[Snort-users] Explanation of Rule 1:19189:4

Joel Esler jesler at ...1935...
Tue Jan 29 10:52:08 EST 2013


Here's the text from the CVE:

The Distributed File System (DFS) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote DFS servers to cause a denial of service (system hang) via a crafted referral response, aka "DFS Referral Response Vulnerability."

The way to look at this is: are your systems patched against this vulnerability? If so, then what is causing the traffic to take place on the network? What process? Why?

The destination box is the one you want to be aware of.  

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jan 29, 2013, at 8:28 AM, Nicholas Horton <fivetenets at ...14399...> wrote:

> Thanks Rmkml. 
> 
> I don't have a pcap at this time but can record one.  What I do have is 2 alerts from 2 different sources going to the same destination IP generating this alert.
> 
> Sources are Windows 2003 Server titanium and the destination is an XP Pro box.
> 
> Both sources seem to already have patch KB2535512 installed. I'm not sure about the destination IP box.
> 
> I would like to see who has the vulnerability or where the issue is. For example, when I get another NetBIOS alert such as 1:14782 (Conficker), I'm able to verify with nmap that it has the Conficker infection.
> 
> So with the new NetBIOS alert, is there a possible infection? It lists no known false positives. So if both sources have the patch, should I check the destination, since this rule is flow to_client?
> 
> I read CVE-2011-1869 but I'm still not sure if this is an issue or not.
> 
> I guess I should turn on pcap output along with unified2. I can do both simultaneously, right?
> 
> Thanks again
> Nick
> 
> On Jan 29, 2013, at 7:50 AM, rmkml <rmkml at ...1855...> wrote:
> 
>> Hi Nicholas,
>> 
>> This rule was renamed in rev 5 to "OS-WINDOWS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"
>> 
>> CVE:
>> The Distributed File System (DFS) implementation in Microsoft Windows
>> XP SP2 and SP3 and Server 2003 SP2 does not properly validate fields
>> in DFS responses, which allows remote DFS servers to execute arbitrary
>> code via a crafted response, aka "DFS Memory Corruption
>> Vulnerability."
>> 
>> Please post a pcap if you have an FP.
>> 
>> Best Regards
>> Rmkml
>> 
>> 
>> On Tue, 29 Jan 2013, Nicholas Horton wrote:
>> 
>>> What is important to check with this alert?
>>> 
>>> Does the vulnerability reside on the source or destination and what am I looking for?
>>> 
>>> I saw on the source IP of this alert that it looks like it had installed KB2535512 back in June 2011.
>>> 
>>> Thanks
>>>> 
>>>> alert tcp $EXTERNAL_NET 445 -> $HOME_NET any ( \
>>>>   msg:"NETBIOS SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt"; \
>>>>   flow:established,to_client; \
>>>>   flowbits:isset,smb.trans2.get_dfs_referral; \
>>>>   content:"|00|"; offset:1; \
>>>>   content:"|FF|SMB2"; depth:5; offset:4; \
>>>>   content:"|00 00 00 00|"; within:4; \
>>>>   byte_test:2,>,0xFFFD,47,little,relative; \
>>>>   flowbits:unset,smb.trans2.get_dfs_referral; \
>>>>   metadata:policy security-ips drop, service netbios-ssn; \
>>>>   reference:cve,2011-1868; \
>>>>   reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-042; \
>>>>   classtype:attempted-admin; \
>>>>   sid:19189; rev:4; \
>>>> )
>>>> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
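To make the rule quoted above concrete, here is an added example (not from this thread, Sourcefire or the VRT) that builds a constructed SMB1 Trans2 GET_DFS_REFERRAL response and applies the rule's payload checks two ways: once exactly as sid 19189 rev 4 does, with its absolute and relative offsets, and once by walking the Trans2 header to DataOffset as a client would. The field layout (4-byte NetBIOS session header, 32-byte SMB header, WordCount 10, DataOffset 56) is the standard MS-CIFS layout, which is also what the rule's 13+47=60 arithmetic assumes; the frames, hosts and values are made up for the demonstration, and the rule's flowbits precondition (a GET_DFS_REFERRAL request already seen on the session) and the to_client direction are taken as met. Two things fall out of it: the byte_test leaves exactly two values that fire, 0xFFFE and 0xFFFF, and a response whose DataOffset is larger than 56 puts PathConsumed where the fixed-offset test does not look, which is why a parser-based check is worth having beside the rule when you triage the destination (the SMB client, since the rule is to_client) as Joel suggests.

```python
"""Snort sid 19189 rev 4 checks, re-implemented over constructed SMB1 frames."""
import struct

NBSS_LEN = 4
SMB_HDR_LEN = 32
SMB_COM_TRANSACTION2 = 0x32          # the '2' in the rule's "|FF|SMB2"
TRANS2_FIXED_LEN = SMB_HDR_LEN + 1 + 20 + 2   # header + WordCount + 10 words + ByteCount


def build_trans2_dfs_response(path_consumed, num_referrals=1, data_offset=56):
    """Constructed test frame (not a capture): NBSS + SMB1 Trans2 response whose
    data is a RESP_GET_DFS_REFERRAL header with the given PathConsumed.
    data_offset is SMB-relative; 56 is the usual value when there are no parameters."""
    # RESP_GET_DFS_REFERRAL: PathConsumed(2) NumberOfReferrals(2) ReferralHeaderFlags(4)
    dfs = struct.pack("<HHI", path_consumed, num_referrals, 0)
    smb_hdr = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", SMB_COM_TRANSACTION2,
        0,                      # NT Status = STATUS_SUCCESS (the rule's |00 00 00 00|)
        0x80, 0xC001, 0,        # Flags (reply), Flags2, PIDHigh: cosmetic here
        b"\x00" * 8, 0,         # SecurityFeatures, Reserved
        1, 0xFEFF, 0x0800, 1,   # TID, PIDLow, UID, MID: arbitrary
    )
    words = struct.pack(
        "<HHHHHHHHHBB",
        0, len(dfs), 0,         # TotalParameterCount, TotalDataCount, Reserved
        0, data_offset, 0,      # ParameterCount, ParameterOffset, ParameterDisplacement
        len(dfs), data_offset, 0,  # DataCount, DataOffset, DataDisplacement
        0, 0,                   # SetupCount, Reserved
    )
    pad = data_offset - TRANS2_FIXED_LEN
    if pad < 0:
        raise ValueError("data_offset overlaps the Trans2 header")
    smb = smb_hdr + bytes([10]) + words + struct.pack("<H", pad + len(dfs)) + b"\x00" * pad + dfs
    # NBSS session message: type 0x00 and a 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def rule_19189_matches(frame):
    """The rule's payload checks with its own offsets (flowbits/flow assumed satisfied)."""
    if frame.find(b"\x00", 1) < 0:                 # content:"|00|"; offset:1
        return False
    if frame[4:9] != b"\xffSMB\x32":               # content:"|FF|SMB2"; offset:4; depth:5
        return False
    if frame[9:13] != b"\x00\x00\x00\x00":         # content:"|00 00 00 00|"; within:4
        return False
    if len(frame) < 62:                            # byte_test reads 2 bytes at 13 + 47 = 60
        return False
    value = struct.unpack_from("<H", frame, 60)[0] # little-endian, relative to the status match
    return value > 0xFFFD                          # only 0xFFFE and 0xFFFF pass


def parse_path_consumed(frame):
    """Follow NBSS -> SMB header -> Trans2 words -> DataOffset, the way a client does.
    Returns PathConsumed, or None if this is not a successful Trans2 reply."""
    if len(frame) < NBSS_LEN + SMB_HDR_LEN + 1:
        return None
    smb = frame[NBSS_LEN:NBSS_LEN + int.from_bytes(frame[1:4], "big")]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2:
        return None
    if struct.unpack_from("<I", smb, 5)[0] != 0:   # NT Status must be success
        return None
    if smb[32] < 10:                               # WordCount of a Trans2 response
        return None
    (_tpc, _tdc, _rsv, _pc, _po, _pd,
     data_count, data_offset, _dd) = struct.unpack_from("<9H", smb, 33)
    if data_count < 2 or data_offset + 2 > len(smb):
        return None
    return struct.unpack_from("<H", smb, data_offset)[0]


def triage(frame):
    """What both views say about one frame."""
    parsed = parse_path_consumed(frame)
    return {"sid_19189": rule_19189_matches(frame),
            "path_consumed": parsed,
            "overflow_value": parsed is not None and parsed > 0xFFFD}


if __name__ == "__main__":
    samples = {
        "benign referral (PathConsumed 30)": build_trans2_dfs_response(0x1E),
        "PathConsumed 0xFFFF, DataOffset 56": build_trans2_dfs_response(0xFFFF),
        "PathConsumed 0xFFFF, DataOffset 60": build_trans2_dfs_response(0xFFFF, data_offset=60),
    }
    for label, frame in samples.items():
        print(f"{label}: {triage(frame)}")
```

The third sample is the one to keep in mind while reading Nick's question: the rule's offsets match the layout Windows actually sends, so a real alert with a value of 0xFFFE or 0xFFFF in that field is worth a look at the destination host, but a quiet sensor is not proof that nothing unusual crossed the wire.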
