NETBIOS: WINS Server Replication PTR Attack
This signature detects attempts to exploit a vulnerability in the Microsoft NetBIOS WINS server. A remote attacker can perform a brute-force attack against the server which, if successful, can result in code execution with SYSTEM privileges. The WINS server fails to validate the source IP of connections on TCP port 42 as coming from a configured replication client, so attacks are possible from any IP.
Extended Description
The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."
Affected Products
Microsoft windows_2000
Short Name
NETBIOS:WINS:REPLICATION-PTR
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
NETBIOS
Keywords
Attack CVE-2004-1080 PTR Replication Server WINS bid:11763
Release Date
11/27/2004
Supported Platforms
srx-branch-19.3
vsrx3bsd-19.2
srx-19.4
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
vsrx-19.2
srx-19.3
srx-branch-12.3
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx-12.3
vmx-19.3
srx-12.3
Sigpack Version
3761
Port
TCP/42
False Positive
Unknown
Vendors
Microsoft
CVSS Score
10.0