[Snort-sigs] False +VE for NETBIOS DCERPC IActivation little endian bind attempt,Sig ID,3276

Nigel Houghton nigel at ...435...
Thu Jun 30 19:28:46 EDT 2005

On  0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> Joel Esler wrote:
> >Are you sure this is a false positive?  The Signature is lookin for  the 
> >little endian bind in RPC..  This looks to be that.
> >
> Hi Joel,
> 	Thanks for checking this out. I freely admit I would not reconise 
> 	a "little endian bind in RPC" if it danced naked in front of me 
> 	singing "Waltzing Matilda" :) as one of my colleagues used to say 
> 	-- usually in reference to managers.
> I do know that this is legit traffic, and since this rule does not have 
> any documentation that I can find I'm at a loss to know what to make of 
> it.  I may as well disable the rule. AFAIK both machines are windows 
> boxes. 
> Russell.

First, a real packet capture sent to research at sourcefire.com or any one 
of us on the VRT would certainly help tune the rule if it is a false

Now, not to beat everyone who "can't find documentation" over the head with
this, but it's getting old...

 # cd /path/to/snort/source/snort/doc/signatures
 # less 3276.txt


 This rule generates an event when an attempt is made to exploit a known
 vulnerability in Microsoft RPC DCOM.

 Execution of arbitrary code leading to full administrator access of the
 machine. Denial of Service (DoS).

 Detailed Information:
 A vulnerability exists in Microsoft RPC DCOM such that execution of 
 arbitrary code or a Denial of Service condition can be issued against a
 host by sending malformed data via RPC.

 The Distributed Component Object Model (DCOM) handles DCOM requests
 sent by clients to a server using RPC. A malformed request to an RPC 
 port will result in a buffer overflow condition that will present the 
 attacker with the opportunity to execute arbitrary code with the 
 privileges of the local system account.

 Affected Systems:
	Windows NT 4.0
	Windows NT 4.0 Terminal Server Edition
	Windows 2000
	Windows XP
	Windows Server 2003


If it's not on snort.org, tell us about that too, we can probably fix


     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!

More information about the Snort-sigs mailing list