Intrusion Prevention

SMB.Malformed.DataOffset.Overflow

Description

This indicates a possible attempt to exploit multiple buffer-overflow vulnerabilities in Sourcefire Intrusion Sensor and Snort. It can also be an attempt to exploit a Microsoft Windows Denial of Service (DoS) vulnerability.
For Microsoft Windows, a remote attacker could cause the computer to stop responding and to restart by sending specially crafted packets.
For Snort, a remote attacker could execute arbitrary code on the victim's system with root or SYSTEM privileges by sending specially crafted packets to the network that is being monitored by the vulnerable application.

Affected Products

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems*
Windows Server 2008 for x64-based Systems*
Windows Server 2008 for Itanium-based Systems
Snort version 2.6.1
Snort version 2.6.1.1
Snort version 2.6.1.2
Snort version 2.7 beta 1
Sourcefire Intrusion Sensor versions 4.1.x
Sourcefire Intrusion Sensor versions 4.5.x
Sourcefire Intrusion Sensor versions 4.6.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.5.x
Sourcefire Intrusion Sensor Software for Crossbeam versions 4.6.x

Impact

Microsoft Windows - Denial of Service: Remote attackers can crash vulnerable systems
Snort - System Compromise: Remote attackers can gain control of vulnerable systems

Recommended Actions

For Microsoft Windows, apply the patch available from the Microsoft website:
http://www.microsoft.com/technet/security/Bulletin/ms09-001.mspx
For Snort, upgrade to Snort version 2.6.1.3 or 2.7 beta 2:
http://www.snort.org/dl/
Apply SEU 64 for Sourcefire Intrusion Sensor:
https://support.sourcefire.com/