ProCurve Switches ProCurve 5400zl Threat Management Services zl Module Installation and Getting Started Guide IPS/IDS Signature Reference Guide Version RLX.10.2.2.
© Copyright 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. Publication Date May 2009 HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 Signature ID: 1 BEA WebLogic URL JSP Request Source Code Disclosure Vulnerability Threat Level: Warning Bugtraq: 2527 Nessus: 10715,10949 Signature Description: BEA Systems WebLogic Server is an enterprise level web and wireless application server. Apache Tomcat is a Servlet container developed by the Apache Software Foundation (ASF). BEA Systems Weblogic Server 5.1, Apache Software Foundation Tomcat 4.
Signature ID: 7 Alibaba get32.exe Arbitrary Command Execution Vulnerability Threat Level: Severe Industry ID: CVE-1999-0885 Bugtraq: 770 Nessus: 10011 Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and serving them HTTP responses along with optional data contents, which usually are web pages such as HTML documents and linked objects (images, etc.
Signature ID: 13 Httpd input2.bat arbitrary command execution Vulnerability Threat Level: Warning Industry ID: CVE-1999-0947 Bugtraq: 762 Nessus: 10016 Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and serving them HTTP responses along with optional data contents, which usually are web pages such as HTML documents and linked objects (images, etc.
server on the World Wide Web. Apache::ASP module provides support for Active Server Pages on the Apache Web Server with Perl scripting, and enables the development of dynamic web applications with session management and embedded Perl code. Apache::ASP module 1.93 and earlier come with source.
database server. Basilix Webmail System version 0.9.7beta is vulnerable to Information Disclosure. If the Web server is not configured to recognize files with .class or .inc extensions as PHP scripts in the httpd.conf file, a remote attacker can send an HTTP request to view these files, which may contain sensitive data, such as the MySQL password and username information. As a workaround, define the .class and .
Signature ID: 27 Calendar admin cgi vulnerability attempt Threat Level: Severe Industry ID: CVE-2000-0432 Bugtraq: 1215 Nessus: 10506 Signature Description: Matt Kruse's Calendar script is a popular, free Perl CGI script used by many websites on the Internet. It allows a website administrator to easily set up and customize a calendar on their website. There are two components of this package, calendar-admin.pl and calendar.pl.
(later purchased by Sun Microsystems) featuring a modified Red Hat Linux operating system and a proprietary GUI for server management. Cobalt RaQ 2 and RaQ 3 servers come with a program called "cgiwrap", which acts as a wrapper for cgi programs, so that they run with the uid of their user instead of 'nobody'. cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts.
Signature ID: 42 Access to Vulnerable Dbman CGI Threat Level: Warning Industry ID: CVE-2000-0381 Bugtraq: 1178 Signature Description: DBMan is a full-featured Database Manager that provides a web interface to add, remove, modify or view records in a flat-file ASCII database. It is possible to cause the DBMan 2.0.
successful exploitation of this vulnerability allows an attacker to access sensitive information on the vulnerable system. This signature specifically detects the "nsf" pattern in the traffic sent to the http server.
with the privileges of the http daemon (root or nobody). It allows remote command execution via shell metacharacters due to insufficient input validation in the architext_query.pl script. Signature ID: 70 Faxsurvey cgi vulnerability Threat Level: Warning Industry ID: CVE-1999-0262 Bugtraq: 2056 Nessus: 10067 Signature Description: Hylafax is a popular fax server software package designed to run on multiple UNIX operating systems.
site files on the server. FrontPage extensions in Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server Extensions for IIS allow a remote attacker to read files on the server by using a nonstandard URL. Specifically, two DLLs (dvwssr.dll and mtd2lv.dll) include an obfuscation string that manipulates the name of requested files.
Matt Wright GuestBook 2.3 allows for remote command execution, including displaying of any files to which the web server has read access. Philip Chinery's Guestbook 1.1 does not filter script code from form fields. As a result, it is possible for an attacker to inject script code into pages that are generated by the guestbook.
Signature ID: 88 Htmlscript cgi access vulnerability Threat Level: Severe Industry ID: CVE-1999-0264 Bugtraq: 2001 Nessus: 10106 Signature Description: Miva's htmlscript CGI program provides a unique scripting language with HTML type tags. Versions of the htmlscript interpreter (a CGI script) prior to 2.9932 are vulnerable to a file reading directory traversal attack using relative paths (e.g., "../../../../../../etc/passwd").
the vulnerability, which results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server.
Signature ID: 101 Microsoft IIS/PWS UNICODE Characters Decoding Command Execution Vulnerability Threat Level: Warning Industry ID: CVE-2001-0333 Bugtraq: 2708 Nessus: 10671 Signature Description: MS IIS 4.0 and 5.0 have a vulnerability in the filename processing of CGI programs. When IIS receives a CGI filename request, it automatically performs two actions before completing the request.
'/iissamples/issamples/' directory), search.idq, query.idq (all in '/iissamples/exair/search/' directory), codebrws.asp (in '/iissamples/exair/howitworks/' directory), qsumrhit.htw and qfullhit.htw (both in '/iissamples/issamples/oop/' directory).
applications which allow code injection by malicious web users into the web pages viewed by other users. Horde IMP is a powerful web-based mail interface/client developed by members of the Horde project. It is written in PHP and provides webmail access to IMAP and POP3 accounts. All releases of Horde IMP Webmail prior to version 2.2.
Signature ID: 117 Allaire JRun 2.3.x Sample Files Vulnerability Threat Level: Warning Industry ID: CVE-2000-0539 CVE-2000-0540 Bugtraq: 1386 Nessus: 10444,10996 Signature Description: JRun is a Java application server, originally developed as a Java Servlet engine by Live Software and subsequently purchased by Allaire. A number of vulnerabilities in Allaire JRun 2.3.x allow remote attackers to obtain sensitive information, e.g.
Web site. The access settings for this URL can be either 'allow all' or 'allow no one'. An attacker can gain valuable information if the access is given to this URL. Hence access to this information must be restricted.
Option Pack is a set of Web and application services that enables developers to create the next generation of distributed network applications for Windows NT Server. Microsoft IIS is a popular web server package for Windows based platforms. MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services).
supported by the inbuilt Tektronix PhaserLink webserver. No authentication mechanism exists to validate such connections. Arbitrary pages inside the printer's administration interface may be requested on the PhaserLink webserver. Hence, by using methods like the printer's 'Emergency Power Off' or IP configuration changes, an attacker can cause a denial of service.
directory. This allows an attacker to gain valuable information about the directory structure of the remote host and could reveal the presence of files which are not intended to be visible. Netscape FastTrack Server 3.0.1 is vulnerable.
For instance, the request http://example/cgi-bin/GW5/GWWEB.exe?HELP=some_bad_request will reveal path information, and http://example/cgi-bin/GW5/GWWEB.exe?HELP=../../../../../../index will list .htm and .html files. Signature ID: 145 Access to vulnerable CGI nph-publish.cgi Threat Level: Severe Industry ID: CVE-1999-1177 CVE-2001-0400 Bugtraq: 2563 Nessus: 10164 Signature Description: The nph-publish.
Signature ID: 150 MacOS X Finder reveals contents of Apache Web files vulnerability Threat Level: Warning Industry ID: CVE-2001-1446 CVE-2001-1446 Bugtraq: 3325 Nessus: 10773 Signature Description: Mac OS X is a line of computer operating systems developed, marketed, and sold by Apple Inc., which come pre-loaded on Macintosh computers. Find-By-Content in Mac OS X 10.0 through 10.0.4 creates index files named '.
program allows remote attackers to read arbitrary files via a .. (dot dot) character sequence and to execute arbitrary commands via shell metacharacters in the documentName parameter. Signature ID: 155 PCCS-Mysql User/Password Exposure vulnerability Threat Level: Warning Industry ID: CVE-2000-0707 Bugtraq: 1557 Nessus: 10783 Signature Description: PCCS-Mysql Database Admin Tool is a web-based front end to MySQL written in PHP.
known as the 'CGI bin directory'. Early documentation for Netscape and other servers recommended placing the interpreters in the CGI bin directory to ensure that they were available to run the script. Signature ID: 160 WEB-CGI pfdispaly.
Signature ID: 164 PHP-Nuke Remote File (Copy/Delete) Vulnerability Threat Level: Severe Industry ID: CVE-2001-1032 Bugtraq: 3361 Nessus: 10772 Signature Description: PHP Nuke is a website creation/maintenance tool written in PHP3. PHP-Nuke versions 5.2 and earlier suffer from a vulnerability. The vulnerability is caused by inadequate processing of queries by PHP-Nuke's admin.
Signature ID: 169 Pi3Web tstisap.dll overflow vulnerability Threat Level: Warning Industry ID: CVE-2001-0302 CVE-2001-0303 Bugtraq: 2381 Nessus: 10618 Signature Description: John Roy Pi3Web web server is a free, multithreaded, highly configurable and extensible HTTP server and development environment for cross platform internet server development and deployment. The ISAPI application, tstisapi.
Signature Description: The /cgi-bin/printenv.pl program is a small Perl routine which, when invoked, returns the CGI Environment Variables set on the server upon which it was invoked. This code can be used to retrieve all of the CGI Environment Variables and print them out (while testing the code) and must not be available on the server except during development of the website.
support threads this will prevent the server from serving other clients. Thus, an attacker can launch a denial of service attack. Signature ID: 179 Caldera OpenLinux 2.3 rpm_query CGI Vulnerability Threat Level: Warning Industry ID: CVE-2000-0192 Bugtraq: 1036 Nessus: 10340 Signature Description: Linux is a Unix-like computer operating system.
arbitrary directories by specifying the directory or invalid values in the 'query' parameter. This allows an attacker to gain valuable information about the directory structure of the remote host and could reveal the presence of files which are not intended to be visible. Such information can be used by the attacker in subsequent attacks.
'sendtemp.pl' is vulnerable to a directory traversal and file retrieval vulnerability. Using this script, an attacker can view contents of directories outside of the configured template directory with the privileges of the Apache web server process.
Signature ID: 193 Shells in /cgi-bin vulnerability Threat Level: Severe Industry ID: CVE-1999-0509 Nessus: 10252 Signature Description: A shell interpreter is software for interacting with the computer operating system using commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server.
vulnerable CGI program is 'siteUserMod.cgi'. The attacker can then access or modify information pertaining to any account on the system and remove all logs that record the modifications made by him. Signature ID: 198 SIX Webboard's generate.cgi vulnerability Threat Level: Severe Industry ID: CVE-2001-1115 Bugtraq: 3175 Nessus: 10725 Signature Description: SIX-webboard is a Web bulletin board application developed by Sixhead.
Signature Description: Thinking Arts is a Devon (UK) based web design company specializing in art related ecommerce websites. Thinking Arts 'ES.One' package is one such solution. Directory traversal vulnerability in 'store.cgi' in 'Thinking Arts ES.One' 1.0 package allows remote attackers to read arbitrary files via a .. (dot dot) character sequence in the StartID parameter.
Signature ID: 208 Tomcat's /admin is world readable vulnerability Threat Level: Warning Industry ID: CVE-2000-0672 Bugtraq: 1548 Nessus: 10477 Signature Description: Apache Software Foundation Tomcat is a Servlet container. Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, providing a "pure Java" HTTP web server environment for the Java applications.
Signature Description: Tarantella Enterprise 3 is a tool for centralized web interface based management of data and applications for Unix and Linux based distributions. The 'ttawebtop.cgi' is a CGI script included with the Tarantella Enterprise 3 3.0 to 3.20.0. It does not sufficiently validate input. As a result, using a '..
Signature ID: 217 OmniHTTPd visadmin exploit vulnerability Threat Level: Warning Industry ID: CVE-1999-0970 Bugtraq: 1808 Nessus: 10295 Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving them HTTP responses along with optional data contents is known as a webserver.
Signature ID: 221 WebActive world readable log file vulnerability Threat Level: Warning Industry ID: CVE-2000-0642 Bugtraq: 1497 Nessus: 10470 Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving them HTTP responses along with optional data contents is known as a webserver. WEBactive is an HTTP server by ITAfrica. The default configuration of WebActive HTTP Server 1.
Signature ID: 226 Misconfigured Webcart information disclosure vulnerability Threat Level: Warning Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298 Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to misconfiguration of access policies.
interface to the "gais" (Global Area Intelligent Search) search engine tool developed by WebGAIS Development Team. Due to improper input checking in WebGAIS 1.0 to 1.0 B2 (inclusive), '/cgi-bin/webgais' script allows a remote attacker to execute commands at the privilege level of the web server.
Signature ID: 238 Whois_raw.cgi arbitrary command execution vulnerability Threat Level: Warning Industry ID: CVE-1999-1063 Bugtraq: 304 Nessus: 10306 Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server.
specified in the call to YaBB.pl in the variable num. Before retrieving the file, YaBB will append a .txt extension to the value given to the num field. Due to an input validation problem in YaBB Bulletin Board 9.1.2000, remote attackers can read arbitrary files via a '..' (dot dot) character sequence as the value of the num variable. The '.txt' extension can be avoided by appending %00 to .
Signature ID: 252 Oracle 9iAS mod_plsql cross site scripting vulnerability Threat Level: Warning Industry ID: CVE-2002-1636 Nessus: 10853 Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating enterprise applications. This software is produced and marketed by Oracle Corporation.
Signature ID: 258 Oracle 9iAS Dynamic Monitoring Services vulnerability Threat Level: Warning Industry ID: CVE-2002-0563 Bugtraq: 4293 Nessus: 10848 Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating enterprise applications. This software is produced and marketed by Oracle Corporation.
Signature ID: 262 MS Site Server Information disclosure vulnerability Threat Level: Warning Industry ID: CVE-2002-1769 Bugtraq: 3998 Nessus: 11018 Signature Description: Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It provides a means for users on a corporate intranet to share, publish, and find information.
Signature ID: 266 Attempt to check if IIS server has the .HTR ISAPI filter mapped Threat Level: Warning Industry ID: CVE-2002-0071 CVE-2000-1230 Bugtraq: 4474,2274 Nessus: 10932,10943 Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based platforms. Buffer overflow in the ‘ism.dll’ ISAPI extension that implements HTR scripting in IIS 4.0 and 5.
Signature ID: 273 GroupWise Web Interface 'HELP' path disclosure vulnerability Threat Level: Warning Industry ID: CVE-1999-1005 Bugtraq: 879 Nessus: 10877 Signature Description: GroupWise is a cross-platform collaborative software product from Novell, Inc. offering e-mail, calendaring, instant messaging and document management. GroupWise includes a web access component for use through a web browser. Novell Groupwise 5.2 to 5.
Signature ID: 279 CVS Entries access misconfiguration vulnerability Threat Level: Warning Nessus: 10922 Signature Description: Access to the 'CVS/Entries' path is detected by this signature. Access to this path exposes all file names in the CVS module on the web server. This may give sensitive information to a malicious user. He can use this information to make more focused attacks to gain access to these files.
Signature ID: 284 AlienForm CGI script vulnerability Threat Level: Warning Industry ID: CVE-2002-0934 Bugtraq: 4983 Nessus: 11027 Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server. AlienForm2 is an interface to the email gateway written in Perl and is maintained by Jon Hedley.
Signature ID: 295 Finger web gateway access vulnerability Threat Level: Warning Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server. The Finger command shows user information.
information about the computer including the type and speed of the processor, memory details, and other details of installed hardware. An attacker can use this information to make more focused attacks. Signature ID: 301 WinGate Logfile Server Vulnerability Threat Level: Information Signature Description: WinGate Proxy Server provides a Log File Server on port 8010 to remotely view logfiles.
characters in the recipient email address. This is possible because the open() call is used without filtering user input. An attacker can use shell metacharacters such as '|' to execute arbitrary code.
Signature Description: The "codebrws.asp" sample shipped with IIS 4.0 and SiteServer 3.x can be remotely exploited to read arbitrary files on vulnerable servers. This file is one of several sample files distributed with these servers that allow remote file viewing.
is possible for a remote user to manipulate the contents of '$DOCUMENT_URI' environment variable so that they will be executed with the UID of the httpd process when parsed by the interpreter. A malicious user can hence execute arbitrary commands on the web server. Signature ID: 330 ColdFusion fileexists.
Signature ID: 335 BNB survey.cgi CGI arbitrary command execution Vulnerability Threat Level: Warning Industry ID: CVE-1999-0936 Bugtraq: 1817 Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a web server. Big Nose Bird Survey.cgi is a free and simple 'Web Survey' program.
on the system with the privileges of the user owning the server process. An attacker can use this information to make more focused attacks. Signature ID: 342 Wwwboard.
by a colon (":") and the field value. A buffer overflow attack against the remote HTTP server is possible when a header field is given a very long argument (line) in the request. An attacker may use it to execute arbitrary code on the host. This rule is triggered when the size of a header line in the request exceeds the configured value.
expected. No other character is expected between \r and \n. This signature detects traffic that has a character, other than \n, after \r, in the URI. Such traffic is generated to evade the IDS/IPS. Signature ID: 351 Multiple requests in same packet vulnerability Threat Level: Information Signature Description: This is an anti-IPS evasion technique. HTTP 1.1 servers support persistent connections.
Signature ID: 355 HTTP Mis-Formatted URI with Many White Space as Separator Threat Level: Information Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1 defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and entity-header fields, follow the same generic format as that given in RFC 822.
Signature ID: 360 HTTP Absolute URI Present vulnerability Threat Level: Information Industry ID: CVE-2001-0647 Bugtraq: 2432 Nessus: 10636 Signature Description: According to RFC 2396, a Uniform Resource Identifier (URI) is a compact string of characters for identifying an abstract or physical resource by denoting it in either absolute or relative form.
Signature ID: 364 URI Self-Reference Directory vulnerability Threat Level: Information Nessus: 11007 Signature Description: This is an anti-IPS evasion technique. A newer trick in the 'directory games' category is the self-referencing directory. While '..' means the parent directory, '.' means the current directory. So "c:\temp\.\.\.\.\.\" is equivalent to "c:\temp\".
characters. Such complexity has also led to some IDS evasion techniques. Therefore it is of paramount importance to decode UTF-16 characters correctly. The rule triggers if it finds an encoding that does not strictly follow the standard. Such HTTP requests may be indicative of malicious activity.
FastCGI is vulnerable to cross-site scripting. This rule generates an event when an attacker sends the fcgi-bin/echo.exe pattern to the http server. Signature ID: 375 FastCGI Echo2.
Signature Description: PHP is a widely used general purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP (4.1.0, 4.1.1, 4.0.6) and earlier versions are vulnerable to a heap based buffer overflow. This vulnerability is due to insufficient sanitization of user supplied data.
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including Hypertext Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This signature detects an attempt made to exploit potential weaknesses in a host running Microsoft IIS.
Signature ID: 391 IIS Sample File ncx.exe vulnerability Threat Level: Warning Nessus: 11003 Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including Hypertext Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This signature detects an attempt made to exploit potential weaknesses in a host running Microsoft IIS.
Signature ID: 396 IIS Sample File ftp.exe vulnerability Threat Level: Warning Nessus: 11003 Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including Hypertext Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This signature detects an attempt made to exploit potential weaknesses in a host running Microsoft IIS.
vulnerability allows an attacker to access sensitive information on the vulnerable system. This signature specifically detects the "pwdump3.exe" pattern in the traffic sent to the http server.
Signature ID: 404 Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2002-0071 Bugtraq: 4474 Nessus: 10932,10943 Signature Description: HTR is a server-side scripting technology for IIS which has largely been supplanted by ASP. Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.
switch crashes and performs a software reload, and network connectivity is disrupted. By repeatedly sending such HTTP requests, a denial of service attack can be performed against the switch and the entire network connected to it. Cisco Internetwork Operating System Software IOS (tm), C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP is a vulnerable platform.
Signature ID: 418 Microsoft FrontPage/IIS shtml.dll Denial Of Service Vulnerability Threat Level: Warning Industry ID: CVE-2000-0709 Bugtraq: 1608 Nessus: 10497 Signature Description: Microsoft FrontPage Server Extensions let users manage their web site remotely. FrontPage 2000 Server Extensions is vulnerable to a remote denial of service attack. By requesting a URL using the shtml.
service attack. It suffers from a buffer overflow error in the SSL handshaking code that causes it to crash when the buffer is overrun.
very insecure style. The attacker can execute arbitrary code on the delegate server through the delegate port(s), or malicious servers which a user accesses using the delegate proxy. This code will run as the user ID of the 'delegated' process, the unchecked buffers that could be exploited to remotely compromise the server. E.g. whois://a b 1 AAAA..AAAAA.
Signature Description: OpenLink is open source and commercial middleware software. Both the Unix and Windows NT versions of OpenLink 3.2 are vulnerable to a remotely exploitable buffer overflow attack. The problem is in their web configuration utility, and is the result of an unchecked strcpy() call.
