SMB: Security Token Overflow

This protocol anomaly triggers when it detects an attempt to exploit a known vulnerability in Microsoft Windows through the Server Message Block protocol. Microsoft Windows NT 4.0, 2000, XP and Server 2003 contain a known flaw in the Microsoft ASN.1 library (msasn1.dll) that allows a remote attacker to trigger a heap buffer overflow and overwrite heap memory on the affected system. Over SMB the malicious ASN.1 data is carried in the SPNEGO security token of a Session Setup request, which is why the signature is named for the security token. An attacker can exploit this in multiple ways to execute arbitrary code on the system with SYSTEM privileges, without prior authentication.

Extended Description

A vulnerability has been reported in the Microsoft ASN.1 library. The issue is insufficient validation of an attacker-supplied length field in ASN.1 BER-encoded data. The unchecked length can be used as an excessive value in a heap allocation routine, so that the subsequent copy corrupts large amounts of heap memory. This can be leveraged to overwrite sensitive values in memory, resulting in execution of arbitrary code. The vulnerable library is exposed through a number of security-related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled, and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected; a comprehensive list is not available at this time. Note that because the ASN.1 data is usually wrapped in another encoding (for example Kerberos, SSL, IPsec or Base64), the malicious length values may be obfuscated and therefore not easily detected on the wire.
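The length-field problem described above, as an added illustration that is not msasn1.dll's code and not Juniper's signature logic: a small BER TLV decoder showing how a trusted long-form length wraps a 32-bit allocation-size computation, beside a hardened decode that bounds the declared length by the remaining input and checks the size arithmetic before anything is allocated or copied. The type and function names (ber_tlv, unsafe_alloc_size, ber_decode_tlv_checked) and the 8-byte header constant are assumptions made for the example; the sample encodings are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded BER TLV. Illustrative structure, not the library's own type. */
typedef struct {
    uint8_t        tag;
    uint32_t       length; /* content length as declared by the encoding */
    const uint8_t *value;  /* points into the caller's input buffer */
} ber_tlv;

enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2, BER_OVERFLOW = -3 };

/* Read one BER length (X.690 8.1.3) at in[*pos].
 * Short form: a single octet 0x00..0x7F.
 * Long form: 0x80|n followed by n big-endian octets; only n <= 4 is accepted,
 * so the indefinite form (0x80) and lengths wider than 32 bits are rejected. */
int ber_read_length(const uint8_t *in, size_t in_len, size_t *pos, uint32_t *out)
{
    if (*pos >= in_len) return BER_TRUNCATED;
    uint8_t b = in[(*pos)++];
    if (b < 0x80) { *out = b; return BER_OK; }
    unsigned n = b & 0x7F;
    if (n == 0 || n > 4) return BER_BAD_LENGTH;
    if (in_len - *pos < n) return BER_TRUNCATED;
    uint32_t len = 0;
    for (unsigned i = 0; i < n; i++) len = (len << 8) | in[(*pos)++];
    *out = len;
    return BER_OK;
}

/* The unsafe pattern: trust the declared length, add a fixed header, allocate.
 * With declared_len = 0xFFFFFFFF the 32-bit addition wraps to 7, so the heap
 * block is tiny while the decoder still believes it must copy 4 GiB into it.
 * Only the size computation is shown; the overflowing copy is deliberately
 * not performed. */
uint32_t unsafe_alloc_size(uint32_t declared_len)
{
    const uint32_t header = 8;        /* assumed per-object bookkeeping */
    return declared_len + header;     /* wraps for large declared_len */
}

/* Hardened decode: the declared length must fit in the bytes that actually
 * follow it, and the allocation-size arithmetic is checked for wrap-around
 * before any allocation or copy would take place. */
int ber_decode_tlv_checked(const uint8_t *in, size_t in_len, ber_tlv *out)
{
    size_t pos = 0;
    uint32_t len;
    if (in_len == 0) return BER_TRUNCATED;
    out->tag = in[pos++];
    int rc = ber_read_length(in, in_len, &pos, &len);
    if (rc != BER_OK) return rc;
    if ((size_t)len > in_len - pos) return BER_BAD_LENGTH; /* claims more than is present */
    const uint32_t header = 8;
    if (len > UINT32_MAX - header) return BER_OVERFLOW;   /* len + header would wrap */
    out->length = len;
    out->value  = in + pos;
    return BER_OK;
}

int main(void)
{
    /* Constructed sample: OCTET STRING with a long-form length of 0xFFFFFFFF
     * but only one content byte actually following it. */
    const uint8_t hostile[] = { 0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x41 };
    const uint8_t benign[]  = { 0x04, 0x03, 'a', 'b', 'c' };
    ber_tlv tlv;
    printf("unsafe size for 0xFFFFFFFF: %u\n", unsafe_alloc_size(0xFFFFFFFFu));
    printf("checked decode (hostile): %d\n", ber_decode_tlv_checked(hostile, sizeof hostile, &tlv));
    printf("checked decode (benign):  %d, len %u\n",
           ber_decode_tlv_checked(benign, sizeof benign, &tlv), tlv.length);
    return 0;
}
```

The same bound (declared length versus bytes remaining in the security token) is also the check a network sensor can apply when the token is visible in cleartext, which is why the obfuscation note above matters: once the BER data is wrapped in Base64 or carried inside an encrypted exchange, the length octets are no longer directly inspectable.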

Affected Products

Microsoft Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003 (the platforms covered by MS04-007)

Short Name
SMB:OF:SECUR-TOKEN-OVERFLOW
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
SMB
Keywords
CVE-2003-0818 MS04-007 bid:9633
Release Date
08/09/2006
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
False Positive
Unknown
Vendors

Intuit

Yahoo!

Aol

Microsoft

Vandyke

CVSS Score

7.5
