WORM: Sasser FTP Server Buffer Overflow Attempt
This signature detects attempts to exploit a known vulnerability against the FTP server installed by the Sasser worm. A successful attack can create a buffer overflow leading to a denial of service.
Extended Description
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.
Affected Products
Avaya s8100_media_servers,Microsoft windows_xp_64-bit_edition_version_2003
References
BugTraq: 10108
CVE: CVE-2003-0533
URL: http://www.kb.cert.org/vuls/id/753212 http://secunia.com/virus_information/9142/sasser/ http://www.lurhq.com/sasser.html
Short Name
WORM:SASSER:FTP-SRV-OVERFLOW
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
Attempt Buffer CVE-2003-0533 FTP Overflow Sasser Server bid:10108
Release Date
05/05/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/5554
False Positive
Unknown
Vendors
Microsoft
Avaya
CVSS Score
7.5