this vulnerability.
What's this bulletin about?
Microsoft Security Bulletin MS00-083 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT® 4.0 and Windows® 2000 server products, and in Microsoft Systems Management Server. Microsoft is committed to protecting customers' information,and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability affecting a tool used by administrators to monitor their networks. If a malicious user sent a particular type of malformed data across a network segment that the administrator was monitoring, it could have either of two effects. In the less serious case, the malformed data would cause the tool to fail when it processed the data. In the more serious case, code of the malicious user's choice could be made to run on the administrator's machine.
The network monitoring tool requires administrative privileges to run, so if the vulnerability were exploited to run code on the machine, it would have complete control over the local machine. However, adhering to best practices would prevent the vulnerability from being exploited against a domain administrator. The tool only ships by default only on server products.
What causes the vulnerability?
Several of the protocol parsers provided for Network Monitor have unchecked buffers. If specially-malformed data were sent over a network segment that the administrator was monitoring, it could potentially overrun the buffer and either cause the Network Monitor to fail, or cause code of the sender's choice to run on the machine in the administrator's security context.
What is Network Monitor?
Network Monitor, also known as Netmon, is an administrative tool that's used to monitor network traffic. It enables an administrator to record and analyze the data packets that traverse a network segment. Netmon is a useful tool for troubleshooting communications problems, or monitoring activities on the network. Administrative privileges are needed in order to use the tool.
There are two versions of Netmon, and both are affected by the vulnerability. A basic version, informally referred to as Netmon Lite, is delivered as part of Windows NT 4.0 and Windows 2000 server products. An advanced version, which we'll refer to here as the full version of Netmon, is included as one of the management tools in Systems Management Server 1.2 and 2.0.
Both versions allow data to be captured and analyzed, but there are important differences between them. Netmon Lite only allows the administrator to record and analyze data sent directly to his machine. In contrast, the full version of Netmon allows the administrator to record all data traversing the local network segment, regardless of what machine it's addressed to. (It does this by putting the network interface into "promiscuous mode"). Also, by installing remote agents on other machines, the full version allows the administrator to record and analyze data addressed directly to those machines, regardless of where on the network they reside.
What's a protocol parser?
A protocol parser is a plug-in module for Netmon that knows how to interpret the data packets, or frames, for a particular protocol. Suppose you received a frame of data and wanted to interpret it. One way to do this would be to read the initial part of the frame and identify the protocol in use, then consult a reference that lists the size and meaning of each field in a frame from that protocol. Once you had this information, you could interpret the frame, but this clearly is a task that cries out for automation, and Netmon's protocol parsers are designed to do this work.
Netmon includes a collection of parsers, each of which knows how to interpret the frames for a particular protocol. Netmon provides parsers for more than 100 different protocols, depending on the version. Most parsers are not affected by the vulnerability, but a number of them are.
What's the problem with the parsers?
Several of the parsers don't properly validate the data in a frame before interpreting it. If a malicious user sent a specially-malformed frame to a machine that was monitoring network traffic, and the administrator processed it using an affected parser, either of two outcomes could occur. If the malformed part of the frame contained random data, it would cause Netmon to fail. However, if it contained carefully-selected data, it could allow code of the malicious user's choice to run on the administrator's machine.
Would the malicious user need to send the malformed frame directly to the machine that was running Netmon, or could he just put it onto the network segment?
If the administrator was running Netmon Lite, the malicious user would need to send the data directly to the specific machine. However, if the administrator was running the full version of Netmon, the malicious user would only need to send the malformed frame to an address on the same network segment, or to a machine on which a remote agent was installed.
Would this vulnerability enable a malicious user to attack the administrator the moment he began monitoring the network?
No. It's important to understand that the vulnerability lies in the parsers, not in Netmon itself. Parsers can only be used to interpret data that has been "delay captured" - that is, captured for later analysis. The parsers cannot be used to interpret data in real time. As a result, if an administrator was using Netmon for tasks other than data capture and analysis, the vulnerability would pose no threat.
