Windows Platforms Subject to NetBIOS Cache Pollution


Reported August 30, 2000 by
Anthony Osborne of COVERT Labs at PGP Security

  • Microsoft Windows 95, 98, NT 4.0, and 2000


ll Windows platforms are vulnerable to NetBIOS cache corruption via unicast or broadcast UDP datagrams. The overall effect is that an attacker could launch a man-in-the-middle attack (among other activities) by corrupting the cache with altered NetBIOS Name-to-IP address mappings.


Microsoft is aware of this problem, however according to the discoverers, the company will not issue a patch for this problem because it feels the problem resides in the unauthenticated nature of the NetBIOS protocol.

The discoverers recommend that should protect against unwanted NetBIOS cache changes by performing one fo the following actions:

  • Block NetBIOS TCP and UDP ports (135-139, and 445) at all network borders.
  • Do not rely on NetBIOS to perform hostname-to-IP address lookups.
  • Disable all services that register a NetBIOS name as seen with the "nbtstat -n" command. Be sure to unbind the "WINS Client" and other related services that employ NetBIOS.
  • Upgrade to Windows 2000 and disable "NetBIOS Over TCP/IP" functionality

Discovered by Anthony Osborne of COVERT Labs at PGP Security

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.