[Snort-users] Explanation of Rule 1:19189:4
rmkml at ...1855...
Tue Jan 29 07:50:12 EST 2013
This rule was renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
The Distributed File System (DFS) implementation in Microsoft Windows
XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
in DFS responses, which allows remote DFS servers to execute arbitrary
code via a crafted response, aka "DFS Memory Corruption
Please post a pcap if you have an FP.
On Tue, 29 Jan 2013, Nicholas Horton wrote:
> What is important to check with this alert?
> Does the vulnerability reside on the source or destination and what am I looking for?
> I saw on the source ip of this alert that it looks like it had installed KB2535512 back in June 2011.
>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt";
>> flow:established,to_client; flowbits:isset,smb.trans2.get_dfs_referral; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4;
>> content:"|00 00 00 00|"; within:4; byte_test:2,>,0xFFFD,47,little,relative; flowbits:unset,smb.trans2.get_dfs_referral;
>> metadata:policy security-ips drop, service netbios-ssn; reference:cve,2011-1868; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; classtype:attempted-admin; sid:19189; rev:4;)
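To see what the rule above actually tests, here is an added Python walkthrough (not from this thread or from the Snort rule set) that replays the rule's payload options one by one against a TCP segment and reports whether it would fire. It constructs its own minimal SMB_COM_TRANSACTION2 response carrying a RESP_GET_DFS_REFERRAL block, laid out per MS-CIFS/MS-DFSC as assumed here, so the `byte_test` offset of 47 bytes past the NT Status field lands on the 2-byte PathConsumed field at payload offset 60. The `flowbits:isset` condition depends on the client's earlier TRANS2_GET_DFS_REFERRAL request, which a single-packet check cannot see, so it is passed in as a flag. Function and variable names are this example's own.

```python
import struct

SMB_TRANS2_COMMAND = 0x32          # ASCII '2', which is why the rule matches "|FF|SMB2"


def build_dfs_referral_response(path_consumed: int) -> bytes:
    """Construct a minimal SMB Trans2 response with a RESP_GET_DFS_REFERRAL body.
    Constructed sample for testing the matcher, not captured traffic; only the
    fields the rule inspects carry meaningful values, everything else is zero."""
    # RESP_GET_DFS_REFERRAL header: PathConsumed, NumberOfReferrals, ReferralHeaderFlags
    dfs = struct.pack("<HHI", path_consumed, 0, 0)
    smb_header = (
        b"\xffSMB" + bytes([SMB_TRANS2_COMMAND])   # protocol id + command (offsets 4..8)
        + struct.pack("<I", 0)                      # NT Status = STATUS_SUCCESS (offsets 9..12)
        + bytes(23)                                 # Flags .. MID, zeroed (header is 32 bytes)
    )
    trans2 = (
        bytes([10])                                 # WordCount
        + struct.pack("<HHHHHHHHHBB",
                      0, len(dfs), 0,               # TotalParamCount, TotalDataCount, Reserved
                      0, 56, 0,                     # ParamCount, ParamOffset, ParamDisplacement
                      len(dfs), 56, 0,              # DataCount, DataOffset (from SMB header start), DataDisplacement
                      0, 0)                         # SetupCount, Reserved
        + struct.pack("<H", 1 + len(dfs))           # ByteCount: one pad byte plus the DFS data
        + b"\x00"                                   # Pad1, so the data block starts at payload offset 60
        + dfs
    )
    smb = smb_header + trans2
    nbss = b"\x00" + len(smb).to_bytes(3, "big")    # NetBIOS session message header
    return nbss + smb


def path_consumed_of(payload: bytes) -> int:
    """Decode the PathConsumed field the rule's byte_test reads (offset 13 + 47)."""
    return struct.unpack_from("<H", payload, 60)[0]


def matches_sid_19189(payload: bytes, dfs_referral_flowbit: bool = True) -> bool:
    """Replay the rule's detection options, in order, against one segment.
    dfs_referral_flowbit stands in for flowbits:isset,smb.trans2.get_dfs_referral."""
    if not dfs_referral_flowbit:
        return False
    # content:"|00|"; offset:1;  -> some 0x00 byte at or after offset 1
    if payload.find(b"\x00", 1) == -1:
        return False
    # content:"|FF|SMB2"; offset:4; depth:5;  -> SMB signature plus the Trans2
    # command byte must sit exactly in bytes 4..8
    if payload[4:9] != b"\xffSMB2":
        return False
    cursor = 9                                      # end of the previous match
    # content:"|00 00 00 00|"; within:4;  -> NT Status must be STATUS_SUCCESS
    # and must start within 4 bytes of the cursor, i.e. right at it
    if payload[cursor:cursor + 4] != b"\x00\x00\x00\x00":
        return False
    cursor += 4                                     # cursor is now 13
    # byte_test:2,>,0xFFFD,47,little,relative;  -> 2 little-endian bytes located
    # 47 bytes past the cursor (offset 60, PathConsumed) must exceed 0xFFFD
    field_at = cursor + 47
    if len(payload) < field_at + 2:
        return False
    return struct.unpack_from("<H", payload, field_at)[0] > 0xFFFD


if __name__ == "__main__":
    for value in (0x001A, 0xFFFD, 0xFFFE):
        pkt = build_dfs_referral_response(value)
        print(f"PathConsumed=0x{value:04X} -> alert: {matches_sid_19189(pkt)}")
```

Running it shows that a normal referral (PathConsumed of 26, the length of a short UNC path in bytes) is left alone, 0xFFFD is the last value the rule tolerates, and anything above it fires, which is the cut-off the rule encodes for CVE-2011-1868. When triaging a hit, that is the field to read in the pcap: it is the server's response, so the suspect is the DFS server at the source of the alert, and the potential victim is the client at the destination.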