[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276

Nigel Houghton nigel at ...435...
Thu Jun 30 19:28:46 EDT 2005


On  0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> 
> 
> Joel Esler wrote:
> >Are you sure this is a false positive?  The Signature is looking for  the 
> >little endian bind in RPC..  This looks to be that.
> >
> 
> Hi Joel,
> 	Thanks for checking this out. I freely admit I would not recognise 
> 	a "little endian bind in RPC" if it danced naked in front of me 
> 	singing "Waltzing Matilda" :) as one of my colleagues used to say 
> 	-- usually in reference to managers.
> 
> I do know that this is legit traffic, and since this rule does not have 
> any documentation that I can find I'm at a loss to know what to make of 
> it.  I may as well disable the rule. AFAIK both machines are windows 
> boxes. 
> Russell.

First, a real packet capture sent to research at sourcefire.com or any one 
of us on the VRT would certainly help tune the rule if it is a false
positive.

Now, not to beat everyone who "can't find documentation" over the head with
this, but it's getting old...

 # cd /path/to/snort/source/snort/doc/signatures
 # less 3276.txt

 <snip>

 Summary:
 This rule generates an event when an attempt is made to exploit a known
 vulnerability in Microsoft RPC DCOM.

 --
 Impact:
 Execution of arbitrary code leading to full administrator access of the
 machine. Denial of Service (DoS).

 --
 Detailed Information:
 A vulnerability exists in Microsoft RPC DCOM such that execution of 
 arbitrary code or a Denial of Service condition can be issued against a
 host by sending malformed data via RPC.

 The Distributed Component Object Model (DCOM) handles DCOM requests
 sent by clients to a server using RPC. A malformed request to an RPC 
 port will result in a buffer overflow condition that will present the 
 attacker with the opportunity to execute arbitrary code with the 
 privileges of the local system account.

 --
 Affected Systems:
	Windows NT 4.0
	Windows NT 4.0 Terminal Server Edition
	Windows 2000
	Windows XP
	Windows Server 2003

 <snip>

If it's not on snort.org, tell us about that too, we can probably fix
it.


+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!
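Since the thread turns on what a "little endian bind in RPC" to IActivation actually looks like on the wire, here is an added illustration (my own code, not Snort's, not Sourcefire's and not anything posted in this thread): a minimal DCE/RPC bind PDU parser that reads the data-representation (drep) byte and the abstract-syntax UUIDs, plus a builder for constructed sample PDUs. The IActivation and NDR transfer-syntax UUIDs are assumptions quoted from memory of the Microsoft and DCE documentation; the thread itself never states them.

```python
import struct
import uuid

PTYPE_BIND = 11  # DCE/RPC connection-oriented PDU type "bind"
# Assumptions not stated in the thread: the IActivation interface UUID as
# published by Microsoft, and the NDR transfer syntax UUID from the DCE spec.
IACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def _uuid_from_wire(buf, off, fmt):
    # time_low/time_mid/time_hi follow the PDU's drep; the last 8 bytes are raw
    low, mid, hi = struct.unpack_from(fmt + "IHH", buf, off)
    return uuid.UUID(bytes=struct.pack(">IHH", low, mid, hi) + buf[off + 8:off + 16])

def _uuid_to_wire(u, fmt):
    low, mid, hi = struct.unpack(">IHH", u.bytes[:8])
    return struct.pack(fmt + "IHH", low, mid, hi) + u.bytes[8:]

def parse_bind(pdu):
    """Return (integer endianness, [abstract-syntax UUIDs]) of a bind PDU."""
    ptype = pdu[2]
    fmt = "<" if pdu[4] & 0xF0 == 0x10 else ">"  # drep[0] high nibble: 1 = LE
    endian = "little" if fmt == "<" else "big"
    if ptype != PTYPE_BIND:
        return endian, []
    n_ctx = pdu[24]  # header(16) + max_xmit(2) + max_recv(2) + assoc_group(4)
    off, ifaces = 28, []  # n_context_elem(1) + 3 reserved bytes precede the list
    for _ in range(n_ctx):
        n_xfer = pdu[off + 2]  # p_cont_id(2), n_transfer_syn(1), reserved(1)
        off += 4
        ifaces.append(_uuid_from_wire(pdu, off, fmt))
        off += 20 + 20 * n_xfer  # abstract syntax + transfer syntaxes (uuid+version)
    return endian, ifaces

def is_little_endian_bind_to(pdu, iface=IACTIVATION):
    """The condition rule 3276 keys on: a little-endian bind naming IActivation."""
    endian, ifaces = parse_bind(pdu)
    return endian == "little" and iface in ifaces

def build_bind(iface, endian="little", call_id=1):
    """Constructed sample bind PDU with one presentation context (NDR 2.0)."""
    fmt = "<" if endian == "little" else ">"
    drep = bytes([0x10 if endian == "little" else 0x00, 0, 0, 0])
    ctx = struct.pack(fmt + "HBB", 0, 1, 0) + _uuid_to_wire(iface, fmt) + struct.pack(fmt + "HH", 0, 0)
    ctx += _uuid_to_wire(NDR_SYNTAX, fmt) + struct.pack(fmt + "HH", 2, 0)
    body = struct.pack(fmt + "HHI", 5840, 5840, 0) + bytes([1, 0, 0, 0]) + ctx
    hdr = bytes([5, 0, PTYPE_BIND, 0x03]) + drep + struct.pack(fmt + "HHI", 16 + len(body), 0, call_id)
    return hdr + body
```

Note that a bind is ordinary session setup, which is why a Windows host talking DCOM to another Windows host can trip a rule keyed on it; the bytes a content match sees for the UUID differ between the little- and big-endian forms, which is why Snort carries separate rules for each.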
