Microsoft Windows 2003 SMTP service code execution (DNS_Windows_SMTP_Overflow)

About this signature or vulnerability

RealSecure Desktop, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, BlackICE PC Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop:

This signature detects a specially-crafted DNS response message that could allow a remote attacker to execute arbitrary code on the system.


False positives

RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop:

Valid DNS responses may trigger this signature. This traffic is dangerous only if it is forwarded to a server running vulnerable software.

Default risk level

High

Sensors that have this signature

RealSecure Desktop: baseline, RealSecure Network: XPU 22.34, RealSecure Server Sensor: XPU 22.34, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, Proventia Network MFS: XPU 1.33, Proventia Network IDS: XPU 22.34, Proventia-G 1.1 and earlier: XPU 22.34, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1

Systems affected

Microsoft Windows 2000, Microsoft Exchange Server: 2000, Microsoft Windows XP: 2003 64-bit, Microsoft Windows 2003 Server: x64, Microsoft Windows 2003 Server, Microsoft Exchange Server: 2003 SP1, Microsoft Exchange Server: 2000 SP3, Microsoft Exchange Server: 2003

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system because of a vulnerability in the Windows Server 2003 Simple Mail Transfer Protocol (SMTP) service. The SMTP service is not installed by default on Windows Server 2003, Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003. By sending a specially-crafted DNS response message, a remote attacker could execute arbitrary code on the system.

How to remove this vulnerability

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
WinMs04035Patch

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
DNS_Windows_SMTP_Overflow

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-035. See References.

For Microsoft Exchange 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-021. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS04-035, but it was superseded by the patch released with MS05-021.

References

CIAC Information Bulletin P-005
Windows SMTP Vulnerability could Allow Remote Code Execution
http://www.ciac.org/ciac/bulletins/p-005.shtml

CERT Vulnerability Note VU#394792
Microsoft Windows SMTP component vulnerable to remote code execution
http://www.kb.cert.org/vuls/id/394792

Microsoft Security Bulletin MS04-035
Vulnerability in SMTP Service Could Allow Code Execution (885881)
http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx

Microsoft Security Bulletin MS05-021
Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)
http://www.microsoft.com/technet/security/bulletin/ms05-021.mspx

ISS X-Force
Microsoft Windows 2003 SMTP service code execution
http://www.iss.net/security_center/static/17621.php

CVE
CVE-2004-0840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0840