If the vulnerability were exploited to cause Netmon to fail, what would be needed to resume normal operation?
The administrator would just need to restart Netmon. It would not be necessary to restart the machine.
If the vulnerability were exploited to cause the malicious user's code to run on the administrator's machine, what could it do?
Netmon requires administrative privileges to run, so it would be certain that the code could gain these privileges. Thus, at a minimum, the code would gain local administrator privileges and would have complete control over the local machine.
If the person running Netmon was a domain administrator, his code could gain complete control over the entire domain. However, security best practices recommend against ever using the domain Administrator account for anything other than domain management functions, and if this recommendation has been followed, an administrator would use Netmon in the local, rather than domain, administrative context.
Would the malicious user be able to tell when the administrator was using Netmon?
He would be able to tell if the administrator was using the full version of Netmon, as it transmits a multicast packet when it puts the network interface into promiscuous mode. The malicious user would just need to write an application that watched for the multicast packet and recorded what machine transmitted it.
It would be more difficult for the malicious user to determine whether someone was running Netmon Lite, as it doesn't put the network interface into promiscuous mode, and as a result doesn't send a multicast packet. Netmon Lite does provide one way to tell if it's running - if another machine is running Netmon Lite, it can send a query to determine whether any other machines on the same network segment are also running it. This means that the malicious user could determine if someone was running Netmon Lite, but only if he already had administrative control of a server on the same network segment as the administrator.
Could this vulnerability be remotely exploited?
A properly-configured firewall - one that prevents an outside user from delivering packets to a specific internal network address - would prevent this vulnerability from being exploited by an Internet user.
Could this vulnerability be exploited accidentally?
No. The specific malformation at issue here renders the frame invalid. It's extremely unlikely that such a frame would be generated accidentally.
Who should use the patch?
Microsoft recommends that the patch be installed on the following machines:
- All Windows NT 4.0 or Windows 2000 server products, as Netmon Lite ships as part of these products. Netmon Lite does not ship as part of any workstation products.
- Any machine on which the full version of Netmon has been installed -- that is, any machine on which SMS has been installed. SMS can be installed on either servers or workstations, and the patch should applied to any machine that it has been installed on.
I'm running SMS on an affected server product. Do I need to install both the SMS and the operating system patch?
No. If you're running SMS, you only need to apply the SMS patch. If you're not running SMS, you need to apply the patch for the version of the operating system you're using.
What does the patch do?
The patch provides a new set of parsers that do not have the unchecked buffer at issue here.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition:
- Microsoft Windows NT 4.0 Server, Terminal Server Edition:
- Microsoft Windows 2000 Server and Advanced Server:
- Microsoft Systems Management Server 1.2:
- Microsoft Systems Management Server 2.0:
Note: Customers who are running SMS should apply the SMS patch, regardless of the platform they are running on. Customers who are not running SMS but are using an affected server should apply the operating system patch.
- The patch for Windows NT 4.0 Server and Windows NT 4.0 Server, Enterprise Edition, should be applied atop Service Pack 6a. It will be included in Service Pack 7.
- The patch for Windows NT 4.0 Server, Terminal Server Edition, should be applied atop Service Pack 6. It will be included in Service Pack 7.
- The patch for Windows 2000 can be applied to computers running Windows 2000 "Gold" or Service Pack 1. It will be included in Windows Service Pack 2.
- The patch for SMS 1.2 should be applied atop SMS 1.2 Service Pack 4.
- The patch for SMS 2.0 can be applied to SMS 2.0 Gold, Service Pack 1, or Service Pack 2. It will be included in Service Pack 3.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q274835, http://support.microsoft.com/default.aspx?scid=kb;en-us;274835&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (November 01, 2000): Bulletin Created.
- V1.1 (April 26, 2002): Bulletin updated to advise availability of Windows NT 4.0 Server, Terminal Server Edition Security Rollup Package.
Built at 2014-04-18T13:49:36Z-07:00