Signature Description: DCShop is a CGI-based ecommerce system from DCScripts. DCShop beta version 1.002 does not properly protect user and credit card information. This rule triggers if a request is made to access auth_user_file.txt, present in the dcshop/auth_data directory, which contains the administrator name and password in plain text format.
Signature Description: Public folders are a part of the Microsoft Exchange information store that anyone can access. The public folders are usually set up so that everyone has read access, but only one or two people have the authority to add, remove, or change folder content. Microsoft Exchange Public Folders can be set to allow anonymous connections (set by default).
Signature ID: 557 WhatsUp Gold Default Admin Account vulnerability Threat Level: Warning Industry ID: CVE-1999-0508 CVE-1999-0508 Nessus: 11004,10747 Signature Description: WhatsUp Gold is an easy-to-use tool for monitoring TCP/IP, NetBIOS, and IPX networks. WhatsUp Gold initiates both visible and audible alarms when monitored devices and system services go down.
Signature ID: 562 Red Hat Linux Apache Remote Username Enumeration Vulnerability Threat Level: Critical Industry ID: CVE-2001-1013 Bugtraq: 3335 Nessus: 10766 Signature Description: Apache is an open source Web server that is distributed free. It runs on Unix, Linux, Solaris and Windows operating systems.
representation of the front panel on the switch. It can allow users to interactively configure the switch, monitor its status, and view statistical information. An attacker can use this vulnerability to gain information.
allow a user to gain access to various files and reveal sensitive data. Upgrade to the latest version of WebLogic, available at the vendor's website. Signature ID: 575 BEA Systems WebLogic Server Directory Traversal %2f Vulnerability Threat Level: Warning Bugtraq: 2513 Nessus: 10698 Signature Description: BEA Systems WebLogic Server is an enterprise level web and wireless application server.
Signature ID: 579 Arbitrary file read attempt from NTMail web interfaceFileRead Threat Level: Information Industry ID: CVE-1999-0927 Bugtraq: 0279 Signature Description: Gordano's NTMail is a Windows NT mail server program. One of its features is allowing administrators to configure the server and users to read their email with a web browser via a built-in web server. Gordano NTMail 4.
server will no longer answer requests to port 80 resulting in a denial of service. This signature detects access to the first connected parallel port.
Systems like MSDOS, Windows 95, 98. DOS device names (DDNs) are reserved names for common input and output devices, for example, AUX (First connected serial port), LPT1 (Parallel port) etc. These DOS devices can be accessed through the web server, and if this is done, a process will be opened to handle the execution of the particular device driver.
vulnerable system. This issue is fixed in POC32 2.0 7 version. Administrators are advised to update to POC32 2.0 7 version or a later version to resolve this issue. Signature ID: 594 VisualRoute Web Server Detection Threat Level: Information Nessus: 10744 Signature Description: VisualRoute is a web based solution. VisualRoute Server provides a graphical traceroute and ping test from this server to any other network device.
default, the chipcfg.cgi script is installed. A remote attacker can send a specially-crafted URL request containing the chipcfg.cgi script to the server to gain access to sensitive network information. No remedy available as of July, 2008.
Signature ID: 603 WEB-CGI album.
Signature ID: 608 Cobalt RaQ4 Administrative Interface Command Execution Vulnerability Threat Level: Information Industry ID: CVE-2002-1361 Bugtraq: 6326 Nessus: 11190 Signature Description: The Cobalt RaQ 4 is a server appliance that provides a dedicated Web-hosting platform and offers new capabilities for high-traffic, complex Web sites and e-commerce applications.
ISAPI extension for receiving HTTP documents. The issue is triggered when the HTTP Receiver has been enabled: a remote attacker could send a biztalkhttpreceive.dll request with a long string (more than 250 characters) to the HTTP Receiver. An attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the server or crash the IIS server.
Signature ID: 617 Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2003-0349 CVE-2003-0227 Bugtraq: 8035 Nessus: 11664,11664 Signature Description: Microsoft Windows Media Services, a feature of the Microsoft Windows 2000 server, is designed to deliver media content to clients across a network via multicast media streaming.
send a specially-crafted HTTP GET request containing the name of the cookie (such as philboard_admin=True and admin=True). An attacker can use this vulnerability to gain administrative access to the forum, including the backend database. No remedy available as of September, 2008. Signature ID: 625 WEB-MISC philboard_admin.
Signature ID: 630 Alibaba CGI post32.exe arbitrary command execution Vulnerability Threat Level: Information Bugtraq: 1485 Signature Description: Alibaba is a web server that runs on Windows platforms. This rule triggers when an attacker sends a specially-crafted URL request to post32.exe with piped commands. Successful exploitation allows an attacker to execute arbitrary commands on the web server.
specially-crafted URL request for any non-default Lotus file types (like Crystal Server pages (".csp")) appended with a "dot" character. This could allow the attacker to view source code and disclose sensitive information, such as database credentials, embedded in server side scripts or include files. No remedy available as of September, 2008. Signature ID: 637 WEB-MISC iPlanet .
component in the WebSphere Edge Server. WebSphere refers to a brand of IBM software products. It is designed to set up, operate, and integrate e-business applications across multiple computing platforms using Java-based Web technologies. IBM Web Traffic Express (IBM WebSphere Caching Proxy Server versions 3.6 and 4.0) is vulnerable to a denial of service.
Signature ID: 649 TtCMS Header.PHP Remote File Include Vulnerability Threat Level: Information Industry ID: CVE-2003-0320 Bugtraq: 7625 Signature Description: TtCMS is a PHP-based content management system that fully supports MySQL. ttCMS (ttCMS version 2.3 and prior) could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the header.
encrypts passwords using crypt and stores them in the 'db_ures\admin_pass.php' file. Specifically, TextPortal uses '12345' as the default password for the 'god2' user account. If the Administrator fails to change the default password of the "god2" account, a remote attacker could send a specially-crafted URL to the admin.php script to gain unauthorized access to TextPortal. No remedy available as of September, 2008.
Signature ID: 662 Mambo uploadimage.php access vulnerability Threat Level: Information Bugtraq: 6572 Nessus: 16315 Signature Description: Mambo is a Content Management System (CMS). It is the engine behind your website that simplifies the creation, management, and sharing of content. Mambo Site Server (Mambo Site Server version 4.0.12b and prior) could allow a remote attacker to upload malicious PHP files.
Signature ID: 673 A possible attempt to crash IE 6 using code Threat Level: Information Signature Description: The rule tries to detect a possible attempt to crash IE 6. The rule is triggered when a user is accessing a web site which has already been compromised by some attacker and the resulting page contains HTML contents (pages) like - .
Signature ID: 706 Weblogic FileServlet Show Code Vulnerability Threat Level: Information Industry ID: CVE-2000-0682 Bugtraq: 1518 Nessus: 11724 Signature Description: BEA Systems WebLogic Server is an enterprise level web and wireless application server. It provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA Weblogic Server version 5.
returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Signature ID: 717 CGIScript.net csNews Header File Type Restriction Bypass Vulnerability Threat Level: Information Industry ID: CVE-2002-0923 Bugtraq: 4994 Nessus: 11726 Signature Description: CsNews is a script for managing news items on a website. It is used on most Unix, Linux and Microsoft Windows operating systems. This rule triggers when an attacker sends a specially-crafted URL request to the csNews.
commands on this host. In addition to this, there is a flaw in this CGI which may allow an attacker to use this CGI to scan remote web servers. This CGI is also vulnerable to cross-site scripting issues. Signature ID: 722 AT-admin.
the csMailto.cgi script developed by CGIScript.net. csMailto is a Perl script designed to support multiple mailto: forms and also send and receive files. The script stores all the form configuration data in hidden fields in the actual form. An attacker can use this vulnerability to execute arbitrary commands via shell metacharacters in the form-attachment field. No remedy available as of September, 2008.
Signature Description: DCForum is a complete web conferencing software for building and managing an online discussion community. DCForum, version 6.0, is vulnerable to a denial of service. DCForum could allow a remote attacker to view arbitrary files on the server with the privileges of the 'nobody' user or web server. If the attacker attempts to view the source code of the dcforum.
Signature ID: 736 NetWin WebNEWS Remote Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2002-0290 Bugtraq: 4124 Nessus: 11732 Signature Description: WebNEWS is a server side application which provides users with web based access to internet News Groups. It is compatible with any standard NNTP News server system. WebNEWS version 1.1k and prior are vulnerable to a buffer overflow.
website, the script code will be executed in the user's browser session. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. No remedy available as of September, 2008. Signature ID: 745 Webadmin.
commerce on the World Wide Web. IBM Net.Commerce, version 3.1.2, could allow an attacker to gain access to sensitive information. This issue is triggered when an attacker sends a specially-crafted HTTP request to the orderdspc.d2w macro to gain access to sensitive information in the Net.Commerce database. An attacker can use this vulnerability to gain access to administrative accounts and user password files.
Signature ID: 754 HTTP Client [shellscript_js.php Clientside] Vulnerability Threat Level: Information Signature Description: HTTP (HyperText Transfer Protocol) is a stateless and object-oriented protocol standard for distributed hypermedia systems, around which the World Wide Web is based. There is a vulnerability in Internet Explorer.
would check for various running system services to exploit or for the presence of security software, such as host IDS or monitoring scripts. The attacker could possibly gain information needed for other attacks on the system. This rule triggers when an attempt is made to send a /bin/ps pattern to the HTTP web server. Signature ID: 904 /etc/inetd.
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs will be generated for this signature when the /usr/bin/g++ pattern is sent to the HTTP server.
software development. It offers strong support for integration with other languages and tools, and comes with extensive standard libraries. This is an attempt to execute an arbitrary Python script outside its designated web root or cgi-bin, by issuing the bin/python command to the web server.
Signature ID: 921 Chsh command web execute vulnerability Threat Level: Severe Signature Description: This is an attempt to change a user's shell on a machine. Using the "chsh" command, an attacker may change the shell of a user to suit his own needs.
Signature ID: 928 Kill command web execute vulnerability Threat Level: Severe Signature Description: This is an attempt to either stop or restart system processes on a web server. By stopping a service the attacker can effectively issue a "Denial of Service" to a particular process on a machine.
the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
application that reads Tcl commands and evaluates them. The attacker could possibly execute a command or script on the host. Logs will be generated for this signature when the tclsh pattern is sent to the HTTP server.
Signature ID: 1000 Mozilla JavaScript URL Arbitrary Cookie Access Vulnerability Threat Level: Warning Bugtraq: 5293 Signature Description: Mozilla is an open source web browser available for a number of platforms, including Microsoft Windows and Linux. Mozilla browser 0.9.2 is vulnerable to a cookie access vulnerability.
S/MIME, HTML etc. This rule triggers when an attacker requests the .eml file. The EML file can contain encoded attachments (such as graphics, files, etc.) and all recovered/repaired messages are saved as .eml files. An attacker can use this vulnerability to gain unauthorized access.
Signature ID: 1010 Nimda-infected web server readme.eml file vulnerability Threat Level: Information Signature Description: Nimda is a computer worm that caused traffic slowdowns as it rippled across the Internet, spreading through four different methods, infecting computers containing Microsoft's Web server, Internet Information Server (IIS), and computer users who opened an e-mail attachment.
Signature Description: On Microsoft Windows platforms, the LoadImage API routine is used to load an image from a file. The LoadImage API is included as part of the USER32 library. Microsoft Windows NT Server 4.0 SP6 and prior versions, and Microsoft Windows XP Professional SP1 and prior versions, are vulnerable. A lack of input validation on user supplied input to the LoadImage API routine may allow an integer overflow to occur.
Signature ID: 1017 Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2004-1244 Bugtraq: 12485 Signature Description: The Portable Network Graphics (PNG) format is an established image standard and well supported in applications that view images.
operating systems. It supports a variety of playlist formats including .m3u and .pls. Apple iTunes 4.7 is vulnerable. A playlist allows a user to organize the order in which media files are played. In addition to media files, URLs to digital streams can be included in a playlist. There is a buffer overflow vulnerability in the way iTunes parses URL entries in .m3u and .pls playlist files.
when the file is processed by Winamp. By convincing a user to open a specially crafted playlist file, a remote unauthenticated attacker may be able to execute arbitrary code. This can be achieved by creating a specially crafted web page or other HTML document that may launch Winamp without any user interaction. Users are advised to install a newer version of Winamp. Versions 5.0.1 to 5.0.6 and prior versions are vulnerable.
application running in the webserver by detecting /AT-generated.cgi content in the URI. Excite for Web Servers (EWS) 1.1 is prone to this vulnerability. Signature ID: 1031 AlienForm2 CGI directory traversal vulnerability Threat Level: Warning Industry ID: CVE-2002-0934 Bugtraq: 4983 Nessus: 11027 Signature Description: AlienForm2, developed by Jon Hedley, is a Web form to email gateway written in Perl.
Signature ID: 1035 CCBill WhereAmI.CGI Remote Arbitrary Command Execution Vulnerability Threat Level: Information Bugtraq: 8095 Signature Description: CCBill uses a CGI called whereami.cgi for its technical support needs. A vulnerability in the CGI allows remote attackers to execute commands. Whereami.cgi does not properly validate the types of input parameters.
Signature ID: 1040 IWeb Hyperseek 2000 Directory Traversal Vulnerability Threat Level: Warning Industry ID: CVE-2001-0253 Bugtraq: 2314 Signature Description: IWeb Hyperseek Jackhammer is a Search Engine System. This Search Engine is a powerful Perl-based script which helps to create and manage an online pay-per-click search engine on a website with complete support.
Signature Description: Alt-N Technologies provides affordable Windows-based software, including an email server, email antivirus and antispam protection, Outlook integration, and network fax management software. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration. MDaemon/WorldClient Alt-N MDaemon 6.8.
Signature ID: 1050 Talentsoft Web+ Example Script File Disclosure Vulnerability Threat Level: Information Bugtraq: 1725 Signature Description: Web+ is a development language for use in creating web-based client/server applications. In Linux versions of the product, an example script installed in Web+ (Web+Ping) fails to correctly filter shell metacharacters.
Signature ID: 1054 Drummon Miles A1Stats Directory Traversal Vulnerability Threat Level: Severe Industry ID: CVE-2001-0561 CVE-2001-0562 Bugtraq: 2705 Nessus: 10669 Signature Description: A1Stats is a CGI product by Drummond Miles used to report on a website's visitor traffic.
Drummond Miles A1Stats 1.
restricted resources. The problem occurs in the method in which the script checks input. A remote attacker can use the FORM method and send a request with the file parameter to execute arbitrary commands on the system with privileges of the Web server. No remedy available as of August 2008.
Signature ID: 1063 Anyform CGI Semicolon Vulnerability Threat Level: Warning Industry ID: CVE-1999-0066 Bugtraq: 719 Signature Description: Any Form is a popular Perl CGI script that supports simple forms that deliver responses via email. That is, it collects data from a WWW form and sends it to a specified e-mail address.
It can either use a sendmail type program or directly contact a SMTP host via sockets to send messages.
Signature ID: 1069 Big Brother file browsing Vulnerability Threat Level: Warning Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025 Signature Description: Big Brother is a loosely-coupled distributed set of tools for monitoring and displaying the current status of an entire network and notifying the admin should need be. Sean MacGuire Big Brother 1.0 9c and Sean MacGuire Big Brother 1.0 9b are vulnerable versions.
Signature Description: Big Brother is a loosely-coupled distributed set of tools for monitoring and displaying the current status of an entire network and notifying the admin should need be. Sean MacGuire Big Brother 1.0 9c and Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-rep.
Signature ID: 1080 Matt Kruse Calendar Arbitrary Command Execution Vulnerability Threat Level: Warning Industry ID: CVE-2000-0432 Bugtraq: 1215 Signature Description: Matt Kruse's Calendar script is a popular, free Perl CGI script used by many websites on the Internet. It allows a website administrator to easily set up and customize a calendar on their website. Matt Kruse Calendar Script 2.
Signature ID: 1085 Bonsai CGI request reveals path information vulnerability Threat Level: Warning Industry ID: CVE-2003-0153 CVE-2002-0749 Bugtraq: 4579,5517 Nessus: 11748 Signature Description: Bonsai is a tree control tool that performs queries on the contents of a CVS archive; we can get a list of checkins, what checkins have been made by a given person, or on a given CVS branch, or in a particular time period.
Signature ID: 1089 IBM Net.Data db2www.cgi Buffer overflow vulnerability Threat Level: Warning Industry ID: CVE-2000-0677 Signature Description: IBM Net.Data is a scripting language used to create web applications; it supports a wide range of language environments and is compatible with most recognized databases. Net.Data contains a vulnerability which reveals server information. IBM, Net.Data 6.
Signature Description: IBM Net.Data is a scripting language used to create web applications; it supports a wide range of language environments and is compatible with most recognized databases. Net.Data contains a vulnerability which reveals server information. Requesting a specially crafted URL, by way of the CGI application, comprised of an invalid request and known database, will reveal the physical path of server files.
would result in execution of the script code in the security context of the EmuMail site. Update to the latest version, which may be available at the vendor website. Signature ID: 1098 Sambar Server environ.pl Cross-site Scripting Vulnerability Threat Level: Information Bugtraq: 7209 Signature Description: Sambar server is a multi-threaded, extensible application server. Sambar Server, version 5.
craft an HTTP request that causes a buffer overflow condition on the web server, and can overwrite system memory with data included in the URL. The remote attacker will send large amounts of data. Normally, in some CGI programs, user supplied data is written to a statically sized array; if the received data is more than the declared array size, a buffer overflow will occur and overwrite adjacent areas of stack memory.
Signature ID: 1107 Flexform access Vulnerability Threat Level: Information Signature Description: Flexform Software is available on OpenVMS computers. It is middleware used to produce documents directly from your OpenVMS applications (OpenVMS (Virtual Memory System) is a multi-user, multiprocessing virtual memory based operating system designed for use in time sharing, batch processing, real time and transaction processing).
document purchase and view process. A malicious user could alter the content of getdoc.cgi links in order to bypass the payment page, thereby freely viewing documents that they would normally pay money to access. Signature ID: 1112 NetBSD global global.
documents, etc. We have full control over pricing, shipping, taxation, transaction options, the look and feel of the store. BizDesign ImageFolio version 3.01 is vulnerable: this version does not properly validate the user input values to imageFolio.cgi scripts, so it is possible to inject script (XSS).
Signature ID: 1124 WEB-CGI maillist.pl access Vulnerability Threat Level: Information Signature Description: Maillist allows people to send e-mail to one address, whereupon their message is copied and sent to all of the other subscribers to the maillist. This rule triggers when an attacker accesses the maillist.pl script.
containing "dot dot" sequences (/../) in the argument to the 'cfg=' parameter to traverse directories and view arbitrary files on the Web server. After receiving the request, this script does not properly validate the user-given inputs, so there is a chance to read portions of arbitrary files. Signature ID: 1130 WEB-CGI newdesk access Vulnerability Threat Level: Information Signature Description: NEWDESK.
Signature ID: 1135 Ipswitch IMail Server Mailbox Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-2001-1283 Bugtraq: 3427 Signature Description: Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP. Ipswitch IMail 7.0.4 is vulnerable to a denial of service.
communications and information sites that are under one umbrella organization for format. Like going into a nationwide grocery store, you know where items will be from store to store. WebCom datakommunikation Guestbook 0.1 is the vulnerable version. A malicious user (remote attacker) could send a specially crafted request to rquest.exe, by specifying the path and filename as the parameter "template".
an attacker accesses the rwwwshell.pl CGI script. Successful exploitation can allow an attacker to obtain a shell on the web server.
Signature ID: 1150 WEB-CGI shopping cart directory traversal vulnerability Threat Level: Information Industry ID: CVE-2000-0921 Bugtraq: 1777 Signature Description: Directory traversal vulnerability in Hassan Consulting shop.cgi shopping cart program allows remote attackers to read arbitrary files via a directory traversal attack such as ../ (dot dot slash) with the page parameter. Hassan Consulting Shopping Cart 1.
Signature ID: 1156 Interactive Story Directory Traversal Vulnerability Threat Level: Warning Industry ID: CVE-2001-0804 Bugtraq: 3028 Nessus: 10817 Signature Description: Valerie Mates Interactive Story 1.3 is the vulnerable version. A remote attacker can set the 'next' field to a file name and use "dot dot" sequences (/../) to traverse directories and read any file on the system.
Signature ID: 1160 WEB-CGI technote print.cgi directory traversal attempt vulnerability Threat Level: Warning Industry ID: CVE-2001-0075 Bugtraq: 2156 Signature Description: Technote software for Technics, Roland, Yamaha, Casio and Hammond software, MIDI files, accessories, music, free downloads, forums and more. Technote Technote 2001/2000 versions are vulnerable; in these versions the 'print.
and its subdirectories to change other users' passwords or assign elevated security privileges. An attacker can perform operations on user_update_admin.pl. Signature ID: 1165 Blackboard CourseInfo 4.0 Database Modification Vulnerability Threat Level: Warning Industry ID: CVE-2000-0627 Bugtraq: 1486 Signature Description: Blackboard is a Web-based integrated teaching and learning environment.
