SID 3199

Msg

"EXPLOIT WINS name query overflow attempt TCP"

Summary

This rule generates an event when an attempt is made to exploit a known vulnerability in Microsoft WINS.

Classtype

attempted-admin

Impact

Execution of arbitrary code leading to full administrator access of the machine. Denial of Service (DoS).

Detailed Information

A vulnerability exists in Microsoft WINS such that execution of arbitrary code or a Denial of Service condition can be issued against a host by sending malformed data.

Affected Systems

  • Windows NT 4.0
  • Windows NT 4.0 Terminal Server Edition
  • Windows 2000
  • Windows Server 2003

Attack Scenarios

An attacker would need to send multiple malformed request to the WINS service running on a host.

Ease Of Attack

Simple. Expoit code exists.

False Positives

None known.

False Negatives

None known.

Corrective Action

Apply the appropriate vendor supplied patches.

Uninstall the WINS service.

Contributors

  • Sourcefire Vulnerability Research Team
  • Brian Caswell
  • Nigel Houghton