File: 2252.txt

Rule:  

--
Sid:
2252

--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in the Microsoft RPCSS service, which handles RPC DCOM requests.

--
Impact:
Denial of Service. Possible execution of arbitrary code leading to
unauthorized remote administrative access.

--
Detailed Information:
The Microsoft RPCSS service handles DCOM requests delivered over RPC. A
vulnerability in the way it processes these requests means that malformed
data sent via RPC can cause execution of arbitrary code or a Denial of
Service condition on the target host.

The Distributed Component Object Model (DCOM) lets clients activate and use
objects on a remote server, with the requests carried over RPC. A malformed
activation request sent to a host running the RPCSS service may trigger a
buffer overflow that gives the attacker the opportunity to execute arbitrary
code with the privileges of the Local System account. Alternatively, the
attacker can cause the RPC service to stop answering RPC requests, producing
a Denial of Service condition.

--
Affected Systems:
	Windows NT 4.0 Workstation and Server
	Windows NT 4.0 Terminal Server Edition
	Windows 2000
	Windows XP
	Windows Server 2003

--
Attack Scenarios:
An attacker may make a DCERPC bind request followed by a malicious
DCERPC DCOM remote activation request.
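The following is an added example, not code from the Snort rule or its
documentation: a minimal parser for connection-oriented DCERPC PDUs (MS-RPCE
common header, bind context list, request header) plus a per-connection
detector for the sequence just described, a bind to a watched interface
followed by a request on that binding. The ISystemActivator interface UUID is
assumed from the DCOM specification and does not appear on this page; the
benign interface UUID, the connection keys and all sample packets are
constructed here for the demonstration.

```python
# Added example (not from the Snort rule or its documentation): DCERPC PDU
# parsing and a bind-then-request detector. ISYSTEMACTIVATOR is assumed from
# MS-DCOM, not from this page; BENIGN_IFACE and all sample traffic are constructed.
import struct
import uuid
from collections import namedtuple

PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_OBJECT_UUID = 0x80   # request body carries a 16-byte object UUID before the stub
HDR_LEN = 16             # common PDU header size
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")            # NDR transfer syntax
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # assumed, see above
BENIGN_IFACE = uuid.UUID("12345678-1234-5678-1234-567812345678")      # constructed placeholder

Pdu = namedtuple("Pdu", "ptype pfc_flags call_id frag_length body")


def parse_header(data):
    """Parse the 16-byte common header and return the Pdu with its fragment body."""
    if len(data) < HDR_LEN:
        raise ValueError("short PDU")
    rpc_vers, _minor, ptype, pfc_flags = data[0:4]
    if rpc_vers != 5:
        raise ValueError("not a DCERPC v5 PDU")
    if data[4] >> 4 != 1:   # packed_drep: high nibble 1 = little-endian integers
        raise ValueError("only little-endian DREP handled here")
    frag_length, _auth_len, call_id = struct.unpack_from("<HHI", data, 8)
    if frag_length < HDR_LEN or frag_length > len(data):
        raise ValueError("frag_length inconsistent with data")
    return Pdu(ptype, pfc_flags, call_id, frag_length, data[HDR_LEN:frag_length])


def parse_bind(body):
    """Return {p_cont_id: (abstract_syntax_uuid, version)} from a bind body."""
    if len(body) < 12:
        raise ValueError("short bind body")
    n_ctx, off, contexts = body[8], 12, {}   # n_context_elem follows xmit/recv/assoc_group
    for _ in range(n_ctx):
        if off + 24 > len(body):
            raise ValueError("truncated context element")
        cont_id, n_ts = struct.unpack_from("<HB", body, off)
        iface = uuid.UUID(bytes_le=body[off + 4:off + 20])
        (ver,) = struct.unpack_from("<I", body, off + 20)
        off += 24 + 20 * n_ts                 # skip the transfer-syntax list
        if off > len(body):
            raise ValueError("truncated transfer-syntax list")
        contexts[cont_id] = (iface, ver)
    return contexts


def parse_request(pdu):
    """Return (p_cont_id, opnum, stub_data) from a request PDU."""
    if len(pdu.body) < 8:
        raise ValueError("short request body")
    _alloc_hint, cont_id, opnum = struct.unpack_from("<IHH", pdu.body, 0)
    stub_off = 8 + (16 if pdu.pfc_flags & PFC_OBJECT_UUID else 0)
    return cont_id, opnum, pdu.body[stub_off:]


class DcerpcDetector:
    """Remembers each connection's bind contexts; flags requests on watched interfaces."""

    def __init__(self, watched):
        self.watched = watched    # {interface uuid: name}
        self.contexts = {}        # conn_key -> {p_cont_id: (uuid, version)}

    def feed(self, conn_key, data):
        alerts, off = [], 0
        state = self.contexts.setdefault(conn_key, {})
        while off < len(data):
            pdu = parse_header(data[off:])
            off += pdu.frag_length
            if pdu.ptype == PTYPE_BIND:
                new = parse_bind(pdu.body)
                state.update(new)
                alerts += ["bind to %s ctx=%d" % (self.watched[i], c)
                           for c, (i, _v) in new.items() if i in self.watched]
            elif pdu.ptype == PTYPE_REQUEST:
                cid, opnum, stub = parse_request(pdu)
                iface = state.get(cid, (None, 0))[0]
                if iface in self.watched:
                    alerts.append("request opnum=%d stub=%dB on %s after bind"
                                  % (opnum, len(stub), self.watched[iface]))
        return alerts


# Builders used only to fabricate the constructed sample traffic below.
def build_pdu(ptype, call_id, body, flags=0x03):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       HDR_LEN + len(body), 0, call_id) + body

def build_bind(call_id, contexts):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(contexts), 0, 0)
    for cid, (iface, ver) in contexts.items():
        body += struct.pack("<HBB", cid, 1, 0) + iface.bytes_le + struct.pack("<I", ver)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    return build_pdu(PTYPE_BIND, call_id, body)

def build_request(call_id, cont_id, opnum, stub):
    return build_pdu(PTYPE_REQUEST, call_id, struct.pack("<IHH", len(stub), cont_id, opnum) + stub)

def demo():
    """Feed an attack-shaped stream and a benign stream; return both alert lists."""
    det = DcerpcDetector({ISYSTEMACTIVATOR: "ISystemActivator"})
    attack = build_bind(1, {0: (ISYSTEMACTIVATOR, 0)}) + build_request(2, 0, 4, b"A" * 600)
    benign = build_bind(1, {0: (BENIGN_IFACE, 1)}) + build_request(2, 0, 0, b"\x00" * 8)
    return det.feed("attacker->victim:135", attack), det.feed("client->victim:135", benign)
```

The detector keys state on the connection because the activation request
identifies its interface only by the p_cont_id negotiated in the earlier
bind; a single-packet signature that matches the request alone cannot tell
which interface it targets. Fragment length is validated before slicing so a
crafted frag_length cannot make the parser read past the buffer or loop.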

--
Ease of Attack:
Simple. Exploit code exists.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP
from external sources using a packet filtering firewall. Port 135 is the
RPC endpoint mapper, 139 and 445 carry RPC over SMB named pipes, and 593
is the RPC over HTTP endpoint mapper. Perimeter filtering does not protect
against hosts that are already inside the filtered network, so it
complements patching rather than replacing it.

Disallow the use of RPC over HTTP and HTTPS.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

eEye:
http://www.eeye.com/html/Research/Advisories/AD20030910.html

--