Signature ID: 1170 WEB-CGI webdist.cgi access vulnerability Threat Level: Warning Industry ID: CVE-1999-0039 Bugtraq: 374 Nessus: 10299 Signature Description: IRIX is a computer operating system developed by SGI to run natively on their 32-bit and 64-bit MIPS architecture workstations and servers. The InfoSearch package converts man pages and other documentation into HTML web content; the search form uses infosrch.cgi.
Signature Description: Webstore is a shopping cart application which processes and manages online purchases. It is a website that sells products or services and typically has an online shopping cart associated with it.
HTTP GET requests to the web interface by authenticated users. If a remote attacker sends a request that contains an MS-DOS device name, as demonstrated using "prn.htm", the attacker could cause the program to crash. Signature ID: 1179 NetScreen SA 5000 delhomepage.
added to the system (doesn't log POST data). In addition, the requests in the web log file all have HTTP response code 200, which usually doesn't indicate problems in error_log. Signature ID: 1186 Mailman directory traversal attempt vulnerability Threat Level: Warning Industry ID: CVE-2005-0202 Signature Description: Mailman is free software for managing electronic mail discussion and e-newsletter lists.
Signature ID: 1195 Nsconfig access Vulnerability Threat Level: Information Signature Description: The .nsconfig file is used by the Netscape Web server for configuration directives. It is a simple text file that records exactly which folders are password protected. Without this file, directories cannot be password protected. This rule triggers when an attacker probes for the .nsconfig file.
Signature ID: 1201 ECWare CGI Denial Of Service Vulnerability Threat Level: Information Bugtraq: 6066 Signature Description: ECware is Electronic Commerce Software for Windows NT that provides merchants with the ability to sell physical and digital products over the Internet with real-time credit card authorizations. ECware versions 4.0.0 and 5.0.0 are vulnerable to denial of service. The issue is triggered in the ECware.
Signature ID: 1206 Admin_files directory access Vulnerability Threat Level: Information Signature Description: Shopping cart programs can use the admin_files directory for storing configuration files. This rule detects an attacker attempting to access the admin_files directory. Successful exploitation can allow an attacker to gain unauthorized information and scan the web server for installed applications.
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator through BigBrother /bb-hostsvc.sh access. Sean MacGuire Big Brother 1.4 H, Sean MacGuire Big Brother 1.4 g, Sean MacGuire Big Brother 1.4, Sean MacGuire Big Brother 1.3, Sean MacGuire Big Brother 1.2, Sean MacGuire Big Brother 1.1, Sean MacGuire Big Brother 1.
possible to deny service to users of this line of phones. By placing a request to the /StreamingStatistics script with a stream ID of arbitrarily high value, the phone will reset itself, creating the inability to place or receive calls for a period of up to thirty seconds.
This has been reportedly reproduced by passing stream ID values of greater than 32768, and consistently reproduced with a value of 120000.
overflow, however it has not been confirmed whether this issue is exploitable to corrupt memory. The problem may in fact be the result of a NULL pointer dereference. Signature ID: 1220 Trend Micro InterScan ContentFilter.
Signature ID: 1225 Mountain-net WebCart Exposed Orders Vulnerability (2) Threat Level: Warning Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298 Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Certain poorly configured default installations leave customer order information in remotely accessible text files, including credit card details and other sensitive information.
Signature ID: 1229 ICQ webserver Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-1999-0474 Signature Description: A web server is a computer with a boot device or other disk containing a web site. A remote attacker could send a request using a "dot dot" (../) sequence to access arbitrary files outside of the user's personal directory.
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator through L3retriever HTTP Probe. Signature ID: 1234 Linksys router default username and password login attempt Vulnerability Threat Level: Warning Nessus: 10999 Signature Description: The general design of LinkSys routers is similar across all models.
Signature ID: 1239 McAfee ePO file upload attempt Vulnerability Threat Level: Information Industry ID: CVE-2004-0038 Bugtraq: 10200 Signature Description: McAfee's ePolicy Orchestrator server is responsible for distributing packages and code to ePolicy agents. McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 are vulnerable to remote code execution.
administrative privileges to the NETObserve application which can be used to manage other remote client machines. ExploreAnywhere Software NETObserve 2.0 is prone to this vulnerability.
Signature ID: 1248 Oracle iSQLPlus login.uix username overflow Vulnerability Threat Level: Warning Industry ID: CVE-2004-1362 Bugtraq: 10871 Signature Description: A database server is a computer program that provides database services to other computer programs or computers, as defined by the client-server model. Database management systems frequently provide database server functionality.
traversal style attacks (../../) supplied via the URI. This issue is fixed in Cisco PIX Firewall (4.2.2, 4.1.6 b). Administrators are advised to update to the latest version to resolve this issue. Signature ID: 1252 PeopleSoft PeopleBooks psdoccgi.
Signature ID: 1256 Martin Hamilton ROADS File Disclosure Vulnerability Threat Level: Warning Industry ID: CVE-2001-0215 Bugtraq: 2371 Nessus: 10627 Signature Description: The search.pl program is a Common Gateway Interface (CGI) program used to provide an end user search front end to ROADS databases. When accessed with no CGI query, the program can return an HTML form for the user to fill in to make a query.
Signature ID: 1260 SiteWare Editor Desktop Directory Traversal Vulnerability Threat Level: Warning Industry ID: CVE-2001-0555 Bugtraq: 2868,2869 Signature Description: SiteWare Editor's Desktop is a web-based administration tool for manipulating ScreamingMedia content on a SiteWare web server. Screaming Media SiteWare 3.1, Screaming Media SiteWare 3.0 2, Screaming Media SiteWare 3.0 1, Screaming Media SiteWare 3.
Signature ID: 1264 Niti Telecom Caravan Business Server Remote Directory Traversal Vulnerability Threat Level: Warning Industry ID: CVE-2004-2170 Bugtraq: 9555 Signature Description: Caravan Business Server is used to develop web applications. Niti Telecom Caravan Business Server 2.00-03D is vulnerable to a directory traversal attack.
contain a buffer overflow vulnerability. A malicious user can send overly long arguments to the SpamExcp.dll script, which could allow the attacker to execute arbitrary code within the Local System context. The attacker can then reconfigure its settings. Patches are available at the vendor website.
Signature ID: 1273 Apache Tomcat Servlet Path Disclosure Vulnerability Threat Level: Warning Industry ID: CVE-2002-2006 Bugtraq: 4575 Nessus: 11046 Signature Description: Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. Apache Software Foundation Tomcat 4.
Signature ID: 1277 Eagletron TrackerCam 'User-Agent' Field Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-0478 Bugtraq: 12592 Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam but this software can be used with any webcam. TrackerCam version 5.
Signature ID: 1282 Trend InterScan VirusWall Remote Reconfiguration Vulnerability Threat Level: Warning Industry ID: CVE-2001-0432 CVE-2001-0791 Bugtraq: 2808,2579 Nessus: 10733 Signature Description: Trend Micro's InterScan VirusWall blocks viruses, malicious applets and ActiveX objects at the Internet gateway, and provides real-time scanning for all inbound and outbound SMTP, HTTP and FTP file transfers.
Signature Description: Native Solutions, The Banner Engine (tbe) 4.0 and prior are vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using the 'adminlogin', 'adminpass' or 'text' parameter to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials.
Signature ID: 1291 Answerbook2 arbitrary command execution Threat Level: Information Industry ID: CVE-2000-0697 Bugtraq: 1556 Signature Description: Sun Microsystems Solaris AnswerBook2 versions 1.4.2 and prior contain a flaw that may allow a malicious user to create an arbitrary account. This vulnerability is due to insufficient input validation for CGI scripts in the administration interface of Answerbook2.
Signature ID: 1298 PCCS Mysql Database Admin Tool Username/Password Exposure Vulnerability Threat Level: Warning Industry ID: CVE-2000-0707 Bugtraq: 1557 Signature Description: The PCCS-Linux MySQL Database Admin Tool is a Web-based front-end to the MySQL database server written in PHP. PCCS-Linux MySQLDatabase Admin Tool 1.2.4 and PCCS-Linux MySQLDatabase Admin Tool 1.2.3 are vulnerable, allowing an attacker to gain access.
Signature Description: PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 versions are prone to a vulnerability that allows attackers to overwrite the GLOBAL variable via HTTP POST requests. This vulnerability is caused by a weakness in the file upload code that allows modifying (i.e.
Signature Description: The Helix Player is the Helix Community's open source media player for consumers. The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several non-open source components including RealAudio/RealVideo, MP3, etc. Real HelixPlayer and RealPlayer 10 contain a format string vulnerability.
Signature ID: 1310 Mozilla Firefox iframe.contentWindow.focus Deleted Object Reference Vulnerability Threat Level: Severe Industry ID: CVE-2006-1993 Bugtraq: 17671 Signature Description: Mozilla Firefox is a free, open source, cross-platform graphical web browser. Firefox provides a facility to load the web pages in sidebar web panel. Mozilla Firefox version 1.5.0.
Signature ID: 1315 ICat Carbo Server File Disclosure Vulnerability Threat Level: Warning Industry ID: CVE-1999-1069 Bugtraq: 2126 Signature Description: ICat Electronic Commerce Suite is an application which enables a user to create and manage web based catalogues. carbo.dll in iCat Electronic Commerce Suite 3.0 allows remote attackers to read arbitrary files via directory traversal using relative path.
would typically be involved, it was thought, in facilitating the management of Web-facing content. It is designed to run on Microsoft Windows NT Server platforms. Microsoft Site Server (Commerce Edition) versions 3.0 SP4 i386, 3.0 SP4 alpha, 3.0 SP3 i386, 3.0 SP3 alpha, 3.0 SP2 i386, 3.0 SP2 alpha, 3.0 SP1 i386, 3.0 SP1 alpha, 3.0 i386, 3.0 alpha, 3.0 SP4 i386, 3.0 SP4 alpha, 3.0 SP3 i386, 3.0 SP3 alpha, 3.0 SP2 i386, 3.0 SP2 alpha, 3.
Signature ID: 1325 EditTag edittag.pl File Disclosure Vulnerability Threat Level: Warning Bugtraq: 6675 Signature Description: EditTag is a script which facilitates website content management. EditTag allows users to edit pages using a web interface, but restricts editing to specific tagged areas of the document.
MySQL database on backend for all data handling. PHP-Survey, 20000615 and prior, could allow a remote attacker to gain sensitive information. This issue is triggered when an attacker submits an HTTP request for the global.inc file (Global.inc holds the database information, and it contains user names and passwords).
Signature ID: 1335 Htgrep access attempt vulnerability Threat Level: Warning Industry ID: CVE-2000-0832 Signature Description: Htgrep is a cgi-bin script written in Perl, and can be used with any HTTP server that supports cgi-bin scripts. Linux Kernel, Microsoft Windows NT 4.0 and Unix systems from various vendors are affected; the vulnerability in the Htgrep CGI allows an attacker to obtain sensitive information.
is made to login to see the files and folders in the repository. Owl Intranet Engine version 0.71 is vulnerable to login bypass due to an error in the validation of user credentials supplied to the PHP script 'browse.php'. This can be exploited by a malicious person to bypass user authentication by requesting the affected PHP script and supplying an invalid username.
Signature ID: 1344 EZMall2000 Credit Card Exposure Vulnerability Threat Level: Warning Industry ID: CVE-1999-0606 Bugtraq: 2266 Signature Description: EZMall 2000 is an e-commerce application designed to handle the online purchases of products by customers. However, when the package is improperly configured, search engines may index the data of customers, including sensitive information such as credit card numbers.
Signature ID: 1349 Nessus 2.x 404 probe Vulnerability Threat Level: Information Nessus: 10386 Signature Description: Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator.
the user inputs through the URI, so a malicious user (remote attacker) could exploit this vulnerability by sending arbitrary Perl code to the Web server using an HTTP POST request. Patches are available at the Novell website.
obtain a listing of the packages, and versions of packages, installed on this system. Remote attackers may use this information to identify what vulnerable software packages have been installed. Signature ID: 1360 Solaris sadmind Buffer Overflow Vulnerability Threat Level: Information Signature Description: Sadmind is designed to provide remote system administration operations and it is installed by default.
content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan eManager 3.51 and Trend Micro InterScan eManager 3.51J versions are vulnerable; it is a stack-based vulnerability. Several CGI components of eManager contain a buffer overflow vulnerability which could allow an attacker to execute arbitrary code within the Local System context.
Signature Description: Unify's eWave ServletExec is a JSP and Java Servlet engine which is used as a plug-in to popular web servers like Apache, IIS and Netscape. It is possible to send a URL request which causes the ServletExec servlet engine to terminate abruptly. Unify eWave ServletExec version 3.
indexed by numerous search engines.
By default there are some files or directories which are world readable. This misconfiguration may allow an attacker to gather the credit card numbers of clients.
(/../) sequences in the URL, a remote attacker can traverse directories on the Web server to view any file that is accessible to the web_store.cgi script.
LE versions, allowing passwords to be saved as part of a saved site configuration. An attacker who can access the ws_ftp.ini file from outside the network may cause disclosure of sensitive information.
The passwords are stored in the .ini files located in the WS_FTP folder; these passwords are encrypted, but the encryption method is weak and can be broken.
Signature ID: 1393 Sql Injection attempt with xp_regdeletekey vulnerability Threat Level: Warning Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The access rights with which these commands will be executed are those of the account with which SQL Server is running, usually Local System.
execute arbitrary code on the system and take complete control over the victim's system. This signature detects access to MSWC.MyInfo.1 COM object of MyInfo ASP Component - 'MyInfo.dll'. Signature ID: 1398 Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability Threat Level: Warning Industry ID: CVE-2005-2831 Bugtraq: 15827 Signature Description: Microsoft Internet Explorer 5.01, 5.
Signature ID: 1402 Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability Threat Level: Warning Industry ID: CVE-2006-5162 Bugtraq: 19092 Signature Description: Internet Explorer is a graphical web browser developed by Microsoft. Microsoft Internet Explorer version 6.x is vulnerable to a denial of service via a stack-based buffer overflow in wininet.dll.
Signature ID: 1406 Microsoft Internet Explorer IFRAME Status Bar URI Spoofing Vulnerability Threat Level: Warning Industry ID: CVE-2005-4679 CVE-2004-1121 CVE-2005-3699 CVE-2005-4678 Bugtraq: 11590 Signature Description: Internet Explorer 6 for Windows XP Service Pack 2 is vulnerable to URI spoofing. Microsoft Internet Explorer cannot handle embedded frames with links surrounded by another link.
Signature ID: 1412 Mozilla Firefox Deleted Object Reference Vulnerability Threat Level: Warning Industry ID: CVE-2006-1993 Bugtraq: 17671 Signature Description: Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation.
code to read and browse files on a local machine. By doing so, a remote attacker could overflow a buffer and execute arbitrary code on the system, once the file is opened.
Signature ID: 1422 HTML Winhlp32.exe Remote Buffer Overflow Vulnerability Threat Level: Critical Industry ID: CVE-2002-0823 Bugtraq: 4857 Signature Description: HTML Help makes use of the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control is used to provide navigation features (such as a table of contents), to display secondary windows and pop-up definitions, and to provide other features.
exploit this vulnerability by creating a malicious Web page or an HTML e-mail message and then persuading the user to visit the page or to view the HTML e-mail message.
interface Webtool which acts as an HTTP server is provided with MaxDB. A remote buffer overflow vulnerability exists in the way the Webtool component handles the Lock-token string for the UNLOCK method in an HTTP request. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.
Successful exploitation of this vulnerability can lead to the Java "sandbox" being disabled. Sun JRE (Solaris Production Release) 1.3.1 and prior versions are vulnerable. Signature ID: 1434 MySQL MaxDB Webtool HTTP POST request Stack Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2005-0684 Bugtraq: 13368,13369 Signature Description: MySQL MaxDB is a heavy-duty, SAP-certified open source database.
Signature Description: Microsoft DHTML events are special actions that are provided by the DHTML Object Model. Drag-and-Drop technology incorrectly validates some dynamic HTML (DHTML) events. DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone.
in the Firefox sidebar. A vulnerability exists in Mozilla Firefox versions prior to 1.0.3 caused by improper validation of user-supplied information in the processing within the Sidebar _search target. By convincing a user to open a privileged page (like 'about:config' or 'about:plugins'), an attacker can then use a 'javascript:' or 'data:' URL to access the privileged data or install arbitrary code on the victim's computer.
code, Mozilla browsers do not update window.location property correctly. An attacker can create a javascript: URI containing eval(), cause the user to visit a web site in a different domain, and then programmatically cause the web browser to return to the previous javascript: page to trigger the cross-domain violation. The violation will also occur if the user manually clicks the "Back" button to return to the javascript: page.
Signature ID: 1448 Microsoft Internet Explorer JPEG Image Rendering Library Memory Corruption Vulnerability Threat Level: Warning Industry ID: CVE-2005-1988 CVE-2005-2308 Bugtraq: 14282,14284,14285,14286 Signature Description: The Image rendering library that is used to display JPEG files in Internet Explorer doesn't properly handle crafted JPEG images. The vulnerability specifically exists in mshtml.
AVI files contain multiple streams of different types of data. The stream name chunk (strn) contains a name for the stream. Windows Media Player uses QUARTZ.DLL (DirectShow runtime library) to decode and play AVI movie files.
handles the creation of console windows and the properties associated with the windows such as size, font, color, etc. Console windows properties can be set by selecting Properties on window system menu, setting the values you want and then saving the changes.
Signature ID: 1458 Microsoft Internet Explorer CHM File Execution via URL specified for ShowHelp Method Vulnerability Threat Level: Warning Industry ID: CVE-2003-1014 CVE-2004-0475 CVE-2004-0201 CVE-2003-1041 Bugtraq: 9320,10348,10705 Signature Description: Microsoft Internet Explorer is vulnerable to a file execution vulnerability that may permit unauthorized execution of locally stored compiled help files (.CHM).
attempting to calculate the buffer space allowed for copying the base url. This also leads to a heap based overflow when the string provided as first parameter is concatenated onto the end of the BaseUrl. Successful exploitation could execute arbitrary code with the privileges of the user logged on to the target machine.
Signature Description: A vulnerability in the default installation of Apache HTTP Server versions 2.0 through 2.0.39 could allow a remote attacker to traverse directories on the Web server and view and execute files.
Signature ID: 1507 Microsoft Internet Explorer Object Type Validation Vulnerability Threat Level: Warning Industry ID: CVE-2003-0532 Bugtraq: 8456 Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It was developed by Microsoft. Microsoft Internet Explorer (IE) will execute an HTML Application referenced by the DATA attribute of an OBJECT element.
Signature ID: 1513 Internet explorer WebViewFolderIcon ActiveX Code Execution Vulnerability(1) Threat Level: Warning Industry ID: CVE-2006-3730 Bugtraq: 19030 Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It is developed by Microsoft. Microsoft Internet Explorer (version 6 on Windows XP SP2) has an integer underflow vulnerability.
Signature ID: 1526 Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2006-5745 Bugtraq: 20915 Signature Description: Microsoft XML Core Services (MSXML) allow developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications.
Signature ID: 1530 WinZip FileView ActiveX Control Unsafe filepattern() Method Exposure Vulnerability(3) Threat Level: Warning Industry ID: CVE-2006-5198 Bugtraq: 21060 Signature Description: Winzip is a proprietary file archiver and compressor for Microsoft Windows, developed by WinZip Computing (Nico Mak Computing). Winzip's FileView ActiveX control version 10.
Kazaa and Grokster. Altnet Download Manager 4.0.0.2 and prior and Altnet Download Manager 4.0.0.4 are vulnerable. No remedy available as of July 6, 2008. Signature ID: 1535 Altnet Download Manager Buffer Overflow Vulnerability(2) Threat Level: Severe Industry ID: CVE-2004-2433 Bugtraq: 11101 Signature Description: This vulnerability is caused by a boundary error within the IsValidFile() method in the ADM ActiveX control.
Signature ID: 1539 Microsoft Internet Explorer ADODB.Connection Execute() Memory Corruption Vulnerability(3) Threat Level: Warning Industry ID: CVE-2006-5559 Bugtraq: 20704 Signature Description: Microsoft ActiveX Data Objects (ADO) are objects that expose data raised by an underlying OLE DB provider. The ADODB.Connection ActiveX control (ADODB.Connection.2.7 and ADODB.Connection.2.
Signature ID: 1543 Microsoft Internet Explorer DXImageTransform.Microsoft.Light ActiveX Arbitrary Code Execution Vulnerability(1) Threat Level: Warning Industry ID: CVE-2006-2383 Bugtraq: 18303 Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most advanced, stable, and visually impressive graphics experience on Microsoft platforms.
Signature ID: 1547 Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX Arbitrary Code Execution Vulnerability Threat Level: Warning Industry ID: CVE-2006-1303 Bugtraq: 18328 Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most advanced, stable, and visually impressive graphics experience on Microsoft platforms.
