Rule:

--
Sid:
5618

--
Summary:
This rule generates an event when an attempt is made to access a registry key on a remote machine without adequate authentication.

--
Impact:
Execution of arbitrary code leading to full administrator access of the machine. Denial of Service (DoS).

--
Detailed Information:
A vulnerability in the way that Microsoft systems process authentication information may lead to a remote attacker being able to bypass restrictions and manipulate registry settings.

The remote registry server does not properly handle malformed requests, if the service fails a remote attacker may be able to take control of an affected machines via the manipulation of the machine registry.

--
Affected Systems:
Windows NT 4.0
Windows NT 4.0 Terminal Server Edition

--
Attack Scenarios:
An attacker would need to supply a malformed request to the remote registry service to cause the failure to authenticate. The attacker could then manipulate the registry.

--
Ease of Attack:
Simple. Expoit code exists.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Block access to RPC ports 135, 139 and 445 for both TCP and UDP protocols from external sources using a packet filtering firewall.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Matt Watchinski <matthew.watchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
