Microsoft Remote Administration BO

March 29, 2013

Microsoft Computer Browser service is used to share information about workgroups, domains, and the hosts within them. This is an essential Windows service for hosts that wish to browse shared resources. The Browser protocol defines five primary roles for participating hosts: client, service provider, local master, domain master, and backup server. The Browser protocol relies on two other protocols to transport its data: the Microsoft Remote Administration Protocol (RAP) and the Remote Mailslot Protocol (RMP). RAP is used by a client to request and receive enumerations of services and servers from a master or backup browser server. RMP is used for sending requests and replies between service providers, master servers, and backup servers. The communication can be targeted or by broadcast.

RAP commands are sent over the Server Message Block (SMB) Protocol. Before any RAP commands can be issued to a server, the client needs to establish an SMB connection with it. Lists of servers can be obtained by using the NetServerEnum2 class of commands. The commands NetServerEnum2Request and NetServerEnum2Response belong to this class.

A NetServerEnum2Request is used by clients to retrieve lists of servers or machine groups. This message has the following structure:

 Offset   Size        Name                    Description
 -------- ----------- ----------------------- -----------------------------------------------------
 0x0000   2           errorcode
 0x0002   2           converter
 0x0004   2           entriesreturned         number of structures in the Data section 'x'
 0x0006   2           entriesavailable        number of servers available
 0x0008   x * len     RAPData                 'x' structures of 'len' length describing available services

The RAPData section contains NetServerInfo structures. The format of these structures depends on other parameters in the NetServerEnum2Request. The structure of elements contained in RAPData is shown below:

 Offset   Size        Name                    Description
 -------- ----------- ----------------------- -----------------------------------------------------
 0x0000   16          servername              NetBIOS server name
 0x0010   1           majorversion            major version
 0x0011   1           minorversion            minor version
 0x0012   4           servertype              type of services provided
 0x0016   2           servercommentlow        absolute offset from the start of RAPData to a string
 0x0018   2           servercommenthigh

The protocol specification states that multiple entries can be provided in a NetServerEnum2Response message. Each entry consists of a servername field and a servercommentlow field. The values of these two fields are used to calculate the offset from the start of the RAPData block to a null-terminated ASCII string allocated in the response block. A heap buffer overflow flaw exists in the Microsoft Windows Browser Service when handling NetServerEnum2Response messages from a master browser. When two entries with the same servername are encountered in one response, the vulnerable code copies a value from the affected field into a fixed-size heap buffer, expanding the string to wide characters without verifying the resulting string's length. A carefully crafted malformed message will cause the buffer to overflow during this copy. This leads to heap memory corruption and could potentially lead to code injection and execution. Remote attackers can exploit this vulnerability by impersonating a master browser and providing a crafted response to a query for a resource. Successful exploitation could result in arbitrary code execution in the context of the logged-in user.

Dell SonicWALL has existing signatures that detect suspicious CIFS traffic. One of these signatures has been shown to proactively detect and block an acquired exploit targeting this flaw.
The following IPS signature proactively detects traffic exploiting this flaw:

  • 8483 - Suspicious CIFS Traffic 14

This vulnerability has been assigned CVE-2012-1852 by MITRE.
The vendor has released an advisory addressing this issue.