GEN:SID | 1:2191 |
Message | NETBIOS SMB DCERPC invalid bind attempt |
Summary | This event is generated when an attempt is made to exploit a known vulnerability in Microsoft RPC DCOM.
|
Impact | Denial of Service (DoS).
|
Detailed Information | A vulnerability exists in Microsoft RPC DCOM that allows execution of arbitrary code or a Denial of Service condition against a host by sending malformed data via RPC.
The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC. A malformed request to an RPC port will result in a buffer overflow condition that will present the attacker with the opportunity to execute arbitrary code with the privileges of the local system account.
|
Affected Systems | Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, Windows Server 2003
|
Attack Scenarios | An attacker may make a request for a file with an overly long filename via a network share.
|
Ease of Attack | Simple. Exploit code exists.
|
Corrective Action | Apply the appropriate vendor-supplied patches.
Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall.
|
Additional References | Microsoft: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
|