IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, Proventia Network IPS, RealSecure Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects requests to Microsoft Server service operations 31 and 35 that are crafted to trigger buffer overflows.
High
IBM Security Server Protection for Windows: 1.0.914.1820, Proventia Network MFS: XPU 1.81, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 24.42, Proventia Desktop: 1820, Proventia-G 1.1 and earlier: XPU 24.42, RealSecure Network: XPU 24.42, RealSecure Server Sensor: XPU 24.42, BlackICE Server Protection: 3.6.cpn, BlackICE PC Protection: 3.6cpn, Proventia Network IPS: XPU 1.81, RealSecure Desktop: epn, Proventia Server IPS for Linux technology: 1.81, Virtual Server Protection for VMware: 1.0
Microsoft Windows 2000, Microsoft Windows 2000: SP1, Microsoft Windows 2000: SP2, Microsoft Windows 2000: SP3, Microsoft Windows XP: SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows 2003
Unauthorized Access Attempt
The Microsoft Windows Server service is vulnerable to a buffer overflow. By sending a specially crafted message to TCP port 139 or 445 on an affected system, a remote attacker could overflow a buffer and execute arbitrary code on the system.
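As an added illustration (not IBM's signature logic, which this page does not publish), the Python sketch below shows how a sensor can recognise requests to Server service operations 31 and 35: it records which DCE/RPC presentation contexts a bind ties to the Server service interface, then checks the opnum of later requests on those contexts. It assumes the DCE/RPC PDUs have already been extracted from the SMB session on TCP 139/445; the interface UUID comes from Microsoft's protocol documentation rather than this page, the class and helper names are hypothetical, and the code only identifies the calls, not the overflow condition.

```python
import struct, uuid

SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # Server service (srvsvc) interface
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax
WATCHED_OPNUMS = {31, 35}     # the operations named in the signature description
PTYPE_REQUEST, PTYPE_BIND = 0, 11

class SrvsvcWatcher:
    """Tracks one DCE/RPC association; feed() takes PDUs already extracted from SMB."""
    def __init__(self):
        self.contexts = set()  # presentation context ids bound to srvsvc

    def feed(self, pdu):
        """Return the opnum if pdu is a request to a watched srvsvc operation, else None."""
        if len(pdu) < 16 or pdu[0] != 5:
            return None                        # not connection-oriented DCE/RPC v5
        little = bool(pdu[4] & 0x10)           # data representation: integer byte order
        e = "<" if little else ">"
        frag_len, = struct.unpack_from(e + "H", pdu, 8)
        if frag_len > len(pdu):
            return None                        # truncated fragment, do not guess
        pdu = pdu[:frag_len]
        if pdu[2] == PTYPE_BIND and frag_len >= 28:
            off = 28                           # first presentation context element
            for _ in range(pdu[24]):           # n_context_elem
                if off + 24 > frag_len:
                    break
                ctx_id, n_syn = struct.unpack_from(e + "HB", pdu, off)
                raw = pdu[off + 4:off + 20]    # abstract syntax (interface) UUID
                iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
                if iface == SRVSVC:
                    self.contexts.add(ctx_id)
                off += 24 + 20 * n_syn         # skip version and transfer syntaxes
        elif pdu[2] == PTYPE_REQUEST and frag_len >= 24:
            ctx_id, opnum = struct.unpack_from(e + "HH", pdu, 20)
            if ctx_id in self.contexts and opnum in WATCHED_OPNUMS:
                return opnum
        return None

def _pdu(ptype, body):  # constructed sample: little-endian common header + body
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body

def sample_bind(ctx_id, iface):  # constructed bind with one context element
    return _pdu(PTYPE_BIND, struct.pack("<HHIBBHHBB", 4280, 4280, 0, 1, 0, 0, ctx_id, 1, 0)
                + iface.bytes_le + struct.pack("<I", 3) + NDR.bytes_le + struct.pack("<I", 2))

def sample_request(ctx_id, opnum):  # constructed request header, no stub data
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", 0, ctx_id, opnum))
```

A request is reported only after a bind to the Server service interface has been seen on the same context, so an opnum of 31 or 35 against any other interface is ignored.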
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-040. See References.
For Windows 2000 prior to SP4:
Upgrade to Windows 2000 SP4 or later, and apply the patch listed in Microsoft Security Bulletin MS06-040. See References.
For Windows 2000 SP4 and Windows XP SP2:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-070. See References.
Note: Microsoft originally provided a workaround for this vulnerability in MS06-040, but it was superseded by the patch released with MS06-070.
Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
US-CERT Vulnerability Note VU#650769
Microsoft Windows Server service buffer overflow
http://www.kb.cert.org/vuls/id/650769
Internet Security Systems Protection Advisory August 8, 2006
Microsoft Server Service Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/alerts/id/232
US-CERT Technical Cyber Security Alert TA06-220A
Microsoft Windows, Office, and Internet Explorer Vulnerabilities
http://www.us-cert.gov/cas/techalerts/TA06-220A.html
FrSIRT/ADV-2006-3210
Microsoft Windows Server Service Remote Code Execution Vulnerability (MS06-040)
http://www.frsirt.com/english/advisories/2006/3210
SA21388
Windows Server Service Buffer Overflow Vulnerability
http://secunia.com/advisories/21388/
Microsoft Knowledge Base Article 921883
MS06-040: Vulnerability in Server service could allow remote code execution
http://support.microsoft.com/kb/921883
cisco-sr-20060814-ms06-040-vulnerability
Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability
http://www.cisco.com/warp/public/707/cisco-sr-20060814-ms06-040-vulnerability.shtml
Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
Offensive Security Exploit Database [02-11-2011]
Microsoft Server Service NetpwPathCanonicalize Overflow
http://www.exploit-db.com/exploits/16367/
ISS X-Force
Microsoft Windows Server service buffer overflow
http://www.iss.net/security_center/static/28002.php
CVE
CVE-2006-3439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439