[Snort-sigs] snort-db entry for sid 1257
beetle at ...308...
Wed Jan 23 19:00:04 EST 2002
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS Winnuke
attack"; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153;
classtype: attempted-dos; sid: 1257; rev:2;)
Summary: Windows 95 and Windows NT 4.0 and earlier are vulnerable to a
Denial of Service (DoS) condition when Out of Band (OOB) data is sent to
port 139. This signature looks for a variation of this vulnerability.
Impact: A remote user can crash a vulnerable machine.
Detailed Information: The winnuke.c exploit showed up on Bugtraq in May of
1997 and quickly became one of the most reliable ways to give a remote
Windows 95 or NT user the "blue screen of death"--but had to be run from a
Unix attack platform. Versions of the exploit (with graphical user interfaces
even) then popped up for Windows script-kiddies and the DoS remained a
favorite prank to play in IRC until newer releases of Windows that were
not vulnerable propagated throughout the home market.
Attack Scenarios: This attack may be preceded by a scan for Windows
workstations (any machines with port 139 open) or a specific OS
fingerprint with Nmap or X. Kids may still attempt this classic DoS after
getting upset in IRC channels.
Ease of Attack: Thanks to several GUI versions that can run from Windows,
this attack is point-n-click easy.
False Positives: Mass TCP scan for 139 with Urgent flag set on the
Corrective Action: Check if target is running Windows. If it is not,
worry not. If it is, check that the version is not Windows 95 or Windows
NT 4.0 SP3 or earlier. Upgrade or patch vulnerable Windows versions.
Reboot machine to get rid of Blue Screen of Death (BSoD).
Contributors: Don Bailey (beetle at ...308...)
Additional References: bugtraq, 2010; cve, CVE-1999-0153
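The rule above fires on any TCP segment from $EXTERNAL_NET to $HOME_NET port 139 with the URG bit set (`flags: U+` means URG plus any other flags). The following is an added example, not Snort code and not from the entry's author: it builds a few constructed IPv4/TCP packets (no captures, checksums left at zero), parses the headers back, and applies the same match logic, including the scan case the entry lists as a false positive. $HOME_NET is assumed to be 192.168.1.0/24 and is approximated by a string-prefix test; packet, field and function names are hypothetical.

```python
"""Added example: mirror the match logic of Snort SID 1257 over constructed packets.

Not Snort code and not from the snort-db entry. HOME_NET is assumed to be
192.168.1.0/24 (prefix test only, a simplification of a real CIDR check).
"""
import struct

# TCP flag bits (RFC 793 layout of the flags byte).
URG, ACK, PSH, SYN = 0x20, 0x10, 0x08, 0x02
HOME = "192.168.1."   # assumed $HOME_NET


def build_ipv4_tcp(src, dst, sport, dport, flags, urg_ptr=0, payload=b""):
    """Build a raw IPv4+TCP packet for testing (constructed data, checksums zero)."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, urg_ptr)
    return ip_hdr + tcp_hdr + payload


def parse(pkt):
    """Return (src, dst, sport, dport, flags, urg_ptr, payload), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 = TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, _seq, _ack, off, flags, _win, _csum, urg_ptr = \
        struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    payload = pkt[ihl + (off >> 4) * 4:]
    return src, dst, sport, dport, flags, urg_ptr, payload


def sid1257_match(pkt, home_prefix=HOME):
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (flags: U+;)

    'U+' matches when URG is set regardless of the other flag bits, so a
    bare URG probe matches just like a real OOB segment.
    """
    fields = parse(pkt)
    if fields is None:
        return False
    src, dst, _sport, dport, flags, _urg_ptr, _payload = fields
    return (not src.startswith(home_prefix) and dst.startswith(home_prefix)
            and dport == 139 and bool(flags & URG))


# Constructed sample traffic (hypothetical addresses).
SAMPLES = {
    # OOB data to 139: URG set, urgent pointer at end of payload.
    "winnuke_oob": build_ipv4_tcp("203.0.113.9", "192.168.1.20", 1025, 139,
                                  URG | ACK | PSH, urg_ptr=4, payload=b"BOOM"),
    # Ordinary NetBIOS session traffic: no URG, must not alert.
    "smb_normal": build_ipv4_tcp("203.0.113.9", "192.168.1.20", 1026, 139,
                                 ACK | PSH, payload=b"\x00\x00\x00\x04SMB!"),
    # Scan probe with only URG set: the false positive the entry warns about.
    "urg_scan": build_ipv4_tcp("203.0.113.9", "192.168.1.20", 40000, 139, URG),
    # URG to another port: outside the rule's port match.
    "urg_to_80": build_ipv4_tcp("203.0.113.9", "192.168.1.20", 1027, 80,
                                URG | ACK, urg_ptr=1, payload=b"x"),
    # Home -> home: source is not $EXTERNAL_NET.
    "internal": build_ipv4_tcp("192.168.1.5", "192.168.1.20", 1028, 139,
                               URG | ACK, urg_ptr=1, payload=b"x"),
}


def classify_samples():
    """Run the rule over every sample; returns {name: alerted}."""
    return {name: sid1257_match(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:12s} -> {'ALERT sid:1257' if hit else 'no alert'}")
```

The `urg_scan` sample shows why the entry's corrective action starts with "check if the target is running Windows": the rule cannot tell an OOB crash attempt from a URG-flag scan, so triage on the target rather than on the alert alone.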