MS-RPC: DCOM Exploit
This signature detects attempts to exploit a known vulnerability in Microsoft Windows Remote Procedure Call (RPC) system. Windows 2000 and XP are vulnerable. RPC is an operating system component that enables remote computers to request actions or services. For example, file and print sharing from the local Windows system. Attackers can use dcom.c to send too much data to the RPC process, causing the local system to grant full access to the remote computer. Also, the W32.Blaster and Nachi/Welchia worms can be detected or blocked using this signature.
Extended Description
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Affected Products
Microsoft windows_2000
Short Name
MS-RPC:DCOM:EXPLOIT
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
MS-RPC
Keywords
CA-2003-19 CVE-2003-0352 DCOM Exploit bid:8205
Release Date
07/30/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3761
False Positive
Unknown
Vendors
Microsoft
CVSS Score
7.5