MS-RPC: DCOM Exploit (3)
This signature detects attempts to exploit a known vulnerability in Microsoft Windows Remote Procedure Call (RPC) system. Windows 2000 and XP are vulnerable. RPC is an operating system component that enables remote computers to request actions or services. For example, file and print sharing from the local Windows system. Attackers, using dcom.c can send too much data to the RPC process, causing the local system to grant full access to the remote computer. The W32.Blaster and Nachi/Welchia worms can also be detected or blocked using this signature.
Extended Description
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Affected Products
Microsoft windows_2000
References
BugTraq: 8205
CVE: CVE-2003-0352
URL: http://www.kb.cert.org/vuls/id/568148 http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Short Name
MS-RPC:DCOM:EXPLOIT-3
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
MS-RPC
Keywords
(3) CA-2003-19 CVE-2003-0352 DCOM Exploit bid:8205
Release Date
02/01/2006
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3761
False Positive
Unknown
Vendors
Microsoft
CVSS Score
7.5