Microsoft Windows 2003 SMTP service code execution (DNS_Windows_SMTP_Overflow)

About this signature or vulnerability

Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Server Sensor, RealSecure Network, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects a specially-crafted DNS response message that could allow a remote attacker to execute arbitrary code on the system.


False positives

Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: Valid DNS responses may trigger this signature. This traffic is dangerous only if it is forwarded to a server running vulnerable software.

Default risk level

High

Sensors that have this signature

Proventia Desktop: 8.0.614.1
Proventia Network IDS: XPU 22.34
Proventia-G 1.1 and earlier: XPU 22.34
IBM Security Server Protection for Windows: 2.1.14.2400
IBM Security Server Protection for Windows: 1.0.914.0
Proventia Network MFS: XPU 1.33
BlackICE Server Protection: 3.6.cpa
BlackICE PC Protection: 3.6cpa
BlackICE Agent for Server: 3.6eof
RealSecure Server Sensor: XPU 22.34
RealSecure Network: XPU 22.34
RealSecure Desktop: baseline
RealSecure Desktop Protector 3.6: baseline
Proventia Network IPS: 2.0
Virtual Server Protection for Vmware: 1.0
Proventia Server IPS for Linux technology: 1.0

Systems affected

Microsoft Windows 2000
Microsoft Exchange Server: 2000
Microsoft Windows XP: 2003 x64
Microsoft Windows 2003 Server: x64
Microsoft Windows 2003 Server
Microsoft Exchange Server: 2003 SP1
Microsoft Exchange Server: 2000 SP3
Microsoft Exchange Server: 2003

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Windows Server 2003 Simple Mail Transfer Protocol (SMTP) service, which is not installed by default on Windows Server 2003, Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003. By sending a specially-crafted DNS response message, a remote attacker could execute arbitrary code on the system.

How to remove this vulnerability

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
WinMs04035Patch

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
DNS_Windows_SMTP_Overflow

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-035. See References.

For Microsoft Exchange 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-021. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS04-035, but it was superseded by the patch released with MS05-021.

References

CIAC Information Bulletin P-005
Windows SMTP Vulnerability could Allow Remote Code Execution
http://www.ciac.org/ciac/bulletins/p-005.shtml

CERT Vulnerability Note VU#394792
Microsoft Windows SMTP component vulnerable to remote code execution
http://www.kb.cert.org/vuls/id/394792

Microsoft Security Bulletin MS04-035
Vulnerability in SMTP Service Could Allow Code Execution (885881)
http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx

Microsoft Security Bulletin MS05-021
Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)
http://www.microsoft.com/technet/security/bulletin/ms05-021.mspx

ISS X-Force
Microsoft Windows 2003 SMTP service code execution
http://www.iss.net/security_center/static/17621.php

CVE
CVE-2004-0840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0840