Signature ID: 1551 Microsoft Internet Explorer DirectAnimation.DATuple ActiveX Arbitrary Code Execution Vulnerability(1) Threat Level: Severe Industry ID: CVE-2006-3638 Bugtraq: 19340 Signature Description: Microsoft Internet Explorer (IE) allows instantiation of COM objects not designed for use in the browser. Microsoft IE does not properly handle uninitialized COM objects.
the Internet Explorer browser, a remote attacker could overflow a buffer and execute arbitrary code on the system with permissions of the victim user. An attacker could exploit this vulnerability by hosting the file on a web site or sending it to a victim as an email attachment. Users can set the kill bit for the CLSID corresponding to the ProgID PeerDraw.PeerDraw.1 to resolve this issue.
TRACK. The HTTP TRACK method asks a web server to echo the contents of the request back to the client for debugging purposes. By sending a specially-crafted HTTP TRACK request, a remote attacker may abuse HTTP TRACK functionality to gain access to information in HTTP headers such as cookies and authentication data. Upgrade to the latest version, available at the vendor's website.
.HTR, .STM, and .IDC files are processed. IIS version 4.0 can perform various server-side processing with specific file types. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. By sending a malformed request, an attacker can overflow a buffer and cause the service to crash or execute arbitrary code. Install the update issued in Microsoft Security Bulletin MS99-019.
Signature ID: 1711 WEB-IIS /StoreCSVS/InstantOrder.asmx request Vulnerability Threat Level: Information Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including a Hypertext Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. InstantOrder.asmx provides automated ordering services.
Signature ID: 1719 Microsoft Data Access Components RDS Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2002-1142 Bugtraq: 6214 Signature Description: Microsoft Data Access Components (MDAC) is a collection of utilities and routines to process requests between databases and network applications. A buffer overflow vulnerability exists in the Remote Data Services (RDS) component of MDAC 2.1 through 2.6.
sites. There exists a vulnerability in NewsPro 1.01 that allows a remote attacker to gain unauthorized access to the application. This vulnerability allows the attacker to set their authentication cookie to "logged,true" to gain unauthorized administrator access to NewsPro. No remedy available as of 2008.
Signature ID: 1728 SmarterTools SmarterMail login.aspx Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2004-2587 Signature Description: SmarterTools SmarterMail is a mail server application for Microsoft Windows. SmarterMail 1.6.1511 and 1.6.1529 use the file "login.aspx" to authenticate a valid user. The file 'login.aspx' uses the POST method and takes a txtusername parameter, which is prone to buffer overflow.
Signature ID: 1733 Microsoft Windows ntdll.dll Buffer Overflow with IIS WebDAV request vulnerability Threat Level: Information Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412 Signature Description: Microsoft Windows contains ntdll.dll which is a core operating system component used to interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.
anot*.htr file. Microsoft Internet Information Services (IIS) Version 4 supplies a feature to allow users to make remote password changes. The iisadmpwd directory has several .HTR files (achg.htr, aexp*.htr, and anot*.htr) that are used to implement the password changes.
accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal. This may permit the attacker to execute arbitrary commands on the vulnerable server.
Signature ID: 1744 Microsoft IIS .
Signature ID: 1750 WEB-IIS exec-src access Vulnerability Threat Level: Information Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including a Hypertext Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule tries to detect when .exe is found in content while accessing a web server run by IIS.
Signature ID: 1755 Microsoft IIS 4.0 Buffer Overflow while processing .HTR, .STM and .IDC files Vulnerability Threat Level: Information Industry ID: CVE-1999-0874 Bugtraq: 307 Signature Description: Microsoft Internet Information Server (IIS) version 4.0 is vulnerable to a denial of service attack caused by a buffer overflow involving the way that .HTR, .STM, and .IDC files are processed. IIS version 4.
services. It includes a component named RDS (Remote Data Services) which allows remote access via the internet to database objects through IIS. Microsoft Data Access Components (MDAC) versions 2.1 and earlier, in the default configuration, could allow a remote attacker to access OLE database sources.
Signature ID: 1768 WEB-IIS query.asp access Vulnerability Threat Level: Information Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10002 Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server. It was developed by Microsoft. Microsoft IIS (Microsoft IIS version 4.
Signature ID: 1774 Microsoft Index Server 'srchadm' file access Vulnerability Threat Level: Information Nessus: 11032 Signature Description: The Microsoft Indexing Server comes as part of Windows 2000, Windows XP and Windows 2003 and does not require any additional licensing. Indexing Server provides search capabilities.
software. RSA Authentication Agent for Web for IIS contains a heap overflow vulnerability. When a Web client sends a Hyper Text Transfer Protocol (HTTP) request to an IIS Web server, IIS parses the Uniform Resource Locator (URL), and passes it to SecurID. SecurID then authenticates the remote user. If the user passes authentication, SecurID grants permission to access the server.
Signature Description: ColdFusion is a programming language based on standard HTML (Hyper Text Markup Language) that is used for creating and serving web-based applications that interact with back-end databases. Web pages that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written in Cold Fusion Markup Language (CFML). ColdFusion (ColdFusion versions 3.x and 4.
based, server scripting language that is ideal for programming web applications. The ColdFusion Markup Language (CFML) cleanly integrates with HTML (Hyper Text Markup Language) for user interface and XML for data exchange. ColdFusion (ColdFusion version 4.0, and 4.0.1) uses a CFCACHE tag. When the CFCACHE tag is used in a CFM page, it creates temporary files and also creates a cfcache.map file (which contains pointers to the .
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written in Cold Fusion Markup Language (CFML). ColdFusion (ColdFusion versions 3.x and 4.x) servers include undocumented CFML (ColdFusion Markup Language) tags and functions that are used in the ColdFusion Administrator.
ColdFusion (4.5, 4.0.1, 4.0) is vulnerable to path disclosure. Undocumented CFML tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry and advanced security settings. This rule triggers when an attempt is made to send the cfdocs/exampleapp/email/application.cfm pattern. This issue is fixed in Allaire ColdFusion Server 4.5.1.
undocumented CFUSION_GETODBCINI() function, could be used by an attacker to get ODBC data source information from the registry.
Signature ID: 1820 WEB-COLDFUSION gettempdirectory.
Signature ID: 1824 WEB-COLDFUSION sendmail.cfm access Vulnerability Threat Level: Information Industry ID: CVE-2001-0535 CVE-1999-0760 Bugtraq: 550 Signature Description: ColdFusion is an application server and software development framework used for the development of computer software in general, and dynamic web sites. ColdFusion is a similar product to Microsoft ASP.NET, JavaServer Pages or PHP.
Signature ID: 1828 WEB-JBrowser PHP /_admin access vulnerability Threat Level: Information Industry ID: CVE-2007-1156 Bugtraq: 9537 Nessus: 12032 Signature Description: JBrowser is a French program that allows a user to create miniature gallery images for Microsoft Windows operating systems. JBrowser versions 2.4 and earlier are vulnerable to unauthorized access.
'pollvars[lang]' variables, which would allow a remote attacker to read arbitrary files or inject arbitrary local PHP files. No remedy available as of August, 2008.
Signature ID: 1833 WEB-PHP Advanced Poll admin_license.php access Vulnerability Threat Level: Information Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487 Signature Description: Advanced Poll is a freely available, open source PHP web application.
malicious PHP files. By sending a specially-crafted URL request to the admin_settings.php script using the 'base_path' or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or inject arbitrary local PHP files. No remedy available as of August, 2008.
Signature ID: 1838 WEB-PHP Advanced Poll admin_stats.
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include malicious PHP files. By sending a specially-crafted URL request to the admin_tpl_new.php script using the 'base_path' or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or inject arbitrary local PHP files. No remedy available as of August, 2008.
Signature ID: 1850 WEB-PHP DCP-Portal remote file include editor script vulnerability Threat Level: Warning Industry ID: CVE-2006-4837 Bugtraq: 6525,20024 Signature Description: DCP-Portal is a content management system that enables various web based updates. It enables an administrator to remotely manage the entire site, and allows members to submit news or content and reviews etc. DCP-Portal (DCP-Portal version 6.
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable. Affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829. This signature detects access to GlobalFunctions.php.
Signature ID: 1856 WEB-PHP IGeneric Free Shopping Cart page.
Signature ID: 1860 WEB-PHP Invision Board ipchat.php file include Vulnerability Threat Level: Warning Industry ID: CVE-2003-1385 Bugtraq: 6976 Signature Description: Invision Board is web forum software. It is implemented in PHP and it is available for Unix and Linux and Microsoft Windows operating systems.
request to the index.php script using the 'file' variable, which would cause arbitrary commands to be executed on the local shell of the host running the vulnerable Web site with privileges of the Web server process. Upgrade to the latest version of PHP-Nuke (5.5 or later), available at the vendor's website.
Signature ID: 1869 PayPal Store Front index.php Remote File Include Vulnerability Threat Level: Warning Bugtraq: 8791 Nessus: 11873 Signature Description: PayPal is an online shopping cart system that lets anyone with an email address securely send and receive online payments using their credit card or bank account. PayPal requires PHP4 and MySQL database on a Unix or Linux-based operating system. PayPal (PayPal version 3.
Signature Description: Phorum is a freely available, open source, popular WWW Board written by Brian Moon. A problem with the package allows users access to any resources within the bulletin board system. Any file that is access controlled by the auth.php3 script may be accessed, due to a backdoor password written into the script auth.php3. The password "boogieman" will permit users to access files controlled by auth.
Signature ID: 1878 WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation Vulnerability Threat Level: Information Industry ID: CVE-2004-0030 Bugtraq: 9368 Nessus: 11982 Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
Signature ID: 1882 WEB-PHP PhpGedView search.php access Vulnerability Threat Level: Information Industry ID: CVE-2004-0032 Bugtraq: 9369 Nessus: 11982 Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia. PHPGedView (PHPGedView version 2.
to include remote files on the system. By sending a specially-crafted URL request to the 'translation.php' script that specifies a remote file using the 'ONLY' parameter, a remote attacker could use this vulnerability and execute arbitrary code on the system. Upgrade to the latest version, available at the vendor's website.
Signature ID: 1887 WEB-PHP MediaWiki UpdateClasses.
Signature ID: 1891 WEB-PHP WebChat english.php file include Vulnerability Threat Level: Information Industry ID: CVE-2007-0485 Bugtraq: 7000,22153 Signature Description: WebChat is an open-source PHP-based chat program, developed by Webdev. WebChat version 0.77 could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the defines.
to a crash. Successful exploitation of this issue may allow an attacker to cause the software to crash or hang. Upgrade to the latest version of E107, which is available at the vendor's website.
Signature ID: 1899 WEB-PHP content-disposition memchr overflow Vulnerability Threat Level: Information Industry ID: CVE-2002-0081 Bugtraq: 4183 Nessus: 10867 Signature Description: PHP is a scripting language widely used in web development.
Signature Description: Pod.board is a web-based portal/forum system implemented in PHP. The pod.board 'forum_details.php' script does not sufficiently sanitize data supplied via the URI parameters 'user_homepage', 'user_location', 'user_nick' and 'user_signature', and the corresponding input fields are not properly sanitized of HTML tags.
Signature ID: 1908 WEB-PHP myphpPagetool pt_config.inc file include Vulnerability Threat Level: Warning Bugtraq: 6744 Signature Description: MyphpPagetool is an application used to maintain a web site using a MySQL database, which stores and manages all web pages and their contents. myphpPagetool is written in PHP and is available for a variety of platforms. myphpPageTool 0.4.
between the victim server and other hosts can be exploited by the attacker. phpBB Advanced Quick Reply Hack 1.1.0 and phpBB Advanced Quick Reply Hack 1.0.0 are vulnerable.
Signature ID: 1913 WEB-PHP phpbb quick-reply.php arbitrary command Vulnerability Threat Level: Warning Industry ID: CVE-2002-2287 Bugtraq: 6173 Signature Description: PhpBB Advanced Quick Reply Hack is a freely available phpBB modification.
visitor opens the page, the server processes the PHP commands and then sends the results to the visitor's browser. This rule triggers when an attacker sends a request to the '.php' files with the 'path' parameter. Successful exploitation of this issue allows an attacker to execute arbitrary PHP code.
available for Linux and Unix based operating systems. SquirrelMail allows for extended functionality through a plugin system. A vulnerability has been reported in some versions of SquirrelMail: it is possible to corrupt the variable used to select a user's theme through maliciously constructed cookie data and force the vulnerable script to execute arbitrary commands.
Signature ID: 1924 WEB-PHP W4 Server Cgitest.
Signature ID: 1930 WEB-FRONTPAGE contents.htm access Vulnerability Threat Level: Warning Signature Description: Microsoft FrontPage Server Extensions 2002 and prior versions have serious security vulnerabilities which could enable an attacker to run arbitrary code on a user's system.
Signature ID: 1935 WEB-FRONTPAGE fpremadm.exe access Vulnerability Threat Level: Warning Signature Description: Fpremadm uses Fpadmdll.dll, which is the same server-side ISAPI program as the HTML Administration Forms. Fpremadm is the utility that actually lets you administer FrontPage Server Extensions remotely. The Fpremadm utility interface is based on the administration utility Fpsrvadm.
Signature ID: 1940 WEB-FRONTPAGE register.htm access Vulnerability Threat Level: Warning Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are vulnerable to an information disclosure vulnerability. The web server may allow remote users to read sensitive information from .htm files. By submitting a request for one of the vulnerable files by way of '/_private/register.
Signature ID: 1947 WEB-FRONTPAGE services.cnf access Vulnerability Threat Level: Warning Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575 Signature Description: Microsoft FrontPage Extensions on IIS 5.1 or Apache web servers are vulnerable to an information disclosure vulnerability. The web server may allow remote users to read sensitive information from .cnf files.
Signature ID: 1952 MS Internet Explorer ActiveX bgColor Property Denial of Service Vulnerability Threat Level: Severe Industry ID: CVE-2007-0612 Bugtraq: 22288 Signature Description: Microsoft Internet Explorer 5.0 and above on Windows 2000, XP, 2003 and Vista is vulnerable to denial of service attacks.
Signature Description: Some SMTP servers do not complain when issued the command: MAIL FROM: |testing. This probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since this allows anyone to execute arbitrary commands on this host. This security hole might be a false positive, since some MTAs will not complain about this test, but instead just drop the message silently.
vulnerable to a denial of service attack. If an attacker sends a malformed BDAT data transfer command to an affected server, the attacker can cause the SMTP service to fail. The SMTP service must be restarted to regain normal functionality.
Signature ID: 2016 Sendmail program piped aliases check with expn and "news" Threat Level: Information Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which the command sent to the Sendmail program is expn with the argument NEWS.
Signature ID: 2023 Sendmail 8.6.12 Denial of Service Vulnerability Threat Level: Information Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol. It is used to transfer e-mail messages between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. This signature detects the content '8.6.12'. This 8.6.
Signature ID: 2029 Sendmail (8.8.3/8.8.4) MIME buffer overflow check with version of 8.8.4 Threat Level: Information Industry ID: CVE-1999-0047 Bugtraq: 685 Signature Description: An attacker can attempt to check if you are running sendmail version 8.8.4 or 8.8.3. Both of these versions of sendmail have a vulnerability which may allow intruders to access the vulnerable system as root.
Signature ID: 2030 Sendmail.
This rule will trigger when the packet has a pattern 'SLmail v3.1'. This attack will raise the CPU usage of the slsmtp.exe process to almost 100%.
Signature ID: 2052 VIRUS OUTBOUND .com file attachment Threat Level: Information Signature Description: This event indicates that an outgoing email message possibly containing a virus has been detected. This rule generates an event when a filename extension commonly used by viruses is detected. A virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user.
Signature ID: 2057 VIRUS OUTBOUND .diz file attachment Threat Level: Information Signature Description: This event indicates that an outgoing email message possibly containing a virus has been detected. This rule generates an event when a filename extension commonly used by viruses is detected. This signature generates a log for a .diz file attachment.
Signature ID: 2058 VIRUS OUTBOUND .
Signature ID: 2066 SMTP Client [Novarg Worm] Threat Level: Information Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p file sharing. The targets are all win32 computers. Once infected the worm installs a backdoor, allowing an attacker remote access to the system. It also uses its own SMTP engine to send out email messages.
Signature ID: 2072 SMTP Client [Novarg Worm] Threat Level: Information Signature Description: This signature detects when the packet contains pattern 'file.scr'. The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p file sharing. The targets are all win32 computers. Once infected the worm installs a backdoor, allowing an attacker remote access to the system.
Signature ID: 2098 VIRUS OUTBOUND bad file attachment Threat Level: Information Signature Description: This event may indicate a possible virus infection of a host on the protected network. Viruses may propagate in many different ways. Many arrive in the form of email attachments that an unsuspecting user may trigger by opening the attachment.
Signature ID: 2204 Microsoft SSL PCT buffer overflow attempt Threat Level: Critical Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209 Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some cases Windows 2000 domain controllers, are vulnerable.
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.
Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker sends a SEND RCPT TO formatted address field.
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.
including, but not limited to, a remote web page, an email attachment, peer-to-peer file sharing, or network filesystems. WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages are vulnerable to this attack.
MIME header, Exchange would cease to operate. Restarting the service and deleting the offending email would be required in order to regain normal functionality. In order to determine the offending email, restart Exchange. The hostile email would then appear at the front of the queue.
Signature ID: 2231 SMTP sendmail 5.5.5 MAIL FROM Parse Vulnerability Threat Level: Information Industry ID: CVE-1999-0203 CVE-1999-0163 Bugtraq: 2308 Nessus: 10258 Signature Description: Older versions of sendmail, i.e. before 8.6.10, fail to process malformed message headers, leading to remote command execution as root. All the versions of sendmail based on 5.x are vulnerable to this attack.
information returned by the client. If the response by the client to Sendmail is longer than expected, the response overflows the buffer. This condition could allow a remote attacker to execute commands on the host system and gain privileged access to the system. Eric Allman Sendmail 8.6.9 is vulnerable to this attack. Upgrade to at least version 8.6.10 of sendmail.
Signature ID: 2242 SMTP Content-Type overflow attempt vulnerability Threat Level: Severe Industry ID: CVE-2003-0113 Bugtraq: 7419 Signature Description: URLMON.DLL is a library used by Microsoft Internet Explorer. Microsoft Internet Explorer 5.01, 5.5 and 6.0 are vulnerable to buffer overflow. A remote attacker could exploit this vulnerability by sending a long argument to the Content-Type field.
Signature ID: 2247 SMTP To command overflow vulnerability Threat Level: Information Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538 Signature Description: This rule tries to detect an attempt to overflow the TO field in the SMTP header. Exim version 4.32 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking in the SMTP header. If the headers_check_syntax setting is enabled in the exim.
Signature Description: SMTP extended verbs are an addition of new functionality to the SMTP protocol. Microsoft Exchange uses one such extended verb "X-LINK2STATE" to communicate routing and other Exchange-specific information among Exchange servers in an Exchange environment. A buffer overflow error exists in the SvrAppendReceivedChunk() function of the xlsasink.dll library of Microsoft Exchange Server.
application or process like greeting cards or games, etc. When the user opens or triggers it, the malicious program sits on the user's computer and tries to open a backdoor silently, giving an attacker a way to take full control and exploit the user. This rule tries to detect Backdoor NetSphere. A cracker may use it to steal your password or prevent you from working properly.
Signature ID: 3030 Trojan GateCrasher detected Threat Level: Warning Industry ID: CVE-1999-0660 Nessus: 10093,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921 Signature Description: Backdoor Gate crasher 1.2 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely manage files, alter the user interface, shut down the system, etc.
server running. It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px. BIND 8.2.3-REL and BIND 9 are not vulnerable. The Lion worm spread via an application called pscan. randb then generates random class B networks probing TCP port 53. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned version of ssh gets placed on 33568/tcp.
between the client, master, and zombie are not encrypted. It is much like previously known DDOS tools such as Trinoo. The version that is in the wild uses TCP port 6723, and the password is "sex".
Signature ID: 3043 DDoS Mstream Tool Login Threat Level: Severe Industry ID: CVE-2000-0138 Nessus: 10391,10501 Signature Description: The mstream program is a distributed denial of service tool based on the "stream.c" attack.
Signature ID: 3049 Backdoor Netbus Pro Server Threat Level: Severe Industry ID: CVE-1999-0660 Nessus: 10152,10024,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921 Signature Description: This rule tries to detect Backdoor NetBus Pro.
planted in compromised systems. The attacker performs remote control via a simple telnet connection (client) to the handler (20432/tcp). Handlers act as masters that order agents to launch DoS. Shaft agents are capable of doing UDP, TCP SYN, ICMP packet flooding, or the combination of all three, based on the commands from Handlers. Communication between handlers and agents is achieved using the unreliable IP protocol UDP (18753/udp).
