2257.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:

--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in the Microsoft Windows Messenger service.

--
Impact:
Serious. Denial of Service (DoS), execution of arbitrary code is
possible.

--
Detailed Information:
Due to improper length validation in the Microsoft Windows Messenger
service, it may be possible for an attacker to overwrite portions of
memory. This can result in the attacker being presented with the
opportunity to execute code of their choosing. Under some circumstances
a Denial of Service condition may be possible against the target host.

Specifically, this vulnerability may present the attacker with the
opportunity to execute code with the privileges of the local system
account with full access to all resources on the target host.

--
Affected Systems:
	Microsoft Windows NT Workstation 4.0, Service Pack 6a
	Microsoft Windows NT Server 4.0, Service Pack 6a
	Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
	Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
	Microsoft Windows XP Gold, Service Pack 1
	Microsoft Windows XP 64-bit Edition
	Microsoft Windows XP 64-bit Edition Version 2003
	Microsoft Windows Server 2003
	Microsoft Windows Server 2003 64-bit Edition

--
Attack Scenarios:
The attacker may use one of the available exploits to target a
vulnerable host.

--
Ease of Attack:
Simple. Exploit code exists.

--
False Positives:
None known.

--
False Negatives:
None known

--
Corrective Action:
Apply the appropriate vendor supplied patches and service packs.

Disable the Windows messenger service

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CERT:
http://www.kb.cert.org/vuls/id/575892

Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp

--