GEN:SID | 1:1239 |
Message | NETBIOS RFParalyze Attempt |
Summary | This event is generated when an attempt is made to execute the RFParalyze DoS exploit.
|
Impact | If the destination machine is vulnerable, it may start behaving unpredictably. Succesful exploitation may lead to a full system crash or may cause certain services to become unavailable.
|
Detailed Information | This signature triggers on execution of RFParalyze, an exploit written in 2000 by Rain Forest Puppy. It was based on a binary exploit called "whisper", which was used in the wild at that time. This exploit performs a NetBIOS session request with a source host of NULL, which is incorrectly handled by Windows 95/98 hosts.
|
Affected Systems | Windows 95 Windows 98
|
Attack Scenarios | An attacker can crash critical machines, thereby preventing them from being accessed by legitimate clients.
|
Ease of Attack | Simple. Exploit code exists.
|
Corrective Action | Patches are not available from the vendor.
Use a packet filtering firewall to block inbound traffic to port 139/TCP from all untrusted networks & hosts
Upgrade critical machines to a more recent and supported version of the operating system.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/1163
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347
|
Rule References | bugtraq: 1163
cve: 2000-0347
nessus: 10392
|