This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects an attempt to exploit a vulnerability in the PCT (Private Communications Transport) protocol.
Various Microsoft Windows operating systems are prone to a remotely exploitable buffer overrun via the PCT (Private Communications Transport) protocol. PCT is included as part of the SSL library and was developed as an alternative to SSL 2.0, though it has been largely superseded by SSL 3.0.
The source of the vulnerability is insufficient bounds checking of parameters in TCP packets that are received by an SSL-enabled service such as IIS, Exchange Server or Analysis Services 2000. When the malformed parameters are handled by the underlying operating system library, a stack-based buffer overrun may occur. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.
The vulnerability may also reportedly be exploitable by a local user who passes malicious parameters to the vulnerable component interactively or through another application.
This issue is reported to affect only systems that have SSL enabled, but it could also affect Windows 2000 Domain Controllers under some circumstances. Windows Server 2003 is affected only if PCT has been manually enabled in addition to SSL support. Reportedly, both PCT 1.0 and SSL 2.0 must be enabled for successful exploitation.
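The exposure condition above can be checked offline against a regedit export taken from a host. The following is an added example, not part of the original advisory or of any vendor tool: the Schannel Protocols key path and its "Enabled" value come from Microsoft's Schannel documentation rather than from this page, the sample exports are constructed, and the per-OS defaults passed in are assumptions the auditor supplies.

```python
import re

# Schannel protocol settings key (Microsoft-documented; not quoted on the page).
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
        r"\SecurityProviders\SCHANNEL\Protocols")

def parse_reg(text):
    """Map each [key] in a regedit export to its {value name: raw data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def enabled_flag(raw):
    """True/False for a dword: or hex: 'Enabled' value, None if absent."""
    if raw is None:
        return None
    kind, _, data = raw.partition(":")
    if kind.lower() not in ("dword", "hex"):
        raise ValueError("unexpected registry type: " + raw)
    return int(data.replace(",", "") or "0", 16) != 0

def server_protocol(keys, proto, default):
    """Server-side state of one protocol; `default` applies when nothing is set."""
    values = keys.get(f"{BASE}\\{proto}\\Server".upper(), {})
    flag = enabled_flag(values.get("enabled"))
    return default if flag is None else flag

def pct_exposed(reg_text, pct_default, ssl2_default):
    """Advisory's condition: both PCT 1.0 and SSL 2.0 must be enabled.
    The *_default arguments are the auditor's assumption for the OS when the
    export sets nothing (e.g. pct_default=False for Windows Server 2003)."""
    keys = parse_reg(reg_text)
    return (server_protocol(keys, "PCT 1.0", pct_default)
            and server_protocol(keys, "SSL 2.0", ssl2_default))

# Constructed sample exports (not taken from a real host).
KEY = "[" + BASE + r"\PCT 1.0\Server]"
SAMPLE_DISABLED = "REGEDIT4\n\n" + KEY + '\n"Enabled"=hex:00,00,00,00\n'
SAMPLE_ENABLED = "REGEDIT4\n\n" + KEY + '\n"Enabled"=dword:00000001\n'
```

A False result only means the PCT precondition is not met in the exported settings; it does not replace applying the Microsoft fixes.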
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers
Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP Home SP1
Avaya has released an advisory announcing that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advises customers to follow the Microsoft recommendations for resolving this issue. The advisory can be viewed at the following location: Avaya Support ASA-2004-005
Microsoft has released fixes to address this issue.
US-CERT has released advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.