Rule:

--
Sid:
2959

--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
services.

--
Impact:
Serious. Execution of arbitrary code with system level privileges

--
Detailed Information:
A vulnerability exists in Microsoft NetDDEems:
	Windn in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.

--
Affected Systems:
Any host using IIS.

--
Attack Scenarios:
An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.

Ensure that the IIS implementation is fully patched.

Ensure that the underlying operating system is fully patched.

Employ strategies to harden the IIS implementation and operating system.

Check the host for signs of compromise.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--
                                                                                                       