File: 2513.txt

Rule:

--
Sid:
2513

--
Summary:
This event is generated when an attempt is made to exploit a buffer
overrun condition in Microsoft products via the Local Security Authority
Subsystem Service (LSASS).

--
Impact:
Remote execution of arbitrary code.

--
Detailed Information:
A vulnerability exists in LSASS that may present an attacker with the
opportunity to execute code of their choosing on an affected host.

The problem lies in an unchecked buffer in the LSASS service. Successful
exploitation may present the attacker with the opportunity to gain
control of the affected system.

--
Affected Systems:
	Microsoft Windows 2000, 2003 and XP systems.

--
Attack Scenarios:
An attacker needs to make a specially crafted request to the LSASS
service that could contain harmful code to gain further access to the
system.

--
Ease of Attack:
Moderate.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Use a packet filtering firewall to deny access to TCP and UDP ports 135
and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources
outside the protected network.

Access should also be denied to ephemeral ports and any other ports used
by RPC services from sources external to the protected network.
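
One way to check that the perimeter filter described above is actually in
place, as an added example that is not part of the original Snort
documentation: it scans firewall log lines for allowed flows from outside
the protected network to the listed protocol/port pairs. The log format,
the protected network 10.20.0.0/16 and the sample lines are constructed
assumptions; ephemeral and other RPC ports are not covered because the
text gives no range for them.

```python
import ipaddress

# (protocol, port) pairs the Corrective Action says to deny from outside.
BLOCKED = {("tcp", 135), ("udp", 135), ("tcp", 445), ("udp", 445),
           ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 593)}

# Assumption: hypothetical protected network, not taken from the page.
PROTECTED_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed log lines in an assumed format: action proto src dst dport
SAMPLE_LOG = """\
ALLOW tcp 198.51.100.7 10.20.1.5 445
DENY tcp 198.51.100.7 10.20.1.5 135
ALLOW tcp 10.20.3.9 10.20.1.5 445
ALLOW udp 203.0.113.20 10.20.1.8 137
ALLOW tcp 203.0.113.20 10.20.1.8 137
ALLOW tcp 192.0.2.44 10.20.1.8 443
ALLOW tcp 192.0.2.44 10.20.1.8 593
garbage line
"""

def parse_line(line):
    """Return (action, proto, src, dst, dport), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    action, proto, src, dst, dport = parts
    try:
        return (action.upper(), proto.lower(), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport))
    except ValueError:
        return None

def exposed_flows(log_text, protected=PROTECTED_NET):
    """Flows allowed from an external source to a blocked proto/port."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        action, proto, src, dst, dport = rec
        if (action == "ALLOW" and src not in protected
                and dst in protected and (proto, dport) in BLOCKED):
            findings.append((proto, str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in exposed_flows(SAMPLE_LOG):
        print("perimeter gap: %s %s -> %s:%d" % finding)
```

The match is on protocol and port together, so the allowed TCP flow to
port 137 in the sample is not reported: the text lists 137 for UDP only.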

--
Contributors:
Sourcefire Research Team
Matt Watchinski <mwatchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--