Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1239 |
Message | NETBIOS RFParalyze Attempt |
Summary | This event is generated when an attempt is made to execute the RFParalyze DoS exploit. |
Impact | If the destination machine is vulnerable, it may start behaving unpredictably. Succesful exploitation may lead to a full system crash or may cause certain services to become unavailable. |
Detailed Information | This signature triggers on execution of RFParalyze, an exploit written in 2000 by Rain Forest Puppy. It was based on a binary exploit called "whisper", which was used in the wild at that time. This exploit performs a NetBIOS session request with a source host of NULL, which is incorrectly handled by Windows 95/98 hosts. |
Affected Systems | Windows 95 Windows 98 |
Attack Scenarios | An attacker can crash critical machines, thereby preventing them from being accessed by legitimate clients. |
Ease of Attack | Simple. Exploit code exists. |
Corrective Action | Patches are not available from the vendor. Use a packet filtering firewall to block inbound traffic to port 139/TCP from all untrusted networks & hosts Upgrade critical machines to a more recent and supported version of the operating system. |
Additional References | Bugtraq http://www.securityfocus.com/bid/1163 CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347 |
Rule References | bugtraq: 1163 cve: 2000-0347 nessus: 10392 |
--
DID:588675
--
http://www.aanval.com/