HighProventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, RealSecure Desktop, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware:
This signature looks for a specially-crafted MSRPC MSDNS Request that is used to conduct a buffer overflow.
High
Proventia Network MFS: XPU 1.98, IBM Security Server Protection for Windows: 1.0.914.1990, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 24.59, Proventia-G 1.1 and earlier: XPU 24.59, BlackICE PC Protection: 3.6cqe, BlackICE Server Protection: 3.6.cqe, RealSecure Network: XPU 24.59, RealSecure Server Sensor: XPU 24.59, Proventia Server IPS for Linux technology: 1.99, RealSecure Desktop: eqe, Proventia Network IPS: XPU 1.98, Proventia Desktop: 1990, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4 Server, Microsoft Windows 2003 Server: SP1 x64, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64
Unauthorized Access Attempt
The Microsoft Windows Domain Name System (DNS) Server is vulnerable to a stack-based buffer overflow in the RPC interface. By sending a specially-crafted Remote Procedure Call (RPC) packet to a vulnerable system, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-029. See References.
Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/935964.mspx
Microsoft Knowledge Base Article 935964
Microsoft Security Advisory: A vulnerability in RPC in the Windows DNS Server service could allow remote code execution
http://support.microsoft.com/kb/935964
Microsoft Security Response Center Blog, Thursday, April 12, 2007 8:56 PM
Microsoft Security Advisory 935964 Posted
http://blogs.technet.com/msrc/archive/2007/04/12/microsoft-security-advisory-935964-posted.aspx
Microsoft Security Bulletin MS07-029
Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
ISS X-Force
Microsoft Windows DNS Server RPC interface buffer overflow
http://www.iss.net/security_center/static/33629.php
CVE
CVE-2007-1748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748