Proventia Desktop, Proventia Network IDS, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, BlackICE PC Protection, Proventia Network MFS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, RealSecure Desktop:
This signature detects requests to Microsoft Server Service (SRVSVC) operations 31 and 35 that are crafted to trigger a buffer overflow.
High
Proventia Desktop: 1820, Proventia Network IDS: XPU 24.42, Proventia Network IPS: XPU 1.81, Proventia-G 1.1 and earlier: XPU 24.42, Proventia Server IPS for Microsoft Windows technology: 1.0.914.1820, BlackICE Server Protection: 3.6.cpn, BlackICE PC Protection: 3.6cpn, Proventia Network MFS: XPU 1.81, RealSecure Network: XPU 24.42, RealSecure Server Sensor: XPU 24.42, Proventia Server IPS for Linux technology: 1.81, RealSecure Desktop: epn
Microsoft Windows 2000, Microsoft Windows 2000: SP1, Microsoft Windows 2000: SP2, Microsoft Windows 2000: SP3, Microsoft Windows XP: SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows 2003
Unauthorized Access Attempt
Microsoft Windows Server service is vulnerable to a buffer overflow. By sending a specially-crafted message to TCP port 139 or 445 on an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system.
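The detection logic described above (a request to Server Service operation 31 or 35 carried over DCE/RPC on TCP 139/445), shown as an added example rather than the vendor's signature code. It tracks the bind that maps a presentation context to the SRVSVC interface UUID (4b324fc8-1670-01d3-1278-5a47bf6ee188, v3.0, a known constant not quoted on this page), then flags request PDUs on that context whose opnum is 31 or 35; the PDU bytes are constructed here for the demonstration, and the code assumes the DCE/RPC fragments have already been extracted from the SMB named-pipe transport.

```python
import struct
import uuid

# SRVSVC interface UUID and version (known constant, not from the advisory text).
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
# Operation numbers named in the signature description.
WATCHED_OPNUMS = {31, 35}

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PFC_OBJECT_UUID = 0x80      # request carries a 16-byte object UUID after opnum
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR v2 transfer syntax


def _endian(drep0):
    # packed_drep[0] high nibble: 1 = little-endian integers, 0 = big-endian.
    return "<" if drep0 & 0x10 else ">"


def _uuid(raw, e):
    return uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)


def parse_header(pdu):
    """Common 16-byte connection-oriented DCE/RPC header."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    e = _endian(pdu[4])
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    return {"ptype": pdu[2], "flags": pdu[3], "endian": e,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def parse_bind(pdu):
    """Return {context_id: (abstract_syntax_uuid, major, minor)} from a bind PDU."""
    e = parse_header(pdu)["endian"]
    n_ctx = pdu[24]          # after max_xmit(2) max_recv(2) assoc_group(4)
    off, contexts = 28, {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack(e + "HB", pdu[off:off + 3])
        off += 4             # p_cont_id(2) n_transfer_syn(1) reserved(1)
        abstract = _uuid(pdu[off:off + 16], e)
        major, minor = struct.unpack(e + "HH", pdu[off + 16:off + 20])
        off += 20 + 20 * n_ts  # skip the transfer syntaxes (uuid + version each)
        contexts[ctx_id] = (abstract, major, minor)
    return contexts


def parse_request(pdu):
    h = parse_header(pdu)
    e = h["endian"]
    _alloc_hint, ctx_id, opnum = struct.unpack(e + "IHH", pdu[16:24])
    off = 24 + (16 if h["flags"] & PFC_OBJECT_UUID else 0)
    # Stub ends before the 8-byte sec_trailer plus auth data, if any.
    stub_end = h["frag_len"] - (h["auth_len"] + 8 if h["auth_len"] else 0)
    return {**h, "ctx_id": ctx_id, "opnum": opnum, "stub": pdu[off:stub_end]}


class SrvsvcTracker:
    """Per-connection state: which context IDs were bound to SRVSVC."""

    def __init__(self):
        self.contexts = {}

    def feed(self, pdu):
        """Return an alert dict for a watched SRVSVC request, else None."""
        h = parse_header(pdu)
        if h["ptype"] == PTYPE_BIND:
            self.contexts.update(parse_bind(pdu))
            return None
        if h["ptype"] != PTYPE_REQUEST:
            return None
        req = parse_request(pdu)
        iface = self.contexts.get(req["ctx_id"])
        if iface is None or iface[0] != SRVSVC_UUID or req["opnum"] not in WATCHED_OPNUMS:
            return None
        return {"opnum": req["opnum"], "call_id": req["call_id"], "stub_len": len(req["stub"])}


# --- constructed sample PDUs (little-endian, no auth trailer) -------------------
def _hdr(ptype, body_len, call_id):
    return struct.pack("<BBBBBBBBHHI", 5, 0, ptype, 0x03, 0x10, 0, 0, 0, 16 + body_len, 0, call_id)


def build_bind(ctx_id, iface, major, minor, call_id=1):
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", major, minor)
    body += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    return _hdr(PTYPE_BIND, len(body), call_id) + body


def build_request(ctx_id, opnum, stub, call_id=2):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _hdr(PTYPE_REQUEST, len(body), call_id) + body


def demo():
    """Bind to SRVSVC, then an oversized opnum 31 request and a benign opnum 16 request."""
    long_path = ("\\\\" + "A" * 600).encode("utf-16-le") + b"\0\0"  # constructed filler stub
    tracker, alerts = SrvsvcTracker(), []
    for pdu in (build_bind(0, SRVSVC_UUID, 3, 0),
                build_request(0, 31, long_path, call_id=2),
                build_request(0, 16, b"\0" * 8, call_id=3)):
        alert = tracker.feed(pdu)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(demo())
```

The bind tracking is what keeps the rule from firing on opnum 31 or 35 of an unrelated interface; without it, a matcher on the opnum field alone produces false positives on any RPC traffic sharing those numbers. In a real sensor the same logic would also need SMB fragment reassembly and a check of the NDR-encoded path argument length, which this example does not attempt.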
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-040. See References.
For Windows 2000 prior to SP4:
Upgrade to Windows 2000 SP4 or later, then apply the patch listed in Microsoft Security Bulletin MS06-040. See References.
For Windows 2000 SP4 and Windows XP SP2:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-070, which replaces the MS06-040 update on these platforms. See References.
Note: Microsoft originally released the fix for this vulnerability in MS06-040; for Windows 2000 SP4 and Windows XP SP2 that update was superseded by the one released with MS06-070.
Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
US-CERT Vulnerability Note VU#650769
Microsoft Windows Server service buffer overflow
http://www.kb.cert.org/vuls/id/650769
Internet Security Systems Protection Advisory August 8, 2006
Microsoft Server Service Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/alerts/id/232
US-CERT Technical Cyber Security Alert TA06-220A
Microsoft Windows, Office, and Internet Explorer Vulnerabilities
http://www.us-cert.gov/cas/techalerts/TA06-220A.html
FrSIRT/ADV-2006-3210
Microsoft Windows Server Service Remote Code Execution Vulnerability (MS06-040)
http://www.frsirt.com/english/advisories/2006/3210
SA21388
Windows Server Service Buffer Overflow Vulnerability
http://secunia.com/advisories/21388/
Microsoft Knowledge Base Article 921883
MS06-040: Vulnerability in Server service could allow remote code execution
http://support.microsoft.com/kb/921883
cisco-sr-20060814-ms06-040-vulnerability
Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20060814-ms06-040-vulnerability.shtml
Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
ISS X-Force
Microsoft Windows Server service buffer overflow
http://www.iss.net/security_center/static/28002.php
CVE
CVE-2006-3439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439