[Snort-sigs] SID 1239: NetBIOS RFParalyze Attempt (documentation)

Maarten Van Horenbeeck maarten at ...2078...
Mon Dec 22 15:21:01 EST 2003

Dear Moderator,

Please discard my previous three e-mails which were sent before actually
subscribing to this list.  They contain the same content, and do not offer
any improvements on the documentation presented below.

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: NETBIOS RFParalyze Attempt
Sid: 1239
Summary: This signature triggers upon execution of the RFParalyze DoS
Impact: If the destination machine is vulnerable, it may start behaving
unpredictably.  Successful exploitation may lead to a full system crash or
may cause certain services to become unavailable.
Detailed Information: This signature triggers on execution of RFParalyze,
an exploit written in 2000 by Rain Forest Puppy.  It was based on a binary
exploit called "whisper", which was used in the wild at that time.  This
exploit performs a NetBIOS session request with a source host of NULL,
which is incorrectly handled by Windows 95/98 hosts.
Affected Systems: Windows 95 and Windows 98 hosts.
Attack Scenarios: An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.
Ease of Attack: Easy.  Exploit code is widely available.
False Positives: All packets towards port 139/TCP which contain the
strings "BEAVIS" and "yep yep".
False Negatives: Potential future versions of this exploit, which use
different message strings, will not be detected by this signature.
Corrective Action:  There are no patches available from the vendor,
Microsoft.  We advise you to block inbound traffic to port 139/TCP from
all untrusted networks & hosts, and to upgrade critical machines to a more
recent version of Microsoft Windows.
Documentation contributed by Maarten Van Horenbeeck (maarten at ...2078...)
Additional References:
BID-1163 (http://www.securityfocus.com/bid/1163) - Microsoft
Windows 9x NetBIOS NULL Name Vulnerability
- Windows 95 and Windows 98 allow a remote attacker to cause a denial of
service via a NetBIOS session request packet with a NULL source name

Best regards,

Maarten Van Horenbeeck
maarten at ...2078...
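Added example, not part of the post above or of the Snort rule set: a small emulation of the match condition the documentation describes for SID 1239 (traffic to 139/TCP carrying both the "BEAVIS" and "yep yep" strings), run over constructed sample segments so that the documented false-positive case can be checked. The `Segment` type, the sample payloads and the function names are assumptions made for this illustration; the payload bytes are invented and are not the exploit's actual data.

```python
# Added example (not part of the original post or of the Snort rule set):
# a minimal emulation of the match condition the documentation describes
# for SID 1239, so the false-positive note can be checked against sample
# payloads.  Every segment below is constructed for illustration.

from dataclasses import dataclass

NETBIOS_SESSION_PORT = 139
REQUIRED_STRINGS = (b"BEAVIS", b"yep yep")  # strings named in the documentation


@dataclass(frozen=True)
class Segment:
    """A TCP segment as a detector would see it (constructed, not captured)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


def matches_sid_1239(seg: Segment) -> bool:
    """True when the segment satisfies the documented condition:
    destined to 139/TCP and carrying BOTH marker strings (an AND, not an OR)."""
    if seg.dst_port != NETBIOS_SESSION_PORT:
        return False
    return all(marker in seg.payload for marker in REQUIRED_STRINGS)


def scan(segments):
    """Return the (src, dst) pairs of the segments that trigger the signature."""
    return [(s.src, s.dst) for s in segments if matches_sid_1239(s)]


# Constructed sample traffic:
#  1. a segment to 139/TCP containing both markers (matches);
#  2. a benign-looking transfer on 139/TCP that merely contains both strings,
#     i.e. the false positive the documentation warns about (also matches);
#  3. both strings on another port (no match: the rule is scoped to 139/TCP);
#  4. ordinary traffic to 139/TCP without the markers (no match).
SAMPLE = [
    Segment("10.0.0.5", "10.0.0.20", 139, b"constructed BEAVIS ... yep yep"),
    Segment("10.0.0.6", "10.0.0.21", 139, b"chat.log: BEAVIS said yep yep"),
    Segment("10.0.0.7", "10.0.0.22", 8080, b"BEAVIS yep yep"),
    Segment("10.0.0.8", "10.0.0.23", 139, b"ordinary session request"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("SID 1239 match:", hit)
```

The second sample is the point of the exercise: because the signature keys on two literal strings and a destination port only, any payload to 139/TCP that happens to contain them fires the rule, which is exactly the false-positive condition stated in the documentation.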
