SMB: NetDDE Long Share Name Buffer Overflow
This signature detects attempts to exploit a known vulnerability involving the share name resource in Windows Network Dynamic Data Exchange (NetDDE) connections. All Microsoft Windows platforms that support NetDDE are vulnerable. Attackers can send a crafted NetDDE request to overflow a buffer in the Windows DDE service and execute arbitrary code.
Extended Description
Microsoft Windows NetDDE is affected by a remote buffer-overflow vulnerability because the application fails to properly verify the lengths of strings contained within unspecified network messages before copying them into finite buffers. Note that NetDDE is not activated by default on Windows computers.
An attacker may leverage this issue to execute arbitrary code on an affected computer with SYSTEM privileges. In some circumstances, where NetDDE services have been installed but not started, local attackers might exploit this issue to gain elevated privileges because an unprivileged user may start the services.
UPDATE: NGSSoftware has released a preliminary advisory for this issue, announcing that technical details will be withheld until January 19, 2005.
UPDATE: Immunity Research has reported that a remote attacker may require authentication before exploiting this vulnerability. Further details of this report can be found in the referenced message "ms04-031 pre-auth ??".
Affected Products
Avaya s8100_media_servers, Microsoft windows_xp_media_center_edition
References
BugTraq: 11372
CVE: CVE-2004-0206
URL: http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx
URL: http://www.kb.cert.org/vuls/id/640488
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Microsoft
Avaya
7.5