[Snort-sigs] snort-db entry for sid 1257

Beetle beetle at ...308...
Wed Jan 23 19:00:04 EST 2002

Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS Winnuke 
attack"; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153; 
classtype: attempted-dos; sid: 1257; rev:2;)

Sid: 1257

Summary: Windows 95 and Windows NT 4.0 (through SP3) and earlier are vulnerable 
to a Denial of Service (DoS) condition when TCP Out of Band (OOB) data, i.e. a 
segment with the URG flag set, is sent to port 139 (NetBIOS Session Service).  
This signature fires on any segment to port 139 with the URG flag set, which 
covers the original exploit and its variants. 
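The following is an added example and is not part of the snort-db entry or of Snort itself: a small Python evaluator for the header part of sid 1257, run over a few constructed TCP segments. It implements the semantics of the Snort `flags:` modifier (`U` exact, `U+` these bits plus any others, `U*` any of these bits, `!` negation), so the difference between `U` and the rule's `U+` is visible, and it reproduces the false-positive case the entry names (a port-139 scan whose probes carry URG). The `HOME_NET` value and the interpretation of `$EXTERNAL_NET` as "not in `$HOME_NET`" are assumptions for the example.

```python
"""Header-only evaluator for Snort sid 1257 (added example, not Snort code).

Checks: src not in $HOME_NET, dst in $HOME_NET, dst port 139, flags:U+.
The 'flags' matcher follows Snort semantics for the U / U+ / U* / !U forms.
"""
from dataclasses import dataclass
import ipaddress

# Snort flag letters -> bits of the TCP flags byte (RFC 793 order; E/C are ECN).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}

# Assumed for this example; a real sensor takes this from snort.conf.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    flags: int  # raw 8-bit TCP flags field


def flags_match(spec: str, flags: int) -> bool:
    """Evaluate a Snort 'flags:' value against a raw flags byte.

    'U'  -> exactly URG and nothing else
    'U+' -> URG set, any other bits allowed (what sid 1257 uses)
    'U*' -> any of the listed bits set
    '!…' -> negates whichever form follows
    The optional ',mask' suffix is not handled here.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "exact"
    if spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    elif spec.endswith("*"):
        mode, spec = "any", spec[:-1]
    want = 0
    for ch in spec:
        if ch != "0":  # '0' means "no flags set"; contributes nothing to want
            want |= FLAG_BITS[ch]
    if mode == "exact":
        hit = flags == want
    elif mode == "plus":
        hit = (flags & want) == want
    else:
        hit = (flags & want) != 0
    return (not hit) if negate else hit


def sid1257_matches(seg: Segment) -> bool:
    """Rule header + flags option of sid 1257; $EXTERNAL_NET taken as !$HOME_NET."""
    src_home = ipaddress.ip_address(seg.src) in HOME_NET
    dst_home = ipaddress.ip_address(seg.dst) in HOME_NET
    return (not src_home) and dst_home and seg.dport == 139 \
        and flags_match("U+", seg.flags)


# Constructed sample traffic (not captured data).
SAMPLE = [
    Segment("198.51.100.7", "192.0.2.10", 139, 0x38),  # URG|PSH|ACK: classic WinNuke
    Segment("198.51.100.7", "192.0.2.10", 139, 0x20),  # URG only
    Segment("198.51.100.7", "192.0.2.10", 139, 0x18),  # PSH|ACK: normal SMB traffic
    Segment("198.51.100.7", "192.0.2.10", 445, 0x22),  # URG|SYN to another port
    Segment("192.0.2.5",    "192.0.2.10", 139, 0x38),  # internal source: not $EXTERNAL_NET
    Segment("198.51.100.9", "192.0.2.11", 139, 0x30),  # URG|ACK scan probe: the false positive
]


def classify(segments=SAMPLE):
    """Return one boolean per segment: does sid 1257 fire on it?"""
    return [sid1257_matches(s) for s in segments]


if __name__ == "__main__":
    for seg, hit in zip(SAMPLE, classify()):
        print(f"{seg.src:>14} -> {seg.dst}:{seg.dport} flags=0x{seg.flags:02x} "
              f"{'ALERT' if hit else '-'}")
```

The last sample segment shows why the entry lists URG-flagged port-139 scans as a false positive: the rule inspects only the flags byte and the destination port, not the urgent pointer or the payload, so any probe that sets URG looks identical to the attack at this level.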

Impact: A remote user can crash a vulnerable machine.

Detailed Information: The winnuke.c exploit showed up on Bugtraq in May of 
1997 and quickly became one of the most reliable ways to give a remote 
Windows 95 or NT user the "blue screen of death"--but it had to be run from a 
Unix attack platform.  Versions of the exploit (some with graphical user 
interfaces) then popped up for Windows script-kiddies, and the DoS remained a 
favorite prank to play in IRC until newer releases of Windows that were 
not vulnerable propagated throughout the home market.  

Attack Scenarios: This attack may be preceded by a scan for Windows 
workstations (any machines with port 139 open) or by a specific OS 
fingerprint with Nmap or X.  Kids may still attempt this classic DoS after 
getting upset in IRC channels.  

Ease of Attack: Thanks to several GUI versions that run from Windows, 
this attack is point-and-click easy.

False Positives: A mass TCP scan of port 139 with the Urgent flag set on the 
probe packets.  The rule checks only the flags byte and the destination port, 
not the urgent pointer or payload, so any URG-flagged segment to port 139 from 
outside $HOME_NET will fire it.

False Negatives:

Corrective Action: Check whether the target is running Windows.  If it is not, 
worry not.  If it is, check that the version is not Windows 95 or Windows 
NT 4.0 SP3 or earlier.  Upgrade or patch vulnerable Windows versions.  
Reboot the machine to clear the Blue Screen of Death (BSoD).

Contributors: Don Bailey (beetle at ...308...)

Additional References: bugtraq, 2010; cve, CVE-1999-0153
