Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:2191 |
Message | NETBIOS SMB DCERPC invalid bind attempt |
Summary | This event is generated when an attempt is made to exploit a known vulnerability in Microsoft RPC DCOM. |
Impact | Denial of Service (DoS). |
Detailed Information | A vulnerability in Microsoft RPC DCOM allows an attacker to execute arbitrary code or cause a Denial of Service condition on a host by sending malformed data via RPC. The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC. A malformed request to an RPC port results in a buffer overflow that gives the attacker the opportunity to execute arbitrary code with the privileges of the local system account. |
Affected Systems | Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, Windows Server 2003 |
Attack Scenarios | An attacker may make a request for a file with an overly long filename via a network share. |
Ease of Attack | Simple. Exploit code exists. |
Corrective Action | Apply the appropriate vendor-supplied patches. Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall. |
Additional References | Microsoft: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp ; CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 |
--
DID:331683