RealSecure Desktop, Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature looks for a specially crafted MSRPC MSDNS request that is used to conduct a buffer overflow.
High
RealSecure Desktop: eqe, Proventia Desktop: 1990, Proventia Network IPS: XPU 1.98, RealSecure Network: XPU 24.59, RealSecure Server Sensor: XPU 24.59, BlackICE PC Protection: 3.6cqe, BlackICE Server Protection: 3.6.cqe, Proventia Network MFS: XPU 1.98, IBM Security Server Protection for Windows: 1.0.914.1990, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia-G 1.1 and earlier: XPU 24.59, Proventia Network IDS: XPU 24.59, Proventia Server IPS for Linux technology: 1.99, Virtual Server Protection for VMware: 1.0
Microsoft Windows 2000: SP4 Server, Microsoft Windows 2003 Server: SP1 x64, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64
Unauthorized Access Attempt
The Microsoft Windows Domain Name System (DNS) Server is vulnerable to a stack-based buffer overflow in the RPC interface. By sending a specially crafted Remote Procedure Call (RPC) packet to a vulnerable system, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-029. See References.
Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/935964.mspx
Microsoft Knowledge Base Article 935964
Microsoft Security Advisory: A vulnerability in RPC in the Windows DNS Server service could allow remote code execution
http://support.microsoft.com/kb/935964
Microsoft Security Response Center Blog, Thursday, April 12, 2007 8:56 PM
Microsoft Security Advisory 935964 Posted
http://blogs.technet.com/msrc/archive/2007/04/12/microsoft-security-advisory-935964-posted.aspx
Microsoft Security Bulletin MS07-029
Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
ISS X-Force
Microsoft Windows DNS Server RPC interface buffer overflow
http://www.iss.net/security_center/static/33629.php
CVE
CVE-2007-1748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748