[Snort-sigs] sid: 1239
Maarten Van Horenbeeck
maarten at ...2078...
Tue Dec 30 07:50:10 EST 2003
Rule: NETBIOS RFParalyze Attempt
Summary: This signature triggers upon execution of the RFParalyze DoS
Impact: If the destination machine is vulnerable, it may start behaving
unpredictably. Successful exploitation may lead to a full system crash or
may cause certain services to become unavailable.
Detailed Information: This signature triggers on execution of RFParalyze,
an exploit written in 2000 by Rain Forest Puppy. It was based on a binary
exploit called "whisper", which was used in the wild at that time. This
exploit performs a NetBIOS session request with a source host of NULL,
which is incorrectly handled by Windows 95/98 hosts.
Affected Systems: Windows 95 and Windows 98 hosts.
Attack Scenarios: An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.
Ease of Attack: Easy. Exploit code is widely available.
False Positives: All packets towards port 139/TCP which contain the
strings "BEAVIS" and "yep yep".
False Negatives: Potential future versions of this exploit, which use
different message strings, will not be detected by this signature.
Corrective Action: There are no patches available from the vendor,
Microsoft. We advise you to block inbound traffic to port 139/TCP from
all untrusted networks & hosts, and to upgrade critical machines to a more
recent version of Microsoft Windows.
Original rule writer unknown
Maarten Van Horenbeeck (maarten at ...2078...)
BID-1163 (http://www.securityfocus.com/bid/1163) - Microsoft
Windows 9x NetBIOS NULL Name Vulnerability
- Windows 95 and Windows 98 allow a remote attacker to cause a denial of
service via a NetBIOS session request packet with a NULL source name
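
The False Positives and False Negatives notes above both follow from matching on message strings rather than on the malformed field itself. As an added example (not part of the original post or of Snort), the Python below runs a string check and a structural check over constructed payloads; the function and sample names, and the reading of a NULL source name as a calling name with no labels, are assumptions.

```python
import struct

SIG_STRINGS = (b"BEAVIS", b"yep yep")  # strings named under False Positives
SESSION_REQUEST = 0x81                 # RFC 1002 session request packet type

def string_match(payload: bytes) -> bool:
    """Content-style check: both strings anywhere in a 139/TCP payload."""
    return all(s in payload for s in SIG_STRINGS)

def read_name(buf: bytes, off: int):
    """Read one encoded NetBIOS name; return (labels, offset after it)."""
    labels = []
    while buf[off]:                    # IndexError if the name is truncated
        n = buf[off]
        if n > 63 or off + 1 + n > len(buf):
            raise ValueError("bad label length")
        labels.append(buf[off + 1:off + 1 + n])
        off += 1 + n
    return labels, off + 1             # skip the terminating zero label

def null_calling_name(payload: bytes) -> bool:
    """Structural check: session request whose calling name has no labels.
    Assumption: that is how the NULL source name appears on the wire."""
    if len(payload) < 4 or payload[0] != SESSION_REQUEST:
        return False
    length = struct.unpack(">H", payload[2:4])[0]
    body = payload[4:4 + length]
    try:
        _, off = read_name(body, 0)    # called (destination) name
        calling, _ = read_name(body, off)
    except (ValueError, IndexError):
        return False                   # malformed: left to other checks
    return not calling

def encode_name(raw: bytes) -> bytes:
    """First-level encoding of a 16-byte name; used for sample data only."""
    half = bytes(0x41 + v for c in raw.ljust(16) for v in (c >> 4, c & 15))
    return b"\x20" + half + b"\x00"

def packet(ptype: int, body: bytes) -> bytes:
    return struct.pack(">BBH", ptype, 0, len(body)) + body

# Constructed samples, not captured traffic.
SAMPLES = {
    "normal": packet(0x81, encode_name(b"FILESRV") + encode_name(b"CLIENT1")),
    "null_source": packet(0x81, encode_name(b"FILESRV") + b"\x00"),
    "benign_text": packet(0x00, b"BEAVIS says yep yep"),
}
RESULTS = {k: (string_match(v), null_calling_name(v)) for k, v in SAMPLES.items()}
```

Each `RESULTS` entry is `(string_match, null_calling_name)`: the string check misses `null_source` and fires on `benign_text`, while the structural check does the reverse.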