[Snort-sigs] sid: 1239

Maarten Van Horenbeeck maarten at ...2078...
Tue Dec 30 07:50:10 EST 2003


Rule: NETBIOS RFParalyze Attempt

--
Sid: 1239

--
Summary: This signature triggers upon execution of the RFParalyze DoS
exploit.

--
Impact: If the destination machine is vulnerable, it may start behaving
unpredictably.  Successful exploitation may lead to a full system crash or
may cause certain services to become unavailable.

--
Detailed Information: This signature triggers on execution of RFParalyze,
an exploit written in 2000 by Rain Forest Puppy.  It was based on a binary
exploit called "whisper", which was used in the wild at that time.  The
exploit sends a NetBIOS session request (139/TCP) whose source (calling)
name is NULL; Windows 95/98 hosts handle such a request incorrectly.

--
Affected Systems: Windows 95 and Windows 98 hosts.

--
Attack Scenarios: An attacker can crash critical machines, thereby
preventing them from being accessed by legitimate clients.

--
Ease of Attack: Easy.  Exploit code is widely available.

--
False Positives: Any packet towards port 139/TCP which contains both the
strings "BEAVIS" and "yep yep" will trigger this signature, whether or not
it is the exploit.

--
False Negatives: Future versions of this exploit which use different
message strings will not be detected by this signature, nor will any other
tool that sends the same malformed session request without those strings.
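As an added example (not part of the original post or of the Snort rule set),
the following Python reproduces the detection logic described above for
sid 1239 and runs it over constructed sample payloads, so the false-positive
and false-negative notes can be seen directly: a benign payload carrying both
strings fires the rule, and a variant with different strings does not.  It
also goes one step beyond the post with a structural check that decodes the
NetBIOS session request (RFC 1002 first-level encoding) and flags a calling
name that is all NUL bytes.  That check assumes the "NULL source name" of
CVE-2000-0347 means a calling-name field that decodes to sixteen 0x00 bytes;
the sample payloads are constructed here, not captures of RFParalyze.

```python
"""Added example, not from the Snort-sigs post: sid 1239 content match
re-implemented in Python beside a structural NetBIOS session-request check.
Sample payloads below are constructed for illustration, not real captures."""

from dataclasses import dataclass
import struct

# Strings the post says sid 1239 matches on, and the port it watches.
SIGNATURE_STRINGS = (b"BEAVIS", b"yep yep")
NETBIOS_SSN_PORT = 139
SESSION_REQUEST = 0x81  # RFC 1002 session service message type


@dataclass
class TcpSegment:
    """Only the fields the rule consults."""
    dst_port: int
    payload: bytes


def matches_sid_1239(seg: TcpSegment) -> bool:
    """Mirror the rule: traffic to 139/TCP carrying both content strings."""
    if seg.dst_port != NETBIOS_SSN_PORT:
        return False
    return all(s in seg.payload for s in SIGNATURE_STRINGS)


def encode_netbios_name(name: bytes) -> bytes:
    """RFC 1002 first-level encoding: 16-byte name, each byte -> two 'A'+nibble chars."""
    name = name.ljust(16, b" ")[:16]
    out = bytearray([0x20])  # label length is always 32
    for b in name:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    out.append(0)  # root label terminator
    return bytes(out)


def decode_netbios_name(label: bytes) -> bytes:
    """Inverse of first-level encoding; returns the raw 16 name bytes."""
    if len(label) != 34 or label[0] != 0x20 or label[-1] != 0:
        raise ValueError("malformed NetBIOS name")
    raw = bytearray()
    for i in range(1, 33, 2):
        hi, lo = label[i] - ord("A"), label[i + 1] - ord("A")
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid nibble character")
        raw.append((hi << 4) | lo)
    return bytes(raw)


def has_null_calling_name(payload: bytes) -> bool:
    """Assumed condition from CVE-2000-0347: session request whose calling
    name decodes to all NUL bytes (this interpretation is an assumption)."""
    if len(payload) < 4 + 68 or payload[0] != SESSION_REQUEST:
        return False
    length = ((payload[1] & 0x01) << 16) | struct.unpack("!H", payload[2:4])[0]
    if length < 68:  # two 34-byte encoded names at minimum
        return False
    try:
        decode_netbios_name(payload[4:38])        # called name
        calling = decode_netbios_name(payload[38:72])
    except ValueError:
        return False
    return calling == b"\x00" * 16


def build_session_request(called: bytes, calling: bytes, trailer: bytes = b"") -> bytes:
    """Constructed session request; trailer stands in for further exploit data."""
    body = encode_netbios_name(called) + encode_netbios_name(calling) + trailer
    return bytes([SESSION_REQUEST, 0]) + struct.pack("!H", len(body)) + body


# Constructed samples (labels are hypothetical, not taken from the exploit).
SAMPLES = {
    "exploit_like": TcpSegment(139, build_session_request(
        b"TARGET", b"\x00" * 16, b"BEAVIS yep yep")),
    "benign_with_strings": TcpSegment(139, b"file text: BEAVIS says yep yep"),
    "variant_strings": TcpSegment(139, build_session_request(
        b"TARGET", b"\x00" * 16, b"BUTTHEAD")),
    "normal_session": TcpSegment(139, build_session_request(b"TARGET", b"CLIENT")),
    "wrong_port": TcpSegment(445, build_session_request(
        b"TARGET", b"\x00" * 16, b"BEAVIS yep yep")),
}


def classify(seg: TcpSegment) -> tuple:
    """(signature fired, structural NULL-name check fired)."""
    return matches_sid_1239(seg), has_null_calling_name(seg.payload)


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        sig, struct_hit = classify(seg)
        print(f"{name:20s} sid1239={sig!s:5s} null_calling_name={struct_hit}")
```

Run as-is to see the five cases side by side: "benign_with_strings" is the
false positive the post warns about, and "variant_strings" is the false
negative, which the structural check still catches because it keys on the
malformed request rather than on the exploit's strings.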

--
Corrective Action:  There are no patches available from the vendor,
Microsoft.  We advise you to block inbound traffic to port 139/TCP from
all untrusted networks and hosts, and to upgrade critical machines to a
more recent version of Microsoft Windows.

--
Contributors:
Original rule writer unknown
Maarten Van Horenbeeck (maarten at ...2078...)

-- 
Additional References:
BID-1163 (http://www.securityfocus.com/bid/1163) - Microsoft Windows 9x
NetBIOS NULL Name Vulnerability
CVE-2000-0347 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0347)
- Windows 95 and Windows 98 allow a remote attacker to cause a denial of
service via a NetBIOS session request packet with a NULL source name
