[Snort-sigs] SID 1239: NetBIOS RFParalyze Attempt (documentation)

Maarten Van Horenbeeck maarten at ...2078...
Mon Dec 22 15:21:01 EST 2003


Dear Moderator,

Please discard my previous three e-mails which were sent before actually
subscribing to this list.  They contain the same content, and do not offer
any improvements on the documentation presented below.


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule: NETBIOS RFParalyze Attempt
--
Sid: 1239
--
Summary: This signature triggers upon execution of the RFParalyze DoS
exploit.
--
Impact: If the destination machine is vulnerable, it may start behaving
unpredictably.  Successful exploitation may lead to a full system crash or
may cause certain services to become unavailable.
--
Detailed Information: This signature triggers on execution of RFParalyze,
an exploit written in 2000 by Rain Forest Puppy.  It was based on a binary
exploit called "whisper", which was used in the wild at that time.  This
exploit performs a NetBIOS session request with a source host of NULL,
which is incorrectly handled by Windows 95/98 hosts.
--
Affected Systems: Windows 95 and Windows 98 hosts.
--
Attack Scenarios: An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.
--
Ease of Attack: Easy.  Exploit code is widely available.
--
False Positives: All packets towards port 139/TCP which contain the
strings "BEAVIS" and "yep yep".
--
False Negatives: Potential future versions of this exploit, which use
different message strings, will not be detected by this signature.
--
Corrective Action:  There are no patches available from the vendor,
Microsoft.  We advise you to block inbound traffic to port 139/TCP from
all untrusted networks & hosts, and to upgrade critical machines to a more
recent version of Microsoft Windows.
--
Contributors:
Documentation contributed by Maarten Van Horenbeeck (maarten at ...2078...)
--
Additional References:
<a href="http://www.securityfocus.com/bid/1163">BID-1163</a> - Microsoft
Windows 9x NetBIOS NULL Name Vulnerability
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347">CVE-2000-0347</a>
- Windows 95 and Windows 98 allow a remote attacker to cause a denial of
service via a NetBIOS session request packet with a NULL source name


Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten at ...2078...
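As an added illustration of what the signature and the CVE description look for, and not code from Maarten's post or from the Snort rule itself, the following Python parses a NetBIOS session request (RFC 1002) out of a TCP/139 payload, flags a calling name that decodes to all NUL or all blank bytes (my assumption of how a "NULL source name" appears on the wire), and separately checks for the SID 1239 content strings named above. The two sample packets are constructed for the test, not captured traffic.

```python
import struct

SESSION_REQUEST = 0x81  # NetBIOS session service type for SESSION REQUEST (RFC 1002 4.3.2)
RFPARALYZE_STRINGS = (b"BEAVIS", b"yep yep")  # content strings of Snort SID 1239 per the post

def decode_level1(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: 32 chars 'A'..'P', two per original byte."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))

def parse_session_request(payload: bytes):
    """Return (called_name, calling_name) as raw 16-byte names, or None if malformed."""
    if len(payload) < 4 or payload[0] != SESSION_REQUEST:
        return None
    length = struct.unpack("!H", payload[2:4])[0] | ((payload[1] & 1) << 16)
    body, names, pos = payload[4:4 + length], [], 0
    for _ in range(2):  # CALLED NAME then CALLING NAME, each a 0x20-length label + 0x00 end
        if pos + 34 > len(body) or body[pos] != 0x20 or body[pos + 33] != 0x00:
            return None
        try:
            names.append(decode_level1(body[pos + 1:pos + 33]))
        except ValueError:
            return None
        pos += 34
    return names[0], names[1]

def inspect(payload: bytes) -> list:
    """Return the reasons this TCP/139 payload looks like RFParalyze; [] means clean."""
    reasons = [f"content {s.decode()!r}" for s in RFPARALYZE_STRINGS if s in payload]
    parsed = parse_session_request(payload)
    # Assumption: a "NULL source name" decodes to all NUL or all blank bytes.
    if parsed is not None and parsed[1].strip(b"\x00 ") == b"":
        reasons.append("null calling name")
    return reasons

# --- constructed sample traffic for exercising the check (not captured data) ---
def _encode_level1(name: bytes) -> bytes:
    padded = name.ljust(16, b" ")[:16]  # NetBIOS names are 16 bytes, blank padded
    return bytes(c for b in padded for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41))

def build_session_request(called: bytes, calling: bytes) -> bytes:
    body = b"\x20" + _encode_level1(called) + b"\x00\x20" + _encode_level1(calling) + b"\x00"
    return bytes([SESSION_REQUEST, 0]) + struct.pack("!H", len(body)) + body

SAMPLE_NORMAL = build_session_request(b"FILESERVER", b"WORKSTATION1")
SAMPLE_NULL_NAME = build_session_request(b"FILESERVER", b"\x00" * 16)
```

Because the name check decodes the request rather than matching fixed strings, it also covers the false-negative case the post mentions (a variant that changes its message strings but keeps the NULL calling name).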