Signature ID: 3062 VNC Through HTTP Traffic Detected Threat Level: Warning Nessus: 10758 Signature Description: VNC (Virtual Network Computing) software makes it possible to view and fully interact with one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform, allowing remote control between different types of computer.
seeing applications on the task bar. This trojan affects only Windows 3.x and Windows 9X. This signature detects use of a hard coded password in the trojan.
Signature ID: 3094 Back Orifice 2000 Backdoor detection Threat Level: Severe Signature Description: Back Orifice 2000 or 'BO2k' is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. Back Orifice 2000 is widely regarded as a backdoor program.
Signature ID: 3099 Cow Backdoor for Windows 9x detection Threat Level: Warning Signature Description: 'Trojan cow' 1.0, also known as 'Backdoor.Cow' or 'Cow backdoor', is a Trojan that, once installed on a system, permits unauthorized remote users to manage files, manage programs, alter the user interface, shut down Windows, etc. Trojan Cow typically operates from the server file "C:\WINDOWS\Syswindow.exe" over port 2001 via TCP.
Signature ID: 3105 HVL-RAT backdoor (BF Evolution) for Windows detection Threat Level: Warning Signature Description: The 'HVL-RAT' backdoor, which is also known as 'B.F.Evolution', allows remote attackers to take control of a user's America Online session. It also streams audio from the microphone on the infected system to the attacker and allows rebooting or shutting down the infected machine.
computer while attempting to remain undetected. Progenic is a backdoor Trojan for the Microsoft Windows family of operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 11223, to allow the client system to connect.
Signature ID: 3119 The Thing Backdoor detection Threat Level: Critical Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a computer while attempting to remain undetected. The Thing Backdoor version 1.5 is a backdoor program that affects the Microsoft Windows family of operating systems.
victim's computer. These actions include shutting down or restarting the host system, retrieving saved and cached passwords, modifying the host system's registry, uploading, downloading, and deletion of files on the host system, intercepting keyboard activity or overtaking the keyboard input remotely and viewing the host system's current screen or webcam output.
data, steal passwords and disable the machine and also to take complete control of the system. This signature detects Outbound Backdoor traffic.
Signature ID: 3130 BACKDOOR Dagger_1.4.0_client_connect Threat Level: Information Signature Description: The Dagger backdoor is one of many backdoor programs that attackers can use to access a victim's computer without the knowledge or consent of the victim.
resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine. This rule detects the attack pattern on port number 3150.
Signature ID: 3136 BACKDOOR DeepThroat 3.
Signature ID: 3141 BACKDOOR DonaldDick 1.53 Traffic Threat Level: Severe Signature Description: Donald Dick is a Trojan Horse allowing the attacker to access various resources on the victim host. This backdoor permits unauthorized users to remotely extract passwords, edit the registry, log keystrokes, etc. Donald Dick runs from the server file "c:\WINDOWS\SYSTEM\pnpmgr.pci" over the ports 23476 and 23477 via TCP.
attacker can do the following: move and close windows on your desktop, start an FTP server on your computer, log your keystrokes, including passwords you type, shut down the computer and execute programs.
Signature ID: 3146 Backdoor Infector 1.
Attacker attempts to connect to a Telnet server using the phrase "satori". This is a known password for the Satori Linux rootkit.
Signature ID: 3151 BACKDOOR MISC Solaris 2.5 attempt Threat Level: Information Signature Description: Trojan horses are malicious programs that hackers usually bind to some other application or process, such as greeting cards or games, etc.
Signature ID: 3156 BACKDOOR Matrix 2.0 Server access Threat Level: Severe Signature Description: This trojan affects Windows operating systems. Matrix is a Trojan Horse offering the attacker the ability to upload files to, and download files from the victim host, retrieve passwords and start and stop an FTP server on your computer. This signature detects a MavericksMatrix backdoor running on your network.
Signature ID: 3161 BACKDOOR hack-a-tack Threat Level: Warning Signature Description: Backdoor Hack-a-tack is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely alter the user interface, run commands, log keystrokes, shut down Windows, etc. Hack-a-Tack typically runs over port 31789 via TCP.
Signature ID: 3166 BACKDOOR win-trin00 connection Threat Level: Severe Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus: 10307,10024,10152,10151,10409,10053,10270,10501,10288,10350,10920,10921,10501 Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.
Signature ID: 3172 BACKDOOR RUX the Tick get system directory Threat Level: Severe Signature Description: This rule tries to detect Backdoor Rux-the-Tick. This is a Trojan that infects vulnerable Windows operating systems. Once installed, it opens a backdoor on the host machine and monitors Transmission Control Protocol (TCP) port 22222 for an incoming connection from the client.
Signature ID: 3177 Microsoft IIS BACKDOOR sensepost.exe command shell Vulnerability Threat Level: Warning Industry ID: CVE-2000-0884 Bugtraq: 1806 Nessus: 11003 Signature Description: Microsoft IIS 4.0 and 5.0 are vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Signature ID: 3184 BackDoor CONNECTION Threat Level: Critical Signature Description: The Connection backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent. With the Connection backdoor, an attacker can view the contents of the file system and display cached passwords. By default, this backdoor opens TCP port 60411.
operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 2600, to allow the client system to connect. Digital Rootbeer could allow a remote attacker to gain unauthorized access to the system. Aliases include BackDoor-PR and Backdoor.
and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 41626, to allow the client system to connect. Once installed on a system, it permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
4666, to allow the client system to connect and remotely extract ICQ login info, manage files, monitor processes, etc. Mneah could allow a remote attacker to gain unauthorized access to the system.
Signature ID: 3202 Mosucker Backdoor detection Threat Level: Severe Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a computer while attempting to remain undetected.
Signature ID: 3207 Net Raider BackDoor detection Threat Level: Severe Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a computer while attempting to remain undetected. Netraider is a backdoor Trojan affecting the Microsoft Windows family of operating systems.
Signature ID: 3212 New Silencer BackDoor detection Threat Level: Critical Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a computer while attempting to remain undetected.
operating systems. The backdoor uses a client-server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. Oblivion Backdoor is a Trojan that permits unauthorized users to remotely manage and execute files, reconfigure the server for auto-launch, etc. Oblivion typically runs from the server file "C:\WINDOWS\msload32.exe" that listens on TCP port 7826.
Signature ID: 3226 Pest 1.0 BackDoor detection Threat Level: Severe Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a computer while attempting to remain undetected. This signature detects the Pest 1.0 backdoor. Pest 1.0 is a backdoor Trojan affecting the Microsoft Windows family of operating systems. Pest 1.
Intentionz Administrator (C.I.A.). Backdoor Cruel Intentionz Administrator (C.I.A) 1.1 is a family of backdoor programs, generated by the C.I.A. development kit, that affects the Microsoft Windows family of operating systems. The backdoor toolkit is written for Visual Basic and can be compiled as a PE/COFF executable file. The backdoor could also be packed using the UPX tool.
Signature ID: 3235 Backdoor Guptachar 2.0 Threat Level: Severe Signature Description: Guptachar is a remote administration tool which runs its own web server. It has various features like browsing files, uploading files, executing programs, logging keys, shutting down and restarting, etc. The web server can run on port 80 or 8081. Administrators are advised to close port 8081 to external users.
operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. Administrators are advised to close port 54321 to external users.
Signature ID: 3242 Backdoor SubSeven 2.1 Threat Level: Critical Nessus: 10409 Signature Description: Backdoor Subseven 2.1 is a backdoor program that affects the Microsoft Windows operating system.
and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 8811, to allow the client system to connect. Once installed on a system, it permits unauthorized users to remotely perform a variety of operations, such as getting system information, changing the contents of the victim's clipboard, reading/modifying contents of the clipboard, listing files, and uploading or downloading files.
infected PC. This signature detects when an attacker responds to a client system. The successful exploitation of this issue can allow an attacker to remotely change passwords and transfer files. Drat runs on TCP port 48.
Signature ID: 3252 Backdoor DTr 1.4 Threat Level: Severe Signature Description: DTr is a backdoor Trojan that affects Microsoft Windows operating systems. It copies itself to the Windows and System directories.
Signature ID: 3257 Backdoor Executor Vulnerability Threat Level: Critical Signature Description: Executor, also known as BackDoor-LM, Backdoor.Excecutor.a, Backdoor.Excecutor.b, Backdoor.Executor.a, Executor and Executor Controller, is a backdoor Trojan affecting Microsoft Windows operating systems.
files to operate on a target system. Gift installs the server on the victim system and, when Gift is activated, it sends a notification to the attacker and starts to listen on TCP port 10100 for specific commands coming from the Gift client. Backdoor.Gift provides the attacker with the ability to perform malicious actions such as downloading files, faking a destroyed hard drive, getting cached passwords, etc.
Signature ID: 3272 Backdoor Hydroleak Threat Level: Critical Signature Description: Backdoor Hydroleak is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
Signature ID: 3279 Backdoor Latinus 1.0 Threat Level: Critical Signature Description: Backdoor Latinus 1.0 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. It installs itself as MSLAT.
the victim's system and the remote attacker has control of the client. Latinus typically runs from the server file "c:\WINDOWS\msHtml.exe" over ports 11831, 21957 and 29559 via TCP.
Signature ID: 3284 Backdoor Le guardien Threat Level: Critical Signature Description: Backdoor Le guardien is a Trojan that opens up a backdoor program. It is written in Visual Basic 6 and affects Microsoft Windows operating systems.
Signature ID: 3289 Backdoor Private port 1.0 Threat Level: Critical Signature Description: This rule tries to detect Backdoor Private port 1.0. Backdoor Private port 1.
Signature ID: 3294 Backdoor Qwertos RAT 0.2 Threat Level: Critical Signature Description: This rule tries to detect Backdoor Qwertos RAT 0.2. This is a Trojan that opens up a backdoor program. Qwertos, also known as Latinus, affects Microsoft Windows operating systems.
Signature ID: 3299 Backdoor Remote hack 1.3 Threat Level: Critical Signature Description: This rule tries to detect Backdoor Remote Hack 1.2. This is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely shut down Windows, alter the user interface, control FTP access, etc. It affects Microsoft Windows operating systems.
Signature ID: 3304 Backdoor Ripperz controller 1.1 Threat Level: Severe Signature Description: Ripperz is a backdoor Trojan that infects Windows operating systems. It has a client-server architecture. The client is used by the attacker to exploit a system and the server is installed on a victim machine. This rule tries to detect Backdoor Ripperz Controller 1.1.
program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. Tcc Trojan typically runs over ports 1833, 1834, 1835, 1836, and 1837 via TCP.
Signature ID: 3317 Backdoor Vagr Nocker 1.2 Threat Level: Critical Signature Description: This rule tries to detect Backdoor Vagr Nocker 1.2. Vagr Nocker consists of at least two components. The client component is used by attackers to send connection requests and control commands to a target machine. The server component, running on the target machine, executes control commands sent by attackers.
Signature ID: 3323 Xanadu Backdoor detection Threat Level: Critical Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plain text, etc. while attempting to remain undetected. Xanadu, also known as Backdoor.Xanadu and Backdoor.Xanadu.11, is a backdoor Trojan written in Visual Basic that affects the Microsoft Windows family of operating systems.
Signature ID: 3328 Backdoor YAT 3.01 Threat Level: Critical Signature Description: Backdoor YAT 3.01 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. YAT typically operates over port 37653 via TCP.
Signature ID: 3333 Backdoor Helios 3.1 Threat Level: Critical Signature Description: Backdoor Helios 3.1 is a backdoor program that affects the Microsoft Windows operating system. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client.
C:\Windows\System.ini and remove the entry for wincmp32.exe in the shell key under the [boot] section, restart your computer and then delete C:\Windows\wincmp32.exe file.
Signature ID: 3355 Backdoor Backage Threat Level: Critical Signature Description: Backdoor Backage is a Trojan written in Visual Basic 6 affecting Microsoft Windows operating systems.
Backdoor.BasicHell.10, MultiDropper-CO, and TrojanDropper.Win32.Multibinder.141, is a trojan written in Visual Basic affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 60666, to allow the client system to connect.
remote attacker has control of the client. The server attempts to open a port, typically TCP 1850, to allow the client system to connect. Black Angel could allow a remote attacker to gain unauthorized access to the system. Black Angel is also known as Black Angel.13 and Black Angel b5.
Signature ID: 3365 Backdoor Breach 4.5 Threat Level: Severe Signature Description: Backdoor Breach 4.
4523, to allow the client system to connect. Celine could allow a remote attacker to gain unauthorized access to the system.
Signature ID: 3372 Backdoor Cero b1 Threat Level: Severe Signature Description: Backdoor Cero is a backdoor Trojan written in Visual Basic, affecting Microsoft Windows 95, 98, and Me.
Grisch client, an attacker could execute malicious actions including obtaining system information, obtaining passwords, recording keystrokes, and viewing the clipboard.
Signature ID: 3409 Backdoor One 0.1 (2) or Transcout Threat Level: Severe Signature Description: Backdoor One 0.1 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
Signature ID: 3410 Backdoor R0xr4t 1.
Signature ID: 3416 Backdoor WinCrash 2.0 (2) Threat Level: Information Signature Description: Backdoor WinCrash 2.0 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely manage files, alter the user interface, extract passwords, and crash the system. Backdoor WinCrash has server and client parts.
backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files. Olive typically runs over ports 23005 and 23006 via TCP.
Signature ID: 3422 BackDoor Oxon Threat Level: Severe Signature Description: Oxon, also known as Backdoor.NetTrash.10.a, Backdoor.
Signature ID: 3427 Backdoor NOK NOK 5.0 Threat Level: Severe Signature Description: This rule tries to detect Backdoor NokNok 5.0. Backdoor NokNok 5.0 is a Trojan that opens up a backdoor program that, once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and uploading or downloading files.
Signature ID: 4007 Ascend MAX UDP Port 9 Vulnerability Threat Level: Warning Industry ID: CVE-1999-0060 Bugtraq: 714 Nessus: 10019 Signature Description: Lucent Ascend TNT Router 2.0 and Lucent Ascend TNT Router 1.0, Lucent Ascend Pipeline Router 1.0 to Lucent Ascend Pipeline Router 6.0 and Lucent Ascend MAX Router 1.0 to Lucent Ascend MAX Router 5.0 are vulnerable versions.
server 1.2 and sends a large amount of ASCII 255 chars, the server will close itself and disconnect all the current users, causing a denial of service attack.
Signature ID: 4028 MDaemon Webconfig crash Threat Level: Warning Industry ID: CVE-1999-0844 Bugtraq: 820 Nessus: 10138 Signature Description: MDaemon is a mail server for Windows from Alt-N Technologies.
Signature ID: 4035 Oracle WebCache server multiple DoS vulnerabilities Threat Level: Warning Industry ID: CVE-2002-0102 CVE-2002-0102 Bugtraq: 3760,3762 Nessus: 10808 Signature Description: Oracle9iAS Web Cache is a web caching solution for Oracle 9iAS Application Server, providing quick retrieval of dynamic web content. Oracle9iAS Web Cache 2.0.0.0 to 2.0.0.
'in.identd' service. The vulnerable 'in.identd' Ident server allows remote attackers to cause a denial of service via a long request, which causes the server to access a NULL pointer and crash. TinyIRC TinyIdentD 2.2 suffers from a buffer overflow condition. This allows remote attackers to execute arbitrary code on the target system.
'EXPN' command followed by 2041 characters to Seattle Labs Slmail 3.0.2421 or before will cause the SLMail service to stop functioning. This results in a denial of service condition.
Signature ID: 4051 IPSEC IKE check Denial of Service vulnerability Threat Level: Warning Nessus: 10941 Signature Description: The remote IPSEC server may be negotiating bogus IKE requests.
Signature ID: 4061 Oracle9iAS Web Cache Buffer Overflow Threat Level: Warning Industry ID: CVE-2001-0836 CVE-2002-0102 Bugtraq: 3443,3449,3760 Nessus: 11069 Signature Description: A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1 to 2.0.0.2 NT (inclusive) by submitting a malicious URL. Unsuccessful overflow attempts can cause the Web Cache process to exit or hang, causing a denial of service condition.
specified could include /dev files and therefore this could lead to a number of damaging scenarios including memory and disk corruption, denial of service, etc.
Signature ID: 4077 Routed append attempted Threat Level: Information Nessus: 11822 Signature Description: Routed is a daemon used to dynamically update network routing tables.
agents. Communication between the client and the handler is conducted using TCP and the communication between the handler and the agent can be either TCP or icmp_echoreply. Stacheldraht encrypts most of its communication between clients, master servers and agents. Although Stacheldraht does encrypt the control channel between master and agent, it does not encrypt the ICMP heartbeat packets, which are sent from agent to master.
attacks, as well as providing an "on demand" root shell bound to a TCP port. TFN is currently being developed and tested on a large number of compromised Unix systems on the Internet, along with another distributed denial of service tool named "trinoo". This event detects when the ICMP packet's icmptype is 0.
the masters and daemons are systems that are remote to the client and have been infiltrated and compromised by installation of Trin00 master or daemon programs. Thus, the true source of the attack is nearly untraceable. The Trin00 master can make several requests to the Trin00 daemon. These include instructions to start/stop flooding a host with UDP packets and instructions to change the UDP flood configuration of the daemon.
Signature ID: 4095 Mstream DDOS tool handler to client traffic detection Threat Level: Severe Industry ID: CVE-2000-0138 Nessus: 10501 Signature Description: Mstream is a distributed denial of service attack tool. Denial of service attacks can crash the target system. The mstream network, like trinoo and shaft, is made up of one or more handlers and a large set of agents.
all three, based on the commands from Handlers. Communication between handlers and agents is achieved using the UDP protocol (18753/udp). This signature detects traffic from Shaft handler to a client.
Signature ID: 4104 Cisco Service Control Engine SSH credentials DOS Vulnerability Threat Level: Severe Industry ID: CVE-2008-0535 Bugtraq: 29316,29609 Signature Description: Iconfidant SSH is a Secure Shell (SSH) server that runs on VxWorks-based systems. The vulnerability in SSH server, Cisco Service Control Engine (SCE) before 3.1.6, and Icon Labs Iconfidant SSH before 2.3.
Signature ID: 4111 Arkiea Backup nlserverd Remote DOS vulnerability Threat Level: Warning Industry ID: CVE-1999-0788 Bugtraq: 662 Signature Description: Knox Software Arkeia Backup application is a network backup solution. A vulnerability in the 'nlservd' executable, as packaged with Knox Software Arkeia 4.0 and 4.1, allows remote users to shut it down by sending it large amounts of input over the network.
human-oriented status and user information. The cfinger daemon is a daemon serving the Finger protocol. This signature detects an attempt to learn the version of the Finger service. A Finger daemon should not advertise its version to the world. Doing so gives attackers the opportunity to focus their attacks.
Signature Description: The finger service provides users with information about the remote system, user listings, etc. An attacker can compromise a UNIX system by deploying a backdoor that allows the attacker to send cmd_rootsh to the finger service to gain root access rights. The rule looks for cmd_rootsh in a finger connection originating from an external network. There is a chance that the installed finger daemon is a backdoor.
Signature ID: 6001 Directory traversal vulnerability in GuildFTPd 0.9.7 Threat Level: Warning Industry ID: CVE-2001-0767 Bugtraq: 2789 Nessus: 10694 Signature Description: A security vulnerability in Version 0.9.7 of GuildFTP allows anyone with a valid FTP login to list or read arbitrary files and directories on the system. This rule triggers when connection to GuildFTP 0.9.7 is made from outside.
Signature ID: 6007 FTPd revealing the existence of a user Threat Level: Information Nessus: 10082 Signature Description: It is possible to determine the existence of a user on some remote FTP servers by issuing the command CWD ~, for example: CWD ~root. An attacker may use this to determine the existence of accounts known to be vulnerable (like guest) or to determine which system you are running.
Signature ID: 6015 FTP (Serv-U) Directory Traversal Vulnerability Threat Level: Warning Industry ID: CVE-2001-0054 CVE-1999-0175 Bugtraq: 2052,2025 Nessus: 10565 Signature Description: FTP Serv-U is an internet FTP server from CatSoft. Authenticated users can gain access to the ftproot of the drive where Serv-U FTP has been installed.
Signature ID: 6026 Proftpd mkdir buffer overflow Vulnerability Threat Level: Warning Industry ID: CVE-1999-0911 Bugtraq: 612 Nessus: 10189,10190 Signature Description: The Proftpd remote FTP server can be crashed by creating a huge directory structure with directory names not being longer than 255 chars. This is usually called the 'proftpd buffer overflow' even though it affects other FTP servers.
Signature Description: ProFTPd versions prior to and including 1.2pre1, as well as wuftpd versions up to 2.4.2academ[BETA-18] and 2.4.2 beta 18 vr9 are vulnerable to a buffer overflow that could result in remote root access. It is possible to make the remote FTP server crash by issuing this command: NLST aaaXXXX%u%[...]%u%u%u%%u%653300u%n where XXXX have ASCII values 0xDC, 0x4F, 0x07 and 0x08.
