[Snort-sigs] sid: 1239

Maarten Van Horenbeeck maarten at ...2078...
Tue Dec 30 07:50:10 EST 2003

Rule: NETBIOS RFParalyze Attempt

Sid: 1239

Summary: This signature triggers upon execution of the RFParalyze DoS.

Impact: If the destination machine is vulnerable, it may start behaving
unpredictably.  Successful exploitation may lead to a full system crash or
may cause certain services to become unavailable.

Detailed Information: This signature triggers on execution of RFParalyze,
an exploit written in 2000 by Rain Forest Puppy.  It was based on a binary
exploit called "whisper", which was used in the wild at that time.  This
exploit performs a NetBIOS session request with a source host of NULL,
which is incorrectly handled by Windows 95/98 hosts.

Affected Systems: Windows 95 and Windows 98 hosts.

Attack Scenarios: An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.

Ease of Attack: Easy.  Exploit code is widely available.

False Positives: All packets towards port 139/TCP which contain the
strings "BEAVIS" and "yep yep".

False Negatives: Potential future versions of this exploit, which use
different message strings, will not be detected by this signature.

Corrective Action:  There are no patches available from the vendor,
Microsoft.  We advise you to block inbound traffic to port 139/TCP from
all untrusted networks & hosts, and to upgrade critical machines to a more
recent version of Microsoft Windows.

Original rule writer unknown
Maarten Van Horenbeeck (maarten at ...2078...)

Additional References:
BID-1163 (http://www.securityfocus.com/bid/1163) - Microsoft
Windows 9x NetBIOS NULL Name Vulnerability
- Windows 95 and Windows 98 allow a remote attacker to cause a denial of
service via a NetBIOS session request packet with a NULL source name
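
Added example, not part of the original post or of the Snort rule set: a Python sketch that contrasts the string match described under False Positives and False Negatives with a structural check for the NULL source name in the NetBIOS session request (RFC 1002). It assumes "NULL" means a calling name that is an empty label or that decodes to only NUL bytes; all function names and sample payloads are constructed for illustration.

```python
import struct

SESSION_REQUEST = 0x81                 # RFC 1002 session packet type
SIG_STRINGS = (b"BEAVIS", b"yep yep")  # strings the write-up says sid 1239 matches

def string_match(payload: bytes) -> bool:
    """Both strings anywhere in a 139/TCP payload, as the signature is described."""
    return all(s in payload for s in SIG_STRINGS)

def read_name(buf: bytes, off: int):
    """Decode one first-level-encoded NetBIOS name; return (raw name, next offset)."""
    if off >= len(buf):
        raise ValueError("truncated")
    n = buf[off]
    if n == 0:                         # bare terminator: empty name
        return b"", off + 1
    label, end = buf[off + 1:off + 1 + n], off + 1 + n
    if len(label) != n or n % 2 or end >= len(buf) or buf[end] != 0:
        raise ValueError("malformed")
    if any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("bad encoding")
    pairs = zip(label[::2], label[1::2])
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs), end + 1

def null_calling_name(payload: bytes) -> bool:
    """Assumption: 'NULL source' = calling name empty or decoding to only NULs."""
    if len(payload) < 4 or payload[0] != SESSION_REQUEST:
        return False
    try:
        _called, off = read_name(payload, 4)
        calling, _ = read_name(payload, off)
    except ValueError:
        return False                   # unparseable; a sensor might alert separately
    return calling.strip(b"\x00") == b""

def encode(name: bytes) -> bytes:
    """Sample-building helper: space-pad to 16 bytes and first-level encode."""
    body = bytes(b for c in name.ljust(16) for b in (0x41 + (c >> 4), 0x41 + (c & 15)))
    return bytes([len(body)]) + body + b"\x00"

def session_request(called: bytes, calling_field: bytes) -> bytes:
    body = encode(called) + calling_field
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body

# Constructed sample payloads (not captured traffic)
NORMAL_REQ = session_request(b"FILESRV", encode(b"WORKSTATION1"))
NULL_REQ = session_request(b"FILESRV", b"\x00")   # no signature strings present
BENIGN_TEXT = b"BEAVIS says: yep yep"             # e.g. file content sent over 139/TCP

def verdicts(p: bytes):
    return string_match(p), null_calling_name(p)
```

Here `verdicts` returns the pair (string match, structural match): BENIGN_TEXT trips only the string match, while NULL_REQ is missed by the strings and caught only by the structural check.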
