2102.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:  

--
Sid: 2102

--
Summary:

A buffer overflow exists in the SMB (Server Message Block) Protocol 
implementation in Microsfot Windows NT, Windows 2000, and Windows XP 
that allows attackers to cause a denial of service via a NetShareEnum 
request.

This rule has been deprecated due to an inordinately large number of 
false positives. Rule 2101 has been modified to take this into account.

--
Impact:

An attacker can cause the target system to lock up and require manual
reboot.  With more research, an attacker may be able to exploit this
buffer overflow and execute arbitrary code, but this research has not
been made public at this time.

--
Detailed Information:

SMB on a vulnerable system may crash if it recieves a specially crafted
packet containing a NetServerEnum, NetServerEnum2, or NetServerEnum3 
transaction request.  If either the paramaters "Max Parameter Count" or
"Max Data Count" are set to 0, then a vulnerable system will crash.  
NetServerEnum requests require an authorized user account, however 
NetServerEnum2 and NetServerEnum3 require anonymous access.  Anonymous
access is enabled by default.  This signature looks for a "Max Data Count" 
set to 0.

--
Attack Scenarios:

An attacker would use one of the various publicly available tools to launch
this attack.

--
Ease of Attack:

Numerous tools, including a windows binary (SMBDie.exe), have been made
publicly availablet exploit the denial of service portion of this vulnerability.

--
False Positives:

This rule may trigger on functions other than NetServerEnum, NetServerEnum2,
or NetServerEnum3.  Because a SMB decoder is not available in Snort at this time,
verifying that the function that is being called is not feasable.

--
False Negatives:

No false negatives are known at this time.

--
Corrective Action:

Install the patches available from Microsoft.  The patches are listed in
Microsoft's advisory for this vulnerability.

www.microsoft.com/technet/security/bulletin/MS02-045.asp

--
Contributors:

Brian Caswell <bmc@snort.org>

-- 
Additional References:

cve,CAN-2002-0724
url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; 
url,www.corest.com/common/showdoc.php?idx=262; 

--