GEN:SID | 1:2350 |
Message | NETBIOS DCERPC ISystemActivator bind accept |
Summary | This rule no longer generates an event when an attempt is made to exploit a known vulnerability in Microsoft RPC DCOM. |
Impact | Execution of arbitrary code leading to full administrator access of the machine. Denial of Service (DoS). |
Detailed Information | This rule now uses flowbits and can be set to generate an event by modifying the rule slightly to remove the "flowbits:no_alert;" option. When traffic is detected that attempts to bind to the ISystemActivator object in MS RPC DCOM communications, this rule now activates SIDs 2351 and 2352 to detect exploits against this service. Cool huh?
A vulnerability exists in Microsoft RPC DCOM such that execution of arbitrary code or a Denial of Service condition can be issued against a host by sending malformed data via RPC.
The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC. A malformed request to an RPC port will result in a buffer overflow condition that will present the attacker with the opportunity to execute arbitrary code with the privileges of the local system account.
This vulnerability is also exploited by the Billy/Blaster worm. The worm also uses the Trivial File Transfer Protocol (TFTP) to propagate. A number of events generated by this rule may indicate worm activity. |
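The flowbits dependency described above, shown as an added simulation (this is not the Snort rule text and not Sourcefire's code): SID 2350 matches the ISystemActivator bind accept, sets a per-flow bit and, because of "flowbits:no_alert;", stays silent; SIDs 2351 and 2352 check that bit with an isset condition, so their exploit patterns only raise an event on a flow where the bind was actually seen. The flowbit name, the flow keys and the event sequence are constructed for the example.

```python
"""Simulate Snort flowbits chaining between SID 2350 (bind accept) and SIDs
2351/2352 (exploit attempts). Added example; the rule options mirrored here
(set, isset, no_alert) are standard flowbits semantics, the names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FLOWBIT = "dce.isystemactivator.bind"  # hypothetical flowbit name


@dataclass(frozen=True)
class Event:
    """A rule whose payload pattern matched on a given flow (constructed)."""
    flow: str          # stand-in for the 5-tuple Snort tracks per session
    matched_sid: int   # which rule's content checks matched the packet


@dataclass
class Rule:
    sid: int
    sets: Optional[str] = None      # flowbits:set,<name>
    requires: Optional[str] = None  # flowbits:isset,<name>
    no_alert: bool = False          # flowbits:no_alert


def build_rules(no_alert_on_bind: bool = True) -> Dict[int, Rule]:
    """SID 2350 sets the bit; 2351/2352 fire only when it is already set.
    Passing no_alert_on_bind=False models removing "flowbits:no_alert;"
    from the bind rule so it alerts on its own."""
    return {
        2350: Rule(2350, sets=FLOWBIT, no_alert=no_alert_on_bind),
        2351: Rule(2351, requires=FLOWBIT),
        2352: Rule(2352, requires=FLOWBIT),
    }


def run(events: List[Event], rules: Dict[int, Rule]) -> List[Tuple[str, int]]:
    """Evaluate events in order, keeping flowbit state per flow like Snort does."""
    flowbits: Dict[str, Set[str]] = {}
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        rule = rules[ev.matched_sid]
        bits = flowbits.setdefault(ev.flow, set())
        # isset check: exploit pattern without a prior bind on this flow is dropped
        if rule.requires and rule.requires not in bits:
            continue
        if rule.sets:
            bits.add(rule.sets)
        if not rule.no_alert:
            alerts.append((ev.flow, rule.sid))
    return alerts


# Constructed sequence: flowA binds then sends the exploit pattern; flowB and
# flowC show the exploit pattern with no bind observed on that flow.
SAMPLE_EVENTS = [
    Event("flowA", 2350),
    Event("flowB", 2351),
    Event("flowA", 2351),
    Event("flowC", 2352),
]

if __name__ == "__main__":
    print("default (no_alert on 2350):", run(SAMPLE_EVENTS, build_rules()))
    print("2350 alerting too:", run(SAMPLE_EVENTS, build_rules(no_alert_on_bind=False)))
```

The point the simulation makes is that flowbit state is tracked per session: SID 2351 matching on flowB is silently dropped because no bind accept was seen there, which is what keeps the exploit signatures from alerting on unrelated traffic that happens to contain the same bytes.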
Affected Systems | Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, Windows Server 2003 |
Attack Scenarios | An attacker may make a request for a file with an overly long filename via a network share. |
Ease of Attack | Simple. Exploit code exists. This is also exploited by a worm. |
Corrective Action | Apply the appropriate vendor supplied patches.
Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall.
Block access to port 69 used by the worm to propagate.
Block access to port 4444 used by the worm. |
Additional References | Microsoft: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html |
Rule References | bugtraq: 8205
cve: 2003-0352
nessus: 11808
url: www.microsoft.com/technet/security/bulletin/MS03-026.mspx |