HighIBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects specially crafted requests to Microsoft Server Service operations NetPathCanonicalize (31) and NetrPathCompare (32). Malicious constructs in the path name values can lead to a buffer overflow and code execution.
This signature detects specially crafted requests to Microsoft Server Service operations 31 and 32 path values designed to conduct buffer overflows.
High
IBM Security Server Protection for Windows: 2.0.300.2300, BlackICE Server Protection: 3.6.crj, IBM Security Server Protection for Windows: 1.0.914.2300, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 28.160, Proventia Network MFS: XPU 28.160, Proventia-G 1.1 and earlier: XPU 28.160, RealSecure Network: XPU 28.160, RealSecure Server Sensor: XPU 28.160, BlackICE PC Protection: 3.6crj, Proventia Desktop: 2300, Proventia Network IPS: XPU 28.160, Proventia Server IPS for Linux technology: 28.160, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3
Unauthorized Access Attempt
Microsoft Windows Server Service could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the Remote Procedure Call (RPC) service. By sending specially-crafted RPC requests to a vulnerable system, a remote attacker could exploit this vulnerability to execute arbitrary code and gain complete control over the affected system.
For Windows Vista and Windows Server 2008 the attacker must be an authenticated user with access to the target network in order to exploit this vulnerability.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-067. See References.
Microsoft Security Bulletin MS08-067
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
NORTEL BULLETIN ID: 2008009147, Rev 2
Nortel Response to Microsoft Security Bulletin MS08-067
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=783522
Offensive Security Exploit Database [01-21-2011]
Microsoft Server Service Relative Path Stack Corruption
http://www.exploit-db.com/exploits/16362/
ISS X-Force
Microsoft Windows Server Service RPC code execution
http://www.iss.net/security_center/static/46040.php
CVE
CVE-2008-4250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250