4766.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:


--
Summary:
This event is generated when an attempt is made to exploit a known vulnerability in the Microsoft Windows locator service. In particular this rule generates an event when an attempt is made to exploit the function "dcerpc_request" via the "nsi_binding_lookup_begin" command.

--
Impact:
Serious. Execution of arbitrary code leading to unauthorized administrative access to the target host. Denial of Service (DoS) is also possible.

--
Detailed Information:
A vulnerability in the locator service exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system. The attacker may also cause a DoS condition in the service or possibly gain unauthorized access to the target host.

Arguments from a remote RPC call are copied to a local memory buffer without sufficient checks being made on the user supplied data. An attacker can supply code of their choosing by using these arguments to overflow a static buffer causing a possible DoS on the service. Code execution in the context of the administrator account is also possible.

In particular this rule generates an event when an attempt is made to exploit the function "dcerpc_request" via the "nsi_binding_lookup_begin" command.

--
Affected Systems:
Microsoft Windows XP SP1 and prior
Microsoft Windows NT Workstation SP6a and prior
Microsoft Windows NT Server SP6a and prior
Microsoft Windows 2000 Server SP3 and prior
Microsoft Windows 2000 Professional SP3 and prior

--
Attack Scenarios:
An attacker can supply data of their choosing as arguments to the RPC call to cause the overflow to occur, prior authentication is not required.

--
Ease of Attack:
Simple. Exploit code exists.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

--
Contributors:
Sourcefire Vulnerability Research Team
Matt Watchinski <matthew.watchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--