HighProventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects a malicious SMB Copy Request
High
Proventia Network IPS: XPU 30.020, Proventia Desktop: 2480, RealSecure Server Sensor: XPU 30.020, RealSecure Network: XPU 30.020, Proventia Network IDS: XPU 30.020, Proventia-G 1.1 and earlier: XPU 30.020, Proventia Network MFS: XPU 30.020, IBM Security Server Protection for Windows: 2.1.14.2480, IBM Security Server Protection for Windows: 2.0.300.2480, Proventia Server IPS for Linux technology: 30.020, Virtual Server Protection for Vmware: XPU 30.020
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the improper handling of malicious SMB responses within the pathname by the Microsoft Server Message Block (SMB) Protocol software. By sending a specially-crafted SMB packet to a computer connected to an SMB Server, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS10-012
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
http://www.microsoft.com/technet/security/bulletin/ms10-012.mspx
IBM Internet Security Systems Protection Alert
Microsoft Windows SMB Server Remote Code Execution
http://www.iss.net/threats/361.html
Microsoft Security Bulletin MS10-054
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
http://www.microsoft.com/technet/security/bulletin/ms10-054.mspx
Microsoft Security Bulletin MS11-020
Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
http://www.microsoft.com/technet/security/bulletin/ms11-020.mspx
ISS X-Force
Microsoft Windows SMB pathname code execution
http://www.iss.net/security_center/static/55906.php
CVE
CVE-2010-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0020