Snort mailing list archives

Re: Microsoft DCOM RPC Worm Alert


From: Brian <bmc () snort org>
Date: Thu, 28 Aug 2003 11:24:15 -0400

On Tue, Aug 12, 2003 at 11:56:26AM -0400, David wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32;\
flow:to_server,established; \
reference:bugtraq,8205; rev: 1;)

This rule is easily evadable.

Sure, the vulnerability is predicated by an overly long path.  That 
doesn't mean the service validates the path before it attempts to deal
with it.  Take any of the exploits and change the path from 
\\[lotsocrap]\C$\123456111111111111111.doc to random crap and it will
still crash the service.

-brian
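To see concretely what the quoted rule does and does not key on, here is an added example (not code from this thread) that models the rule's two content checks in Python and applies them to constructed sample payloads. The framing used below, a two-byte length field followed by a UTF-16LE path, is an assumption made only so that the `|00 5C 00 5C|` pattern lines up as it would ahead of a wide-character UNC string; it is not the real DCE RPC message layout. The samples show that the rule fires only when a `\\` prefix is followed by 32 backslash-free bytes, so both a short legitimate UNC path and an overlong path with a different prefix fall outside it.

```python
"""Model of the quoted Snort rule's payload checks over constructed samples.

Added example for illustration; not the rule author's or Snort's code.
"""

# The two content checks from the quoted rule:
#   content:"|00 5C 00 5C|";
#   content:!"|5C|"; within:32;
MATCH_A = b"\x00\x5c\x00\x5c"
NEG_B = b"\x5c"
WITHIN = 32


def rule_matches(payload: bytes) -> bool:
    """Return True when the rule's payload checks would fire.

    The rule needs an occurrence of 00 5C 00 5C such that no 5C byte appears
    in the 32 bytes that follow it. Every occurrence is tried, since a
    negated 'within' check failing on one occurrence does not rule out a
    later one.
    """
    start = 0
    while True:
        idx = payload.find(MATCH_A, start)
        if idx < 0:
            return False
        end = idx + len(MATCH_A)
        if NEG_B not in payload[end:end + WITHIN]:
            return True
        start = idx + 1


def build_payload(path: str) -> bytes:
    """Constructed framing (assumption): 2-byte little-endian length, then
    the path as UTF-16LE. Chosen so the length field's high byte precedes
    the first 5C, which is what the rule's 00 5C 00 5C pattern relies on."""
    encoded = path.encode("utf-16-le")
    return len(encoded).to_bytes(2, "little") + encoded


# Constructed sample paths, labelled by what the rule should do with them.
SAMPLES = {
    # Overlong UNC path with the \\ prefix: the rule fires.
    "long_unc": "\\\\" + "A" * 40 + "\\C$\\1.doc",
    # Short, ordinary UNC path: a backslash follows within 32 bytes, no alert.
    "short_unc": "\\\\AB\\C$\\x.doc",
    # Same length as long_unc, but the path does not start with \\: no alert.
    "long_no_prefix": "//" + "A" * 40 + "\\C$\\1.doc",
    # Path replaced entirely with filler, as the reply describes: no alert.
    "long_filler": "A" * 60 + ".doc",
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the modelled rule would fire on it."""
    return {name: rule_matches(build_payload(path)) for name, path in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:15s} alert={fired}")
```

Only `long_unc` produces an alert; the two overlong variants that change or drop the `\\` prefix do not, which is the evasion the reply points out. The lesson for a detection engineer is that the rule is matching a cosmetic feature of one exploit's path string rather than the condition that actually matters (the length of the path field), so a more robust rule would need to reason about the length of the RPC string parameter itself.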