Signature ID: 6039 MS-IIS FTPd Status request DoS Vulnerability Threat Level: Critical Industry ID: CVE-2002-0073 Bugtraq: 4482 Nessus: 10934 Signature Description: It is possible to make the remote Microsoft IIS FTP server crash by sending a command like 'STAT *?AAAAA....AAAAA'. This vulnerability surfaces when a request is received for the FTP transfer status via the STAT command.
the same group as the ftp account and are not write protected, an intruder will be able to add files (such as a .rhosts file) or modify other files. This rule detects the presence of a CWD command with etc as its argument, as this indicates an attempt to access the etc directory from outside. Therefore having files write-enabled on your FTP server can cause problems such as allowing your site to become a pirated software drop point.
Signature ID: 6058 FTP CWD command Buffer overflow Vulnerability Threat Level: Information Industry ID: CVE-2000-1035 Bugtraq: 1690 Nessus: 10084 Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the CWD command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in the context of the server or cause a denial of service.
vulnerabilities that allow an attacker to perform activities like directory traversal and information disclosure, etc. The vulnerability is not in glftpd itself, but in a suite of zip-based plug-ins that come with the glftpd package by default; these plug-ins are widely used in installations of glftpd. By using a command like SITE NFO ../../etc/*, the attacker can view files in the folder, outside of the ftp root.
Signature ID: 6081 FTP STAT command directory traversal Vulnerability Threat Level: Information Signature Description: Some remote FTP servers like South River Technologies' Titan FTP Server are vulnerable to a flaw which allows users to access files which are outside the FTP server root by issuing a specially crafted STAT command.
Signature Description: FTP Servers are vulnerable to buffer overflow attacks. The flaw is due to a lack of bounds checking on user-supplied data passed to the FTP service. This vulnerability may allow an attacker to crash applications, or potentially allow code execution. The maximum size allowed is 512 characters.
may exploit this issue to corrupt a saved instruction pointer and in doing so may potentially influence execution flow of the affected service using the attacker-supplied instructions. Signature ID: 6105 WS_FTP Server resource consumption DOS Vulnerability Threat Level: Information Bugtraq: 9237 Signature Description: WS_FTP Server 4.
Signature ID: 6110 FTP LIST command integer overflow Vulnerability Threat Level: Information Industry ID: CVE-2003-0853 Bugtraq: 8875 Signature Description: An integer overflow in the ls command in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd.
command to trigger a format string flaw and potentially execute arbitrary code on some FTP servers. The issue exists due to a lack of sufficient format checks against user-supplied data.
Signature ID: 6121 FTP RMDIR command Buffer overflow Vulnerability Threat Level: Critical Bugtraq: 819 Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the RMDIR command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in the context of the server or cause a denial of service.
Signature ID: 6128 FTP SITE ZIPCHK command Buffer overflow Vulnerabilty Threat Level: Information Industry ID: CVE-2000-0040 Bugtraq: 891 Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the SITE ZIPCHK command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in the context of the server or cause a denial of service.
Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the USER command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in the context of the server or cause a denial of service. The issue exists due to a lack of sufficient boundary checks performed on user-supplied data.
private keys for that user are also at risk. This rule generates an event in case an attempt is made to transfer the file "authorized_keys" using FTP.
Signature ID: 6139 FTP format string Vulnerability Threat Level: Information Signature Description: Some FTP servers are reported to be prone to a format string vulnerability. The issue exists due to a lack of sufficient format checks against user-supplied data.
server is made. The passwd file is typically located in the "/etc/" directory and is used to hold the authentication information for system logins. This file needs to be readable by all system users. Signature ID: 6147 FTP Piss scan attempt Threat Level: Warning Signature Description: This event is generated when a Piss scan attempts to log in to FTP servers with "cklaus" as the password.
Signature ID: 6154 FTP REST command Vulnerability Threat Level: Critical Signature Description: The REST command is used to continue an interrupted session and its integer argument represents the position in the file where transfer should begin. A vulnerability has been discovered in the HP-UX 11 ftpd daemon which can be triggered using the FTP REST command.
Signature Description: The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. If the internal host answers an ICMP timestamp request, it allows an attacker to learn the date that is set on your machine. This may help the attacker to bypass any time-based authentication protocol checks.
portions. Remote attackers can exploit this vulnerability to execute arbitrary code, or to create a denial of service condition on an infected system. Linux.Slapper.Worm and its variants exploit this vulnerability for attacks.
Signature Description: Computer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery application. The UniversalAgent module for UNIX listens on TCP/UDP port 6051 and is used to perform backups on nodes across the network and is capable of backing up system settings as well as files. This agent service requires either administrative credentials or a node-specific password.
the network. An attacker tries to log in to a server using the username 4Dgifts via Telnet. This is a default account on some SGI based machines. The password may also be 4Dgifts or it may not have a password assigned.
a virtual connection between server and client. There is a known vulnerability in /bin/login in telnetd on Sun Solaris systems. A buffer overflow condition is present in /bin/login used by telnetd that may present an attacker with the opportunity to execute code of their choice after a successful exploit.
username root. If this is followed by a login failure event, the root login did not succeed. However, if no failure message is observed, this may indicate that the root login succeeded. Signature ID: 9001 LPRng Format String Vulnerability Threat Level: Warning Industry ID: CVE-2000-0917 Bugtraq: 1712 Nessus: 10522 Signature Description: LPRng is an implementation of the Berkeley lpr print spooling utility.
Signature ID: 9007 OpenSSH 2.3.1 authentication bypass vulnerability Threat Level: Warning Bugtraq: 2356 Nessus: 10608 Signature Description: OpenSSH version 2.3.1 is vulnerable to a flaw which allows an attacker who can obtain the public key of a valid SSH user to log into this host without any authentication.
Signature ID: 9013 AOL Instant Messenger 'goaway' Message Stack overflow Vulnerability Threat Level: Severe Industry ID: CVE-2004-0636 Bugtraq: 10889 Signature Description: AOL Instant Messenger (AIM) is an instant messaging system distributed by AOL Time Warner. A remotely exploitable stack based overflow vulnerability exists in AIM which allows attackers to execute arbitrary code.
Signature ID: 9030 Knox Arkeia Network Backup Client Type 84 Request Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-0491 Bugtraq: 12594 Signature Description: Knox Arkeia Network Backup Client is an application designed to provide data protection for Microsoft Windows and Unix-based operating systems. A stack based buffer overflow vulnerability exists in the binary arkeiad.
Signature ID: 9034 Computer Associates License Server/Client GETCONFIG Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-0581 Bugtraq: 12705 Signature Description: The Computer Associates License Client/Server applications provide a method for CA products to register their licenses on the network. A buffer overflow vulnerability exists in Computer Associates License Server/Client versions 1.53 to 1.61.8.
Signature ID: 9039 CVS Double Free Heap Corruption Vulnerability Threat Level: Warning Industry ID: CVE-2003-0015 Bugtraq: 6650 Signature Description: CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. CVS versions 1.11.
Signature ID: 9050 Oracle Application Server Web Cache Heap Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2004-0385 Bugtraq: 9868 Signature Description: The Oracle Web Cache is useful for caching static and dynamic content generated from Oracle Application web servers, thus reducing bandwidth usage and server load. The Oracle9i Application Server Web Cache versions 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.
Signature Description: Ethereal is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. A remote buffer-overflow vulnerability reportedly affects Ethereal 0.10.9 and earlier because it fails to securely copy network-derived data into sensitive process buffers.
service which may include domain-wide administrative rights. Upgrade to the latest version of software as listed in VERITAS Software Support Document ID: 273419. Signature ID: 9067 Volition Freespace 2 Game Client Remote Buffer Overflow Threat Level: Information Bugtraq: 9785 Signature Description: FreeSpace 2 is a 1999 space combat simulation computer game developed by Volition, Inc.
Signature ID: 9071 EMule DecodeBase16 Function Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2004-1892 Bugtraq: 10039 Signature Description: eMule is a peer-to-peer file sharing application for Microsoft Windows. eMule version 0.42d is vulnerable to a stack-based buffer overflow, caused by a vulnerability in the DecodeBase16 function.
Signature ID: 9077 Ssh CRC32 overflow vulnerability Threat Level: Information Industry ID: CVE-2001-0144 CVE-2001-0144 CVE-2002-1024 Bugtraq: 2347,5114 Nessus: 10972,10607,11381,11382 Signature Description: An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.
Signature ID: 10006 Cobalt Web Administration Server Detection Threat Level: Information Nessus: 10793 Signature Description: The Cobalt Administration web server enables attackers to configure your Cobalt server if they gain access to a valid authentication username and password. Access to this server from an external network is suspicious.
may be attempting to scan the system for a Denial of Service vulnerability. UDP packets are flooded with ECHO or CHARGEN by connecting a host ECHO service to a local or remote CHARGEN service. Signature ID: 10014 Ident version request Threat Level: Information Signature Description: Auth/Ident servers, which run on the local user's machine, open port 113 and listen for incoming connections and queries from remote machines.
Signature ID: 10022 TFTP GET shadow Threat Level: Information Signature Description: The "shadow" file normally stores encrypted password hashes and user names for Unix based systems. If this file is being transferred over the network using TFTP, it normally indicates that the system has been compromised by a remote user who is transferring sensitive files to the attacker's system.
generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. In this case PCT should work for LDAPS (port 636). This includes but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.
The effects of this vulnerability vary, depending on the exact versions of Windows NT and CiscoSecure ACS on the server. Administrators are advised to close the port 2002 for external users.
gain more knowledge. This will help him plan an attack strategy. This rule detects any activity with an active Nessus Daemon running in the internal network.
Signature ID: 10140 Access to vulnerable WorldClient CGI for MDaemon Server Threat Level: Information Industry ID: CVE-2002-1741 Bugtraq: 4687 Nessus: 10745 Signature Description: WorldClient is a web interface packaged with MDaemon, an email server for Microsoft Windows. WorldClient.
Signature ID: 10155 Delta UPS Daemon Detection Threat Level: Information Nessus: 10876 Signature Description: The Delta UPS Daemon shows sensitive information, including OS type and version, internal network addresses, internal numbers used for pager and encrypted password etc.
Signature ID: 10175 RADIUS Digest Calculation Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2001-1376 Bugtraq: 3530 Signature Description: Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized access, authorization and accounting management for computers to connect and use a network service.
with Microsoft SQL Server 6.5 and higher. There exists a vulnerability, which can be exploited by a remote attacker by sending 200 NULL bytes. This results in crashing the MSDTC service.
Signature Description: The Blaster worm propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. The worm opens a command shell on the victim host on TCP port 4444. It issues the commands "tftp GET msblast.exe" and "start msblast.exe" over the command shell. The command shell is closed once the attacking host disconnects.
Signature ID: 10216 TELNET access from external network Threat Level: Information Industry ID: CVE-1999-0619 Nessus: 10280 Signature Description: This particular event occurs when a remote user who does not belong to the internal network successfully connects to a telnet server. This may be a legitimate connection by an authorized user or an undesired connection by an unauthorized user.
Signature Description: Macromedia Flash Media Server 2 software offers the unique combination of traditional streaming media capabilities and a flexible development environment for creating and delivering innovative, interactive media applications to the broadest possible audience. Flash Media Server uses TCP port 1111 for remote server administration. An administrator can connect on this port and perform different tasks.
Signature ID: 10228 Multiple Vendor Telnet Client LINEMODE SLC Sub-Option Remote Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2005-0469 Bugtraq: 12918 Signature Description: Multiple Telnet client implementations are vulnerable to a flaw which may allow arbitrary code to be executed on the connected client.
computer. The Veritas Backup Exec package provides both an RPC service, and DCOM request handler through beserver.exe. The Backup Exec Server service registers an RPC interface on a TCP endpoint with ID 93841fd0-16ce11ce-850d-02608c44967b on port 6106. An access validation vulnerability exists in Veritas Backup Exec Server for Windows.
Signature Description: MySQL MaxDB is a heavy-duty, SAP-certified open source database. A web based application interface, Webtool, which acts as an HTTP server, is provided with MaxDB. The If header is a part of WebDAV and its purpose is to describe a series of state lists. If the state of the resource to which the header is applied does not match any of the specified state lists then the request MUST fail.
Signature ID: 10239 HP OpenView Radia Notify Daemon Long File Extension Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-1826 Bugtraq: 13835 Signature Description: HP OpenView Radia is a desktop management software designed for Windows and Unix based Operating systems.
arbitrary code on the system with SYSTEM level privileges. Administrators are advised to close the port 4105 for untrusted clients. Signature ID: 10243 Apple QuickTime Player QuickTime.qts Heap Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2004-0431 Bugtraq: 10257 Signature Description: Apple's QuickTime Player is a player that allows users to view local and remote audio/video content.
Signature Description: Novell ZENWorks software suite is designed for managing desktops, laptops, servers, handheld devices, etc. in a large enterprise. A stack based buffer overflow vulnerability exists in the authentication protocol implementation of Novell ZENworks Management Agent ZenRem32.exe.
Signature ID: 10509 HTTP ActiveState Perl directory traversal Vulnerability Threat Level: Information Nessus: 11007 Signature Description: This rule will trigger when an attempt is made to compromise a host running a Web server or a vulnerable application on a web server. Issue present in performing stringent checks when validating the credentials of a client host connecting to the services offered on a host server.
the existence of (potentially) illegal files/software on an ftp server.
Attack Scenarios:
As part of an attempt to store elite warez on an ftp server, an attacker named the file "1mb" to indicate its size. This file is likely part of an archive that represents a larger, most likely illegal copy of media.
Corrective Action:
Inspect the ftp server for a file named 1mb and check its legitimacy.
Signature ID: 11003 Malformed Imap Request Threat Level: Critical Signature Description: All IMAP requests have some command to be sent to the server with some argument. The absence of any command in the request packet is suspicious as it does not serve any purpose. This rule triggers when the system detects an IMAP packet with no command in it. Signature ID: 11004 No AUTHENTICATION type specified in the request line.
Signature ID: 11008 Anonymous login to IMAP access Vulnerability Threat Level: Severe Signature Description: IMAP stands for Internet Message Access Protocol. It is a method of accessing electronic mail or bulletin board messages that are kept on a mail server. This signature detects when an attacker accesses IMAP using the login name 'anonymous'.
Signature ID: 11014 IMAP auth overflow attempt Threat Level: Severe Industry ID: CVE-1999-0005 Bugtraq: 8861,130 Signature Description: A remote user sends an overly long string to an IMAP server via the command AUTH. This may indicate an attempt to exploit a buffer overflow condition. A successful attempt may cause the IMAP service to crash or give the attacker access to the affected server.
buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access. Signature ID: 11019 IMAP login brute force attempt Threat Level: Warning Signature Description: An attempt is made to gain access to an IMAP server using brute force methods, in which an attacker attempts to guess username and password combinations.
supplying a long, well-crafted string as the second argument to the LSUB command, it is possible to execute code on the machine. Executing the LSUB command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access.
Signature ID: 11028 IMAP append literal overflow attempt Threat Level: Severe Industry ID: CVE-2004-1211 Bugtraq: 11775 Signature Description: Imapd daemon is reported susceptible to multiple stack-based buffer-overflow vulnerabilities. These issues are due to the application's failure to properly bounds-check user-supplied input before copying it to a finite-sized memory buffer.
Signature ID: 11032 IMAP delete command buffer overflow vulnerability Threat Level: Severe Industry ID: CVE-2004-1520 Bugtraq: 11675 Signature Description: The IMAP DELETE command permanently removes the mailbox with the given name. It takes as its argument the name of the mailbox that needs to be deleted from the server.
Signature Description: IMAP daemon is reported to be susceptible to a remote format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input data before using it as the format specifier in a formatted printing function.
command continuation request comes from the server, client sends Literal value (no. of octets) - 2 amount of data to the server. Since the arguments of SUBSCRIBE command will never be that large, this can be considered as an attack.
Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT (MS04-011) Signature ID: 11045 IMAP Ipswitch EXAMINE Argument Buffer Overflow vulnerability Threat Level: Severe Industry ID: CVE-2005-0707 Bugtraq: 12780 Signature Description: Ipswitch Collaboration Suite (ICS) is a comprehensive communication and collaboration solution for Microsoft Windows.
the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and remotely. Some network management functions generate a debug log file in the "debug" sub directory located in the Windows directory. Some RPC functions will accept a long string as a parameter and attempt to write it to the debug log file.
Signature ID: 12002 Access to Vulnerable X Server Threat Level: Warning Industry ID: CVE-1999-0526 Nessus: 10407 Signature Description: X11 is a client-server protocol, which can be used to display graphical applications running on a remote host. Since the X11 traffic is not encrypted, it is possible for an attacker to eavesdrop on the connection.
as a proxy. A Gopher server may support proxy connections to FTP servers. This allows a user to assume the source IP of the Gopher server when connecting to an FTP server. This may be used to bypass FTP access restrictions based on source IPs.
network and inviting computers to make use of its services. By sending a specially-malformed NOTIFY directive as a unicast or multicast NOTIFY message, an attacker can overflow a buffer in the UPnP service to gain system level privileges on the affected system or systems.
Signature ID: 12023 Oracle tnslsnr Listner Program Vulnerable via SET TRC_FILE or SET LOG_FILE Threat Level: Warning Industry ID: CVE-2000-0818 Bugtraq: 1853 Signature Description: Oracle Enterprise Server ships with a server program called listener (tnslsnr) used for remote database access.
communication between its clients and other CA Unicenter servers. This rule detects if any CA Unicenter File Transfer service accepts connections from an external network, since such access is suspicious and may lead to exploitation.
Signature ID: 12042 Possible LDAP Exchange Overflow Attempt Threat Level: Information Industry ID: CVE-1999-0385 Bugtraq: 0503 Signature Description: A buffer overflow exploit against Microsoft Exchange's LDAP (Lightweight Directory Access Protocol) server allows read access to the Exchange server directory by using an LDAP client.
A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm.
database if the password has not been manually changed. This event is triggered when an attempt is made to access a host running Microsoft SQL Server or utilizing MSDE via the default "sa" account. This event just reports the activity as suspicious.
Signature ID: 12059 MS-SQL sa brute force failed login Threat Level: Information Industry ID: CVE-2000-1209 Bugtraq: 4797 Nessus: 10673 Signature Description: Microsoft MSDE and SQL Server 2000 Desktop Engine are configured by default with a null administrative password. Remote attackers may exploit this flaw to gain administrative access to the database if the password has not been manually changed.
Signature ID: 12065 MS-SQL sp_start_job program execution Threat Level: Information Signature Description: This event is generated when an unauthorized user attempts to execute commands or programs on an SQL database server, which may result in a loss of confidentiality, availability, and integrity of data stored on the database.
Signature Description: The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the application to fail or arbitrary code to be executed on the target system depending on the data entered into the buffer. XPs are DLL files that perform high level functions in SQL Server.
Signature Description: The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the application to fail or arbitrary code to be executed on the target system depending on the data entered into the buffer. XPs are DLL files that perform high level functions in SQL Server.
is a suspicious activity. An SQL database server that may result in a serious compromise of the data stored on that system.
Signature ID: 12096 Buffer Overflow while parsing IRC traffic in Ettercap Threat Level: Warning Signature Description: This rule triggers when an attempt is made to exploit a buffer overflow vulnerability in Ettercap version 0.6.2 and prior.
logging NFS activity. Intruders who exploit the vulnerability are able to gain administrative access to the vulnerable NFS file server. Affected versions include Caldera OpenLinux Standard 1.2, RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1.
Signature ID: 12106 Access to VqServer Admin Service Threat Level: Information Industry ID: CVE-2000-0766 Bugtraq: 1610 Signature Description: VqServer is a personal web server from VqSoft. Apart from a web server on port 80 (and 8080), it also runs an administrative interface on port 9090. This interface is used to manage the server. Access to this port from an external network can be treated as a security risk.
Signature ID: 12111 VERITAS NetBackup Java User Interface Format String Vulnerability Threat Level: Severe Industry ID: CVE-2005-2715 Bugtraq: 15079 Signature Description: VERITAS NetBackup is a backup and recovery software solution. One of the components of the Java Administration console for the NetBackup software, bpjava-msvc, is used for authentication purposes.
Signature ID: 12115 BomberClone Error Messages Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-0460 Bugtraq: 16697 Signature Description: BomberClone is a multi-player network game; it is a free Bomberman-like game for Linux and Windows. It features powerups that give you more strength, make you walk faster through the level, or let you drop more bombs. BomberClone versions prior to 0.11.6.
Signature ID: 12119 Yahoo Messenger Multiple Vulnerabilities Threat Level: Warning Industry ID: CVE-2002-0031 CVE-2002-0032 Bugtraq: 4837,4838 Signature Description: Buffer overflows in Yahoo Messenger 5,0,0,1064 and earlier allow remote attackers to execute arbitrary code via a ymsgr URI with long arguments to call, sendim, getimv, chat, addview, or addfriend.
buffer overflow vulnerability exists in Novell eDirectory version 8.8 iMonitor version 2.4. A remote attacker can exploit this vulnerability via a specially-crafted HTTP request. Successful exploitation of this vulnerability may cause execution of arbitrary code or cause the system to crash. Administrators are advised to close the external port 8028 for external users.
