NETBIOS: ASN.1 Malformed BER Encoding Overflow

This signature detects a malformed BER-encoded ASN.1 region in an NTLM session request message. A known vulnerability exists in certain versions of Microsoft Windows that can result in a denial of service (DoS) or remote code execution as SYSTEM.

Extended Description

The Microsoft ASN.1 handling library has been reported prone to an integer overflow vulnerability that may result in arbitrary heap-based memory corruption. The issue presents itself in the ASN.1 BER decoding/encoding routines. Exploitation of this issue will result in the corruption of heap-based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process. This vulnerability is exposed in a number of security-related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled, and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. It should be noted that because ASN.1 data will likely be encoded (for example Kerberos, SSL, IPSec or Base64 encoded), the malicious integer values may be obfuscated and, as a result, not easily detectable.

Affected Products

Microsoft windows_98

Short Name
NETBIOS:OVERFLOW:ASN-1-BER
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
NETBIOS
Keywords
ASN.1 BER CVE-2003-0818 Encoding Malformed Overflow bid:9635
Release Date
02/15/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Unknown
Vendors

Adobe

Altova

Aol

Intuit

Jasc_software

Vandyke

Musicmatch_inc.

Microsoft

Yahoo!

CVSS Score

7.5
