Rule:

--
Sid:
2190

--
Summary:
This event is generated when an attempt is made to exploit a known vulnerability in Microsoft RPC DCOM.

--
Impact:
Denial of Service (DoS).

--
Detailed Information:
A vulnerability exists in Microsoft RPC DCOM such that arbitrary code execution or a Denial of Service condition can be triggered on a host by sending malformed data via RPC. The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC. A malformed request to an RPC port results in a buffer overflow condition that presents the attacker with the opportunity to execute arbitrary code with the privileges of the local system account.

--
Affected Systems:
Windows NT 4.0
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP
Windows Server 2003

--
Attack Scenarios:
An attacker may make a request for a file with an overly long filename via a network share.

--
Ease of Attack:
Simple. Exploit code exists.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

--
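The packet-filtering part of the corrective action above, written out as an added example (not part of the Sourcefire rule documentation) for a Linux host or gateway running iptables. The interface name `eth0`, the internal prefix `10.0.0.0/8`, the `RPC-DCOM-BLOCK` log prefix and the helper names are assumptions; by default the script only prints the commands it would run, so it can be reviewed before `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example: block TCP/UDP 135, 139 and 445 from external sources,
# logging matches so attempts show up in syslog alongside the IDS alert.
# Assumptions (not from the rule documentation): interface, internal net,
# log prefix. Dry-run by default; set IPT=iptables to apply for real.

EXT_IF="${EXT_IF:-eth0}"                    # assumed Internet-facing interface
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"  # assumed range still allowed to use RPC/SMB
IPT="${IPT:-echo iptables}"                 # "echo iptables" = print only
RPC_PORTS="135,139,445"                     # ports named in Corrective Action

# Insert a LOG rule and a DROP rule at the top of INPUT and FORWARD for
# each protocol. Because -I places each rule at position 1, DROP is
# inserted first so that the LOG rule (non-terminating) ends up above it.
block_rpc_from_external() {
    for chain in INPUT FORWARD; do
        for proto in tcp udp; do
            $IPT -I "$chain" -i "$EXT_IF" ! -s "$INTERNAL_NET" \
                -p "$proto" -m multiport --dports "$RPC_PORTS" -j DROP
            $IPT -I "$chain" -i "$EXT_IF" ! -s "$INTERNAL_NET" \
                -p "$proto" -m multiport --dports "$RPC_PORTS" \
                -m limit --limit 5/min -j LOG --log-prefix "RPC-DCOM-BLOCK "
        done
    done
}

# Number of rules the function emits (2 chains x 2 protocols x 2 rules),
# computed in dry-run mode so it never touches the live ruleset.
count_rules() {
    ( IPT="echo iptables"; block_rpc_from_external ) | wc -l | tr -d ' '
}

block_rpc_from_external
```

Run it once as shown to review the eight generated rules, then `IPT=iptables sh block-rpc.sh` to install them. Hosts that legitimately serve SMB or DCOM to the internal range keep working because sources inside `INTERNAL_NET` are excluded by the `! -s` match; the rate-limited LOG rule keeps a burst of scanning from flooding syslog while still recording that blocked attempts occurred.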