Signature ID: 12128 Session Intiation Protocol Request with Large Expires field value Threat Level: Warning Signature Description: Session Initiation Protocol (SIP) is an ASCII-based application layer protocol used to establish, maintain, and terminate calls between two or more endpoints. SIP uses requests and responses to establish communication among various components of the network.
Signature ID: 12134 Session Description Protocol (SDP) Version Integer Overflow Threat Level: Warning Signature Description: Session Description Protocol (SDP) is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation.
Signature ID: 12139 Session Directory Protocol (SDP) Request with a large string in Session Name field Threat Level: Warning Signature Description: Session Directory Protocol (SDP) is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation.
specially-crafted SIP request with an invalid value in CSeq field could potentially consume SIP proxy resources resulting in a DoS.
Signature ID: 12145 BakBone NetVault Client Name Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-1009 Bugtraq: 12967 Signature Description: BakBone's NetVault is a backup and restore software for Windows and Linux Servers.
parameter using the above mentioned procedure. Administrators are advised to install the updates downloadable from the Oracle website.
Signature ID: 12201 ICMP Address Mask Reply Threat Level: Warning Signature Description: ICMP Address Mask Reply. Internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks.
Signature ID: 12206 ICMP Datagram Conversion Error Threat Level: Information Signature Description: This event is generated when an ICMP Datagram Conversion Error message is found in the network traffic. ICMP Datagram Conversion Error messages were used by network layer converters to send back information regarding invalid datagram conversions between IPv4 and IPv6.
and source/destination port. Excessive generation of this event may be an indication of improperly configured hosts/routing equipment or a routing problem.
Signature ID: 12212 ICMP Destination Unreachable Host Unreachable Threat Level: Information Signature Description: This event is generated when an ICMP Destination Unreachable Host Unreachable message is found in the network traffic.
Signature ID: 12217 ICMP Destination Unreachable Precedence Cutoff in effect Threat Level: Information Signature Description: This event is generated when an ICMP Destination Unreachable Precedence Cutoff in effect message is found in the network traffic. This rule generates informational events about the network.
message are normal, but excessive generation of this event may be an indication of improperly configured hosts/routing equipment or it may be due to some attacker sending a large number of specially-crafted fragmented packets to cause denial of service. This message is also sometimes used for operating system fingerprinting.
traffic. The Information Request/Reply pair was intended to support self-configuring systems such as diskless workstations, to allow them to discover their IP network prefixes at boot time. However, these messages are now obsolete. The RARP and BOOTP protocols provide better mechanisms for a host to discover its own IP address. ICMP Information Request/Reply datagrams should never be present in normal network traffic.
Signature ID: 12234 ICMP Mobile Registration Reply Threat Level: Information Signature Description: This rule hits when a network host generates an ICMP Mobile Registration Reply. RFC3344 (IP Mobility Support for IPv4) defined a newer version of ICMP Mobile Registration Reply using UDP/TCP, and the ICMP version was never in use. ICMP Mobile Registration Reply datagrams should not be present in normal networking traffic.
ICMP Parameter Problem Bad Length datagram indicates that the datagram was truncated before it reached its final destination. This could be an indication of routing problems on the network, or malfunctioning routing hardware.
datagram. Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 2 datagrams are generated when a received datagram fails the decompression check for a given SPI (Security Parameters Index).
Signature ID: 12250 ICMP Redirect with undefined ICMP code Threat Level: Information Signature Description: This rule gets hit when an ICMP Redirect message with an undefined ICMP code is detected. ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.
Signature ID: 12255 ICMP Source Quench message with undefined ICMP code Threat Level: Information Signature Description: This rule gets hit when an ICMP "Source Quench" message is detected that has a non-zero ICMP code. An ICMP "Source Quench" message is issued by a network device that cannot handle the current volume of traffic. The ICMP code value for this message should be 0.
Signature ID: 12259 Traceroute tool Threat Level: Information Signature Description: Traceroute can be used as a reconnaissance tool as it can reveal information about the layout of a network. Traceroute works by sending an ICMP Echo Request packet to a destination host with a TTL value of 1.
Signature ID: 12265 Undefined ICMP Type 7 datagram in network traffic Threat Level: Information Industry ID: CVE-1999-0454 Signature Description: This rule gets hit when an ICMP message with an undefined Type 7 is detected on the network. ICMP Type 7 is not defined for use and is not expected network activity. The host sending the undefined ICMP datagram should be investigated for malicious activity.
source address will be the recipient of the ICMP message. A similar situation may occur when a large portscan is occurring and an attempt is made to mask the true source of the scan by tossing in spoofed source addresses.
Signature ID: 12270 ICMP ping from host running ISS Pinger Threat Level: Information Signature Description: ISS Pinger is a network monitoring tool.
Signature ID: 12276 ICMP PING from speedera.net sites Threat Level: Warning Signature Description: After visiting certain speedera.net sites, several pings will be received by the host. These pings are sent so that speedera can find the closest cache to the host. This rule is intended to distinguish the usually benevolent speedera pings from normal, possibly malevolent pings.
Signature ID: 12282 Webtrends Scanner Threat Level: Information Signature Description: Webtrends is a vulnerability scanner. This rule hits when Webtrends Security Scanner generates an ICMP echo request message. A remote attacker can scan a large range of hosts using ICMP echo requests to determine what hosts are operational on the network. This could be a reconnaissance scan against the target network using the Webtrends application.
the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices. ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
10972,10607,11381,11382 Signature Description: A remote integer overflow vulnerability exists in several implementations of SSH protocol version 1.5. The vulnerability is present in the detect_attack() function of the deattack.c file, which is used to detect exploitation of CRC32 weaknesses in the SSH 1 protocol. The attack detection function (detect_attack, located in deattack.
Signature Description: This rule detects any attempt that is made to probe for information on a host running Arkeia Client Backup server. By default, Arkeia Client Backup servers do not require any authentication for informational requests. Arkeia Network Backup Client installs with a default password. The root account has a password of 'root' which is publicly known and documented.
Signature Description: CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. The CVS server component contains a "doublefree" vulnerability that can be triggered by a set of specially crafted directory change requests.
response. The source code of software in the repository may be compromised by a successful attacker who could choose to insert malicious code of his own making. For CVS daemons running under changed root conditions (chroot), the rest of the operating system files may be protected but the entire CVS directory structure and contents are vulnerable.
the affected system. Successful exploitation of this issue will allow a malicious user to execute arbitrary commands on the affected system through /plugins/framework/script/tree.xms on WriteToFile pattern.
Signature Description: Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC 2637) that enables users to create and use virtual private networks (VPNs). Through VPN technologies such as PPTP, users can create tunnels to a remote network, even though the data may transit insecure networks like the Internet.
value that will be appropriately aligned to give us a sufficient amount of bytes to overwrite the stack. This can be exploited to execute arbitrary code by a remote attacker.
Signature ID: 12336 Rsyncd module list access Threat Level: Information Signature Description: Rsync is an open source utility that provides fast incremental file transfer. It has the ability to operate as either a client or server when transferring data over a network. When run with the --daemon option, rsync becomes an rsync server listening on TCP port 873. The rsync server configuration file rsyncd.
Signature ID: 14001 POP2 Service is Running Threat Level: Warning Signature Description: POP2 is an outdated protocol for downloading mail. As it is not being used, there may be many vulnerabilities present in it. In the past, there have been many vulnerabilities reported in POP2. This rule triggers if a connection is established on port 109, indicating that the POP2 service is running.
Signature ID: 14007 POP3 CAPA Command overflow attempt Threat Level: Information Signature Description: This rule hits when an attempt is made to exploit a buffer overflow condition in the Post Office Protocol (POP) using the command CAPA. Possible remote execution of arbitrary code leading to a remote root compromise.
saved instruction pointer and in doing so may potentially influence execution flow of the affected service into attacker-supplied instructions.
Signature ID: 14014 AUTH command buffer overflow vulnerability Threat Level: Information Signature Description: A remotely exploitable buffer-overflow vulnerability affects the POP daemon. The problem lies in the code that handles the 'AUTH' command available to logged-in users.
server and issuing the USER command with malicious format string specifiers. This may result in the corruption of memory.
Signature ID: 14019 USER command buffer overflow vulnerability Threat Level: Critical Industry ID: CVE-1999-0494 Bugtraq: 789 Nessus: 10311 Signature Description: POP stands for Post Office Protocol. This is used to describe how e-mail clients interact with mail servers.
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes, but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.
Signature Description: The Post Office Protocol version 3 [POP3] is a very widely used protocol for email communication. RFC 2449 specifies the command line limit of a POP3 command as 255 octets, including the terminating CRLF. The IPS parses the traffic sent on the port assigned to POP3 and parses and buffers each command line for better detection capability.
Signature ID: 15016 Pragma Systems Telnet Server 2000 rexec port password overflow attempt Threat Level: Information Industry ID: CVE-2000-0708 Bugtraq: 1605 Signature Description: Pragma Systems offers a Windows remote access server called TelnetServer 2000. TelnetServer crashes if more than 1000 NULL characters are sent in the password field to its rexec port, 512.
Signature ID: 15023 Rsh root login attempt by using froot option Threat Level: Information Industry ID: CVE-1999-0113 Bugtraq: 458 Nessus: 10161 Signature Description: This rule detects a remote login attempt by rsh when the -froot option is specified. rsh connects to the specified hostname and executes the specified command. If the command is omitted, rsh logs in on the remote host using rlogin.
Signature ID: 16006 Automountd service portmap request vulnerability Threat Level: Warning Industry ID: CVE-1999-0704 Bugtraq: 614 Nessus: 10212 Signature Description: The automounter daemon (amd) is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent.
Signature ID: 16012 Llockmgr service vulnerability Threat Level: Information Nessus: 10218 Signature Description: The llockmgr is part of the file locking manager system for NFS. It generates local file locking operations in response to requests from client lock managers. The llockmgr service registers with the RPC portmapper as program 100020. This service may become a security threat.
with the RPC portmapper as program 100014. rje mapper is vulnerable to a security threat in the future. Administrators are advised to disable the rje mapper service if it is not needed.
administrators are advised to disable the showfhd service. This signature specifically detects when an attacker sends a request using the UDP service.
Signature ID: 16027 Snmp service vulnerability Threat Level: Information Nessus: 10233 Signature Description: Simple Network Management Protocol is a remote management protocol.
Signature Description: The Sunlink Mapper service is a part of the SunLink X.400 implementation for connecting normal SMTP-MIME mail systems to X.400 networks. The Sunlink Mapper process registers itself with the RPC portmapper as program 100033. Sunlink Mapper is vulnerable to a security threat in the future. This signature generates an event when an attacker tries to identify whether the Sunlink Mapper service is running.
Signature ID: 16038 Ypupdated service vulnerability Threat Level: Warning Industry ID: CVE-1999-0208 Bugtraq: 1749 Nessus: 10243 Signature Description: Ypupdated is a daemon that updates information in the Network Information Service (NIS) databases. It is activated at system startup when the NIS_MASTER_SERVER variable is set to 1 in the /etc/rc.config.d/namesvrs file on the NIS master server.
used on NFS clients to do UID or GID mapping. The ugidd RPC interface contains a vulnerability that forces a system to make user names secretly. A remote attacker maps a given uid or gid to a user or group name. Successful exploitation of this issue will allow an attacker to obtain a complete list of user names on the victim system. The names could then be used for subsequent brute force login attacks.
including password data) services are sometimes running on non-reserved ports. An attacker may probe to identify whether these services are running on non-reserved ports. Services running on non-reserved ports are most likely vulnerable to port hijacking, in which case an attacker can intercept or supply data from or to client programs. This signature specifically detects when an attacker sends a request using the UDP service.
Signature ID: 16059 Solaris automountd vulnerability Threat Level: Information Bugtraq: 235 Signature Description: The automounter daemon (amd) is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent.
Signature ID: 16066 MOUNTD - Linux/Solaris file existence vulnerability Threat Level: Information Industry ID: CVE-1999-1225 Bugtraq: 95 Signature Description: Mounting makes a group of files in a file system structure accessible to a user or user group. Linux and Solaris operating systems allow a remote user to determine the existence of files on the remote server via rpc.mountd.
Signature ID: 16071 Nisd Reserved Vulnerability Threat Level: Information Signature Description: The rpc.nisd daemon is a Remote Procedure Call service that implements the NIS+ service. This daemon must be running on all servers that serve a portion of the NIS+ namespace. rpc.nisd is usually started from a system startup script. The nisd daemon is probably vulnerable to port hijacking and should be moved to a reserved port.
Signature Description: The Cachefsd RPC service is used by Solaris hosts to cache requests for remote file systems mounted by the Network File System (NFS). Cachefsd in Solaris 2.6, 7, and 8 is vulnerable to a stack-based buffer overflow via a long mount argument. This vulnerability is due to insufficient validation of user-supplied data.
all programs that are using it. The remote attacker could remotely unmount a shared resource to deny a resource to the local network or a probe to discover possible routes of entry into a system. This signature detects when an attacker sends a specially-crafted pattern to TCP RPC.
Signature ID: 16088 RPC mountd UDP unmount request Vulnerability Threat Level: Warning Signature Description: Unmount is the reverse operation of mount.
Signature ID: 16093 RPC ypserv maplist request UDP Threat Level: Information Industry ID: CVE-2002-1232 CVE-2000-1043 CVE-2000-1042 Bugtraq: 6016,5914 Signature Description: The ypserv daemon is a component of the Network Information Service (NIS is an RPC-based service designed to allow a number of UNIX-based machines to share a common set of configuration files).
Signature ID: 16097 RPC rpc.xfsmd xfs_export attempt UDP Threat Level: Information Industry ID: CVE-2002-0359 Bugtraq: 5072,5075 Signature Description: The xfsmd service is installed and started by default on all versions of the IRIX operating system starting from version 6.2 to 6.5.16 (after full OS installation). There are multiple vulnerabilities in the xfsmd service.
systems. This vulnerability is due to insufficient validation of user-supplied data on TCP RPC. Successful exploitation of this vulnerability allows an attacker to execute remote code on the vulnerable system.
some holes in RPC services like yppupdated. The keyserv service listens on both TCP and UDP ports. This signature generates an event when an attacker tries to identify whether the keyserv service is running. Administrators are advised to disable the keyserv service if it is not needed. This signature specifically detects when an attacker sends a request using the TCP service.
Signature ID: 16116 Rje mapper service Threat Level: Information Nessus: 10225 Signature Description: The rje_mapper is part of many Remote Job Entry (RJE) implementations. RJE is a system for batch-oriented transfers between a host and downstream devices, such as printers. The rje_mapper service registers with the RPC portmapper as program 100014. rje mapper is vulnerable to a security threat in the future.
operation and read any file within Sunview. The selection service Remote Procedure Call (RPC) program could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to read any file readable by the user. This signature detects when an attacker sends a specially-crafted pattern on TCP RPC.
Signature ID: 16126 Statmon service vulnerability Threat Level: Information Nessus: 10236 Signature Description: Statmon uses statd and lockd to provide the crash and recovery functions for the locking services on NFS. Statmon is vulnerable to a security threat in the future. This signature generates an event when an attacker tries to identify whether the Statmon service is running.
Signature Description: Ypbind finds the server for NIS domains and maintains the NIS binding information. The client (normally the NIS routines in the standard C library) could get the information over RPC from Ypbind or read the binding files. The binding files reside in the directory /var/yp/binding. Ypbind is vulnerable to a security threat in the future.
Signature ID: 16136 Rpc.pcnfsd execution vulnerability Threat Level: Information Signature Description: The Rpc.pcnfsd daemon handles requests from PC-NFS clients for authentication services on remote machines. These services include authentication for mounting and for print spooling. When a PC-NFS client makes a request, the inetd daemon starts the Rpc.pcnfsd daemon. The Rpc.pcnfsd daemon reads the /etc/pcnfsd.
attempts to register a new service on the portmapper/rpcbind by utilizing this technique. In this way the set request appears to come from the local machine and may bypass address checks. This signature detects when an attacker sends a specially-crafted pattern on TCP RPC.
Signature ID: 16204 RPC Automounter Daemon (amd) PID request UDP Threat Level: Information Signature Description: This rule gets hit when a request is made to discover the Process ID (PID) of the Remote Procedure Call (RPC) amd. The amd RPC service implements the automounter daemon on UNIX hosts. The amd service automatically mounts and unmounts requested file systems. An attacker can make a request to amd to discover its PID.
operating systems are vulnerable to a buffer overflow that exists in the rtable_insert() function because of improper bounds checking, allowing the execution of arbitrary commands with the privileges of root. This signature detects when an attacker sends a malicious pattern on RPC-TCP traffic.
Signature ID: 16214 Solaris Snoop GETQUOTA decoding buffer overflow UDP Threat Level: Information Industry ID: CVE-1999-0974 Bugtraq: 864 Signature Description: Solaris Snoop is a network sniffing tool that ships with all Solaris 2.x operating systems. Solaris Snoop monitors all network traffic on the host's physical link by putting the computer's Ethernet interface into promiscuous mode.
systems and to indicate which clients are permitted to mount each file system. The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems. If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 Signature ID: 16225 RPC UDP mount Call request Vulnerability Threat Level: Information Signature Description: Mount is to make a group of files in a file system structure accessible to a user or user group.
vulnerable to stack based buffer overflow due to insufficient validation of user supplied data. Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system. This vulnerability is fixed in SGI IRIX version 6.5.11. Administrators are advised to update to SGI IRIX version 6.5.11 to resolve this vulnerability.
Signature ID: 16233 Portmap Network-Status-Monitor (NSM) request UDP Threat Level: Information Signature Description: NSM runs on client machines and informs other hosts of the status of that machine should a crash or reboot occur. Each remote application using an rpc service can therefore register with the host when services are once again available.
anonymous RPC function calls. Xfsmd for IRIX 6.5 through 6.5.16 are vulnerable. This signature detects when an attacker sends a malicious pattern on RPC-TCP traffic.
Signature ID: 16237 SGI IRIX rpc.xfsmd uses weak RPC authentication UDP Threat Level: Information Industry ID: CVE-2002-0359 Bugtraq: 5072 Signature Description: XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (rpc.
Signature ID: 16241 Sun Solstice Adminsuite Daemon sadmind Buffer Overflow UDP Threat Level: Severe Industry ID: CVE-1999-0977 Bugtraq: 866 Signature Description: The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin.
Signature ID: 16245 Linux rpc.statd Remote Format String Vulnerability Threat Level: Severe Industry ID: CVE-2000-0666 Bugtraq: 1480 Nessus: 10544 Signature Description: The rpc.statd server is an RPC server that implements the Network Status and Monitor RPC protocol. It's a component of the Network File System (NFS) architecture. The rpc.statd program passes user-supplied data to the syslog() function as a format string.
Signature ID: 16249 Rpc.yppasswdd old password overflow attempt TCP Threat Level: Severe Industry ID: CVE-2001-0779 Signature Description: Network Information Service (NIS) provides a simple network lookup service consisting of databases and processes. Its purpose is to provide information, that has to be known throughout the network, to all machines on the network.
Signature ID: 16253 Ypupdated arbitrary command attempt TCP Threat Level: Information Industry ID: CVE-1999-0208 Signature Description: The "rpc.ypupdated" program is a server used to change NIS (Network Information Service) information from a network-based client, using various methods of authentication. When the client communicates to a server, the server checks to see if the connection is authentic using secure RPC.
Signature ID: 16952 Big TCP RPC message Threat Level: Information Signature Description: When using TCP as a transport mechanism, SUN RPC unpacks a single message into smaller fragments. At the other end these fragments are reassembled to form a complete RPC message. IPS will buffer these RPC fragments to get the complete message.
remote host. This attack will ask for the interface.iftable.ifentry.ifdesc. This rule hits when a PDU request for the MIB 1.3.6.1.2.1.2.2.1.2 is seen in an SNMP packet flowing towards the corporate network.
System (CatOS) contain a default configuration that allows a read-only Simple Network Management Protocol (SNMP) community string to expose a read-write community string. The exposure occurs in the View-based Access Control (VACM) MIB, which is a Management Information Base module that allows system administrators to configure access policies for SNMP-managed devices. Cisco VACM for Catalyst Operating Software (CatOS) 5.5 and 6.
internal network without being physically present locally. If the access point is using an 'off-the-shelf' configuration, the data being passed through the access point may be vulnerable to hijacking or sniffing. This SNMP daemon retrieves information that is available to an attacker who has read access to SNMP.
