Vulnerability:Win/SMB.LANMAN.DoS!CAN-2002-0724

Severity rating
Moderate

Class/Type
Vulnerability

Discovered date
2002-08-22T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium







Description

SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, and serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers return SMB responses, in what is described as a client-server, request-response protocol. By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system.



Impact

This is a denial of service attack. By sending a specially crafted packet request to a computer, an attacker can crash the target machine. The attacker can accomplish this with either a user account or anonymous access. Though not confirmed, it may be possible to execute arbitrary code.



Technical details (analysis)

The vulnerability results from a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. There is an unchecked buffer in a section of code that requests the SMB service.



Affected software

Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Windows XP Professional



Non-affected software

All those not on the affected list.



References




Solutions




NIS signature

Name: Vulnerability:Win/SMB.LANMAN.DoS!CAN-2002-0724
Release Date: 2002-08-22T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

An administrator can block access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent this attack from untrusted parties. In a file and printing environment, this may not be a practical solution for legitimate users.
An administrator can stop the Lanman server service, which prevents the attack, but again this may not be suitable on a file and print sharing server.