CVE-2002-1561
Published 2003-04-02
Priority: P4 · 24 · medium · 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 42.63% (98.5th percentile)
The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, cve CVE_2002_1561, signature_severity Informational, updated_at 2019_07_26;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5; metadata:created_at 2010_09_23, cve CVE_2002_1561, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
- Detect malformed RPC bind/request packets sent to TCP port 135 (RPC Endpoint Mapper); the exploit begins with a DCE/RPC bind packet starting with bytes \x05\x00\x0b\x03, followed by oversized fragmented request packets that trigger the null pointer dereference.
- Monitor for the flowbit smb.tree.bind.irot being set, followed by a DCERPC request on port 135 with content |05| and |00 02| at specific offsets, as matched by Snort SID 2103238.
- A variant of this vulnerability can be triggered by flooding a patched system with malformed packets (250–400 repeated connections recommended by the exploit author for patched Windows 2000/XP), so alert on high-rate repeated TCP connections to port 135 from a single source.
- Applying the Microsoft patch (MS03-010) may cause problems in IIS environments where COM+ is used; ASP transactions may be affected.
- The Snort rule SID 2103269 targeting port 445 is marked confidence Medium and signature_severity Informational; tune thresholds accordingly to avoid alert fatigue.
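An added example, not part of the original page or of the ruleset: a Python rendering of the header checks made by the two port-135 rules listed on this page (SID 2103238, big-endian, and SID 2103239, little-endian), run against constructed sample PDUs. It assumes the standard connection-oriented DCE/RPC request layout, does not model the smb.tree.bind.irot flowbit precondition, and the names `match_at`, `scan` and `build_request` are hypothetical.

```python
import struct

# Offsets relative to the matched |05| byte, derived from the rule options.
PTYPE_OFF = 2    # content:"|00|"; within:1; distance:1   -> PTYPE 0 (request)
DREP_OFF = 4     # byte_test:1,&,16,3,relative            -> 0x10 bit = little-endian
OPNUM_OFF = 22   # content:"|00 02|" or "|02 00|"; within:2; distance:19
VALUE_OFF = 24   # byte_test:4,>,128,0[,little],relative  -> 4 bytes after the opnum
NEEDED = VALUE_OFF + 4


def match_at(payload: bytes, p: int, threshold: int = 128):
    """Apply the rule checks with the |05| byte at offset p; return a SID or None."""
    if p + NEEDED > len(payload):
        return None  # not enough data for the final byte_test
    if payload[p] != 0x05 or payload[p + PTYPE_OFF] != 0x00:
        return None
    little = bool(payload[p + DREP_OFF] & 0x10)
    order = "<" if little else ">"
    (opnum,) = struct.unpack_from(order + "H", payload, p + OPNUM_OFF)
    (value,) = struct.unpack_from(order + "I", payload, p + VALUE_OFF)
    if opnum != 2 or value <= threshold:  # the rules use a strict '>'
        return None
    return 2103239 if little else 2103238


def scan(payload: bytes):
    """Try every 0x05 byte as a header start.

    The rules' content:"|05|" carries no depth/offset, so the pattern is not
    anchored to the start of the payload; this mirrors that behaviour.
    Returns (offset, sid) for the first match, or None.
    """
    for p, byte in enumerate(payload):
        if byte == 0x05:
            sid = match_at(payload, p)
            if sid is not None:
                return p, sid
    return None


def build_request(little: bool, opnum: int, value: int) -> bytes:
    """Constructed sample: 24-byte request header plus one 4-byte value."""
    order = "<" if little else ">"
    drep = bytes([0x10 if little else 0x00, 0, 0, 0])
    pdu = bytes([5, 0, 0, 0x03]) + drep              # version 5.0, PTYPE 0, flags
    pdu += struct.pack(order + "HHI", 28, 0, 1)      # frag_length, auth_length, call_id
    pdu += struct.pack(order + "IHH", 4, 0, opnum)   # alloc_hint, context id, opnum
    return pdu + struct.pack(order + "I", value)


if __name__ == "__main__":
    samples = {
        "big-endian, opnum 2, value 512": build_request(False, 2, 512),
        "little-endian, opnum 2, value 512": build_request(True, 2, 512),
        "value exactly 128 (not > 128)": build_request(False, 2, 128),
        "different opnum": build_request(False, 3, 512),
        "pattern at offset 3": b"\x00\x00\x00" + build_request(True, 2, 512),
    }
    for label, data in samples.items():
        print(f"{label}: {scan(data)}")
```

Because the pattern is unanchored, the last sample still matches at offset 3; the flowbit set by the earlier bind is what keeps the real rules from firing on arbitrary payloads.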
Suricata
GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,li
Suricata
GPL NETBIOS DCERPC IrotIsRunning attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, cve CVE_2002_1561, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB IrotIsRunning unicode attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.
Suricata
GPL NETBIOS DCERPC IrotIsRunning little endian attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4; metadata:created_at 2010_09_23, cve CVE_2002_1561, signature_severity Informational, updated_at 2019_07_26;)
Suricata
GPL NETBIOS SMB IrotIsRunning unicode andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,102
Suricata
GPL NETBIOS SMB IrotIsRunning unicode little endian attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/
Suricata
GPL NETBIOS SMB-DS IrotIsRunning attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-
Suricata
GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/te
Suricata
GPL NETBIOS SMB IrotIsRunning little endian andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little;
Suricata
GPL NETBIOS SMB IrotIsRunning andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; ref
Suricata
GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relativ
Suricata
GPL NETBIOS SMB IrotIsRunning attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode
Suricata
GPL NETBIOS SMB-DS IrotIsRunning little endian attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx;
Suricata
GPL NETBIOS SMB IrotIsRunning little endian attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classt
Suricata
GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4
Suricata
GPL NETBIOS SMB-DS IrotIsRunning unicode attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS0
Suricata
GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,litt
Suricata
GPL NETBIOS SMB-DS IrotIsRunning andx attempt
suricata·2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,600
Exploit-DB
Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (1)
exploitdb·2002-10-22
---
// source: https://www.securityfocus.com/bid/6005/info
The Microsoft Windows RPC service contains a flaw that may allow a remote attacker to cause a denial of service. By sending a specifically malformed packet to TCP port 135, the RPC service will be disabled.
This vulnerability was originally reported to only affect Windows 2000. Microsoft has confirmed that Windows NT 4.0 and XP are also vulnerable.
It has been reported that installation of the provided patch will cause some problems in IIS environments. Specifically, users who are using COM+ in IIS environments may experience problems with ASP transactions.
A variant of this issue has been reported which allegedly affects patched systems. It is apparently po
Exploit-DB
Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (2)
exploitdb·2002-10-22
---
// source: https://www.securityfocus.com/bid/6005/info
Exploit-DB
Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (3)
exploitdb·2002-10-18
---
source: https://www.securityfocus.com/bid/6005/info
Exploit-DB
Microsoft Windows XP/2000/NT 4.0 - RPC Service Denial of Service (4)
exploitdb·2002-10-18
---
source: https://www.securityfocus.com/bid/6005/info
References
- http://www.kb.cert.org/vuls/id/261537
- http://www.securityfocus.com/archive/1/296114/2002-10-14/2002-10-20/0
- http://www.securityfocus.com/bid/6005
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-010
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A59