Signature ID: 18018 SNMP MIB-II Address table Threat Level: Information Signature Description: This attack retrieves the table of IP addresses from the SNMP daemon with the community name provided in the configuration file. This attack retrieves information that is available to an attacker who has read access to SNMP.
the router as a text file. Ascend configuration files include the plain text passwords to the router, as well as usernames, passwords, and phone numbers for outgoing connections. The attack works by using SNMP "set" commands to initiate a TFTP transfer of the config file (using the Ascend "sysConfigTftp" MIB extension). SNMP Community strings are equal to the passwords. Ensure that Ascend router community names are not guessable.
Signature ID: 18034 SNMP LANMAN Miscellaneous information Threat Level: Information Signature Description: This is an attack that retrieves miscellaneous information in the LANMAN MIB from the SNMP daemon with the community name provided in the configuration file. This attack retrieves information that is available to an attacker who has read access to SNMP. To attack, the attacker uses "public" as the community name.
Signature ID: 18038 Snmp Get Guessable Community (private) Threat Level: Information Nessus: 10264 Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
Signature ID: 18042 Snmp Get Guessable Community (security) Threat Level: Information Nessus: 10264 Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
Signature ID: 18046 Snmp Get Guessable Community (Beta) Threat Level: Information Nessus: 10264 Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
Signature ID: 18052 Snmp Get Guessable Community (netman) Threat Level: Information Nessus: 10264 Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
Signature ID: 18056 SNMP-Kill-Auth-Trap Threat Level: Information Signature Description: Simple Network Management Protocol is used in network management systems to monitor network-attached devices. Many SNMP agents are configured to send an SNMP trap or notification to a management station when the agent receives SNMP messages that fail authentication tests.
10264,10265 Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
Signature Description: The Simple Network Management Protocol (SNMP) is a widespread protocol allowing network administrators to obtain information on and even configure various network devices remotely. The security options for SNMP include a list of community names.
SNMP include a list of community names. By allowing remote users access to the SNMP Agent with the well known public community name manager, remote attackers may gain very valuable information (depending on which MIBs are installed) about the system and networks they are attacking. Also, if 'writeall' access can be gained, this could be a huge security hole, enabling attackers to wreak complete havoc, route packets, etc.
of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via GetRequest, GetNextRequest, and SetRequest messages.
Signature ID: 18096 SNMP: wrong PDU value Threat Level: Critical Signature Description: An SNMP PDU contains the body of the SNMP message. There are several types of PDUs. Three common PDUs are GetRequest, GetResponse, SetRequest.
Management Protocol (SNMP) is commonly used to monitor and manage network devices. By applying the PROTOS c06-snmpv1 test suite to a variety of popular SNMPv1-enabled products, the OUSPG revealed multiple vulnerabilities in SNMPv1 request handling in the way many SNMP managers decode and process SNMP request messages.
Signature ID: 18106 SNMP communication with no community string Threat Level: Information Industry ID: CVE-1999-0517 Bugtraq: 2112 Nessus: 10264 Signature Description: This rule gets hit when SNMP communications do not contain a community name. An SNMP community string is the authentication process that a host running SNMP uses to grant access.
Signature ID: 20004 Echo port open Threat Level: Information Industry ID: CVE-1999-0103 CVE-1999-0635 Nessus: 10061 Signature Description: The 'echo' service runs on TCP/UDP port 7, and it is not useful nowadays. It can be used along with other ports to perform a denial of service. It is highly recommended to disable this service.
Signature ID: 20016 Check for a Citrix server Threat Level: Information Nessus: 11022 Signature Description: Citrix servers allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host.
backdoor a compromised host. There is the original rootkit, as well as versions specifically for SunOS and Linux. This check attempts to identify a trojan /bin/login program by testing the default 'rootkit' username and password.
Signature ID: 20027 3com hiper telnet denial of service Threat Level: Information Industry ID: CVE-1999-1336 Nessus: 10108 Signature Description: The HiPer access router card set is a complete solution for internet service providers and large corporate networks that require high-performance routing technology. The HiPer Access Router Card is part of the HiPer access system. HiPer Access Router Card (HiperARC 4.0 through 4.2.
Signature ID: 20032 Alcatel ADSL Modem with Firewalling off vulnerability Threat Level: Information Industry ID: CVE-2001-1424 Bugtraq: 2568 Nessus: 10760,10530 Signature Description: Alcatel Speed Touch Wireless is an ADSL modem that enables users to connect PCs, game consoles and other appliances instantly and seamlessly on high-speed Internet access from anywhere in the house without a physical cable.
the targeted system. This vulnerability can also be exploited by directing the user to an attacker-controlled SMB share; the user will then need to select the file in order to activate the exploit. Administrators are advised to install patches provided by Microsoft. Vulnerable platforms are Microsoft Windows 2000 SP4, Microsoft Windows 2000 SP3, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows Me.
Signature ID: 21004 Microsoft Windows Windows Explorer Web View Script Injection Vulnerability Threat Level: Warning Industry ID: CVE-2005-1191 Bugtraq: 13248 Nessus: 18215 Signature Description: Windows Explorer is an application that is part of Microsoft Windows operating system that provides a graphical user interface for accessing the file systems.
formats provided by Windows Explorer for viewing file and folder information. This feature allows users to preview documents in a thumbnail view before opening. In addition, information such as title and author is displayed. The preview pane is implemented via an HTML resource file (in webvw.
Signature ID: 21009 Microsoft Windows NetDDE Long Share Name Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2004-0206 Bugtraq: 11372 Nessus: 15572,15456 Signature Description: Microsoft Network Dynamic Data Exchange (NetDDE) allows two applications to communicate with each other over a network transparently.
attacker could also add a .job file to a local file system or a network share and persuade the victim to view the folder using Windows Explorer or use a program such as Internet Explorer that passes parameters to the vulnerable parameter to exploit this vulnerability.
Signature ID: 21017 Microsoft Windows Shell DUNZIP32.DLL Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2004-0575 Bugtraq: 11382 Signature Description: Microsoft Windows XP and Windows Server 2003 feature the ability to natively handle zip files through the Compressed (zipped) Folders feature. This facility is handled by DUNZIP32.DLL in Windows shell.
Signature Description: Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise.
Signature ID: 21038 Microsoft SMB ADMIN$ Hidden Share Access Threat Level: Severe Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive. The Administrative shares are the default shares created by Windows whose share name contains the drive letter with a "$" at the end (ADMIN$).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting values of 'AutoShareServer' and 'AutoShareWks' to 0.
Signature ID: 21043 Microsoft SMB C$ Hidden Share Access Threat Level: Severe Signature Description: This rule hits on an attempt towards destination port 139. Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive.
Signature ID: 21047 Microsoft Windows RPC DCOM interface buffer overflow Threat Level: Information Industry ID: CVE-2003-0352 Bugtraq: 8205 Nessus: 11808 Signature Description: The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC.
Signature ID: 21052 Samba 'Call_trans2open()' Remote Buffer Overflow Vulnerability Threat Level: Critical Industry ID: CVE-2003-0201 Bugtraq: 7294 Nessus: 11523 Signature Description: Samba is an open source implementation of SMB/CIFS protocol for UNIX flavors. Samba TNG is a forked development branch of Samba which provides file, print, and login services for various Microsoft Windows clients. Samba versions prior to 2.2.
Signature ID: 21057 Internet Security Systems Protocol Analysis Module SMB Parsing Heap Overflow Vulnerability Threat Level: Critical Industry ID: CVE-2004-0193 Bugtraq: 9752 Signature Description: Internet Security Systems Protocol Analysis Module (PAM) component is vulnerable to a heap-based buffer overflow, caused by a vulnerability in the parsing routines of the Server Message Block (SMB) protocol.
attacker might exploit this vulnerability under certain conditions to overwrite memory and execute arbitrary code on the system. This rule hits for the attack pattern towards the destination port 445.
Signature ID: 21064 Access to SMB share from External Network Threat Level: Warning Signature Description: This rule detects any attempt to access SMB share on a Windows/Linux host from an external Network.
Signature ID: 21073 Microsoft SSL v3 DoS or SSL PCT buffer overflow attempt Threat Level: Critical Industry ID: CVE-2004-0120 CVE-2003-0719 Bugtraq: 10115,10116 Nessus: 12209,12209 Signature Description: A vulnerability exists in the Microsoft Secure Sockets Layer (SSL) library. This library is unable to handle specially crafted SSL messages, which causes a denial of service (DoS).
corresponds to an existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum and any key specified will be considered as valid and appended to this registry string by using wsprintfW call. Therefore providing a large string of backslashes can overflow the buffer and can cause a denial of service or execution of attacker supplied arbitrary code. Administrators are advised to install the update mentioned in MS05-047.
Encapsulation Format (TNEF) MIME attachment. An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message or when the Microsoft Exchange Server Information Store processes the specially crafted message.
memory corruption vulnerability which could allow for execution of arbitrary code in the context of the service. The Distributed Transaction Coordinator interface proxy (MSDTCPRX.DLL) functions as an RPC server that handles requests on the interface {906B0CE0-C70B-1067-B317-00DD010662DA} v1.0. MIDL_user_allocate function implemented in MSDTCPRX.DLL allocates a single 4KB page memory regardless of the size requested by user.
using VirtualAlloc function allocation will always succeed and return a pointer to a 4KB block, entirely disregarding the allocation size. This only corrupts parts of memory but execution can be made possible by using another flaw in RPC run-time library RPCRT4.DLL. In RPCRT4.DLL, the NdrAllocate function writes management data to memory after certain RPC calls and memory allocation.
Signature ID: 21097 Possible RFPoison DoS Attempt Threat Level: Severe Industry ID: CVE-1999-0980 Bugtraq: 754 Signature Description: RFPoison DoS is a popular attack against Windows NT systems. A specially crafted packet can cause a denial of service on an NT 4.0 host, rendering local administration and network communication nearly unusable. This attack will crash the "services.
Signature ID: 21105 SMB sa Login Failed Event Threat Level: Information Signature Description: This rule alerts the IPS administrator about the possibility of brute force login attempts to an SMB server. It is observed that many of these attempts include 'sa' as one of the user names.
Signature ID: 21111 MS SQL Server xp_enumresultset Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2000-1082 Bugtraq: 2031 Signature Description: Microsoft SQL Server Desktop Engine (MSDE) suffers from multiple buffer overflow vulnerabilities.
Signature ID: 21116 MS SQL Server xp_proxiedmetadata Buffer Overflow Vulnerability Threat Level: Information Industry ID: CVE-2000-1087 Bugtraq: 2042 Signature Description: The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP).
Signature ID: 21122 MS-SQL/SMB Shellcode Attempt (2) Threat Level: Severe Signature Description: Attackers can include shell code in the traffic to exploit the vulnerabilities in MS-SQL/SMB servers. This rule detects if there is a NOP sequence in the traffic targeted to MS-SQL/SMB servers.
link. Vulnerable platforms are Microsoft Windows XP Professional, Microsoft Windows XP Home, Microsoft Windows XP 64-bit Edition.
excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current web, FTP, and email sessions will be terminated. IIS will automatically restart and normal service will resume.
Signature ID: 21134 MS Excel Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2006-3059 Bugtraq: 18422 Signature Description: Microsoft Excel is vulnerable to a buffer overflow.
Signature ID: 21202 Microsoft PPTP Service Malformed Control packet DOS Threat Level: Information Industry ID: CVE-2002-1214 Bugtraq: 5807 Signature Description: Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC 2637) that enables users to create and use virtual private networks (VPNs).
Signature ID: 21705 Microsoft SMB-DS RPC Locator Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2003-0003 Bugtraq: 6666 Signature Description: A buffer overflow vulnerability in the Microsoft Windows Locator service could allow a remote attacker to execute arbitrary code or cause the Windows Locator service to fail.
Signature ID: 21711 Microsoft Windows(SMB-DS)RAS Manager Registry Corruption Vulnerability Threat Level: Warning Industry ID: CVE-2006-2371 Bugtraq: 18358 Signature Description: The Microsoft Remote Access Connection Manager is a service which enables remote configuration and management of various services on a Windows host.
client, it may be possible for the server to include enough data in the response to trigger a buffer overflow. This overflow could result in the overwriting of stack memory, and the potential execution of attacker supplied instructions.
119, so successful exploitation would typically only yield the privileges of the news user. This rule hits on a buffer overflow attempt to sendsys of NNTP with more than 21 characters.
Signature ID: 22111 NNTP senduuname buffer overflow vulnerability Threat Level: Warning Industry ID: CVE-2004-0045 Bugtraq: 9382 Signature Description: The Internet Software Consortium's (ISC) InterNetNews (INN) is a Usenet application.
command line as “Command lines shall not exceed 512 characters in length, counting all characters including spaces, separators, punctuation, and the trailing CR-LF (thus there are 510 characters maximum allowed for the command and its parameters). There is no provision for continuation command lines.”
Signature ID: 22115 Cassandra NNTPServer v1.
Signature ID: 23001 Microsoft cmd.exe banner Threat Level: Information Nessus: 11633 Signature Description: The Microsoft command shell banner is being displayed to a system outside your internal network, through which the remote attacker has compromised an internal system. This rule gets hit when a Windows cmd.exe banner is detected in a TCP session.
Signature ID: 23006 Integer Overflow in challenge response handling of OpenSSH Threat Level: Information Industry ID: CVE-2002-0639 Bugtraq: 5093 Nessus: 11031 Signature Description: An Integer Overflow vulnerability exists in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3.
Signature ID: 24005 DNS caches answers with binary data check Threat Level: Information Signature Description: Caching binary data in place of host name information is very dangerous as many programs expect the nameserver to return clean, valid printable information. It has been noted that many programs can be exploited by passing invalid data via DNS responses.
BIND versions 8.2.x are vulnerable to buffer overflow while handling Transaction Signatures (TSIG). Transaction Signatures (TSIG) are used to provide transaction-level authentication for DNS exchanges, adding cryptographic signatures to the messages sent to the DNS server. When a BIND server receives a request with a TSIG resource record that contains an invalid secure key, it will bind to error processing code.
Signature ID: 24015 DNS EXPLOIT sparc overflow attempt Threat Level: Information Signature Description: This rule raises an event when spurious DNS traffic is detected on the network. An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
Signature ID: 24021 DNS zone transfer TCP Vulnerability Threat Level: Information Industry ID: CVE-1999-0532 Nessus: 10595 Signature Description: DNS Zone transfers are normally used between DNS Servers to replicate zone information. A malicious user may request a Zone Transfer to gather information before commencing an attack. This can give the user a list of hosts to target.
Signature ID: 24025 DNS UDP inverse query overflow attempt Threat Level: Severe Industry ID: CVE-1999-0009 Bugtraq: 134 Signature Description: A buffer overflow exists in certain versions of BIND, the nameserver daemon maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse query.
Signature ID: 24953 DNS message integrity check for invalid DNS operation Flag Threat Level: Critical Signature Description: Domain Name System (DNS) is a protocol that provides mapping service between domain names and IP addresses.
header). If the OFFSET value points to out-of-boundary data, this could lead to a DoS attack. These are protocol anomalies that should be detected as some DNS handlers could fail to handle such packets, resulting in denial of service conditions.
Signature ID: 24957 DNS integrity check in Resourse Records and RR count.
Signature ID: 25027 WinGate telnet server response vulnerability Threat Level: Information Signature Description: WinGate is an Internet connectivity server and firewall package that allows you to share a single (or multiple) Internet connections with an entire computer network.
Signature ID: 25044 Microsoft Windows IP Source Routing Vulnerability Threat Level: Warning Industry ID: CVE-1999-0909 Bugtraq: 646 Signature Description: Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options.
Signature ID: 25050 PCAnywhere Attempted Administrator Login Threat Level: Information Signature Description: PCAnywhere is a remote control administrative software package from Symantec. This could be an attempt by an external source to compromise administrator account privileges of PCAnywhere.
Signature ID: 27000 BACKDOOR Remote PC Access D4 Threat Level: Information Signature Description: This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated when an attacker uses Nessus to scan for Remote PC Access. Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection.
Signature ID: 28008 180solutions Spyware action url Vulnerability Threat Level: Information Signature Description: Spyware is a program or software that resides on an infected computer and collects various information about the users without their informed consent. 180Solutions is a family of malicious adware programs that can infect a system silently, installing itself in the background.
Signature ID: 28014 Spyware Huntbar to download wintools Vulnerability Threat Level: Information Signature Description: Spyware is a program or software that resides on an infected computer and collects various information about the users without their informed consent. HuntBar is an advertising supported executable program that is installed without user knowledge.
serious vulnerability which should be fixed immediately. It installs hbinst.exe which is considered to be a security risk, not only because spyware removal programs flag HotBar as spyware, but also because a number of users have complained about its performance. Delaying the removal of hbinst.
Signature ID: 28024 MALWARE BetterInternet (randreco.exe) Vulnerability Threat Level: Information Signature Description: The systems are directed to a site that is capable of installing malware on the systems. Malware is software that passes users' activities to external sites. Adware BetterInternet is a Browser Helper Object that displays advertisements and downloads and installs files.
Signature ID: 28029 MALWARE Casino on Net Install Vulnerability Threat Level: Information Signature Description: Malware is software designed to damage a computer system without the owner's knowledge or consent. It includes computer viruses, worms, Trojan horses, and also spyware programming. CasinoOnNet is a piece of malware which functions both as adware and spyware.
downloads software updates). The logon.exe process can silently download and execute arbitrary unsigned code from its controlling FTP server 209.58.80.244.
Signature ID: 28035 Access to MALWARE site PeopleOnPage Vulnerability Threat Level: Warning Signature Description: The systems are directed to a site that is capable of installing malware on the systems.
Signature ID: 28039 Access to likely MALWARE site for installer Vulnerability(1) Threat Level: Information Signature Description: Malware is software designed to damage a computer system without the owner's knowledge or consent. It includes computer viruses, worms, Trojan horses, and also spyware programming. This rule will trigger when the attacker sends a request to the 'carto/mensagem/voxcards.scr' file.
Signature ID: 28044 Access to MALWARE MediaLoads Reporting (register.cgi) Vulnerability Threat Level: Warning Signature Description: The systems are directed to a site that is capable of installing malware on the systems. Malware is software that passes users' activities to external sites. This is actually an application loaded by DownloadWare which shows any videos or pictures DW has downloaded.
entered into forms on search engines. Microsoft Windows 2000, Windows 2003 Server, Windows 95, Windows 98, Windows Me, Windows NT 4.0 and Windows XP are affected by this attack.
Signature ID: 28049 MALWARE Internet Optimizer site Vulnerability(1) Threat Level: Information Signature Description: This rule tries to detect the website which runs the Internet Optimizer malware.
Signature ID: 28060 Access to likely MALWARE site for installer Vulnerability(6) Threat Level: Information Signature Description: Malware is software designed to damage a computer system without the owner's knowledge or consent. It includes computer viruses, worms, Trojan horses, and also spyware programming.
Signature ID: 28065 Activity Related to P2PNetworking Spyware Threat Level: Warning Signature Description: P2PNetworking, also known as PeerEnabler, is an adware application often bundled with packages such as Kazaa as a file-distribution program. If one installs software that uses P2PNetworking for downloads, the software itself may download content for your usage.
Signature ID: 28071 Adware Zango site Vulnerability(4) Threat Level: Information Signature Description: Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Zango is an ad-delivery application.
being used. SurfSideKick is a malicious executable program that is usually installed without user consent or knowledge. It may have the ability to secretly monitor, record, and transmit computer activity. This rule will trigger when the packet contains the pattern 'ipixel.htm?cid='.
being used. Virtumonde is adware that displays pop-up advertisements for rogue antispyware applications. The program runs in the background when the system starts up. It attaches to the system using bogus Browser Helper Objects (BHO) and system executable files like winlogon.exe. This rule will trigger when the packet contains the pattern 'mmdom.exe' (an executable file).
cursors, each with a unique ID. It changes your mouse pointer when hovering over partner sites. It is classed as adware that pops up ads. It monitors browser usage and accordingly delivers targeted advertisements. Basically, the installed spyware downloads many .exe files from CometSystems for updates without the user's knowledge. This signature generates a log when the attack packet contains the cometsystems domain name.
Signature ID: 28093 Access to adware WinAd site Vulnerability Threat Level: Warning Signature Description: WinAD is an adware program (advertising oriented spyware) for Microsoft Windows operating systems. It is an adware trojan that hijacks victim browsers and forces them to display popup ads based on keywords in the sites they are visiting. It monitors browser usage and accordingly delivers targeted advertisements.
Signature ID: 28099 Activity Related to Spyware Site pool.Westpop.com Vulnerability(1) Threat Level: Warning Signature Description: The systems are directed to a site that is capable of installing malware on the systems. Malware is software that passes users' activities to external sites. This signature triggers when the client tries to access the Westpop.com site, which is known to install malware.
Signature ID: 28105 Spyaxe malware activity detection Threat Level: Warning Signature Description: Spyaxe is an anti-spyware application sometimes installed without a user's knowledge or consent. Once Spyaxe is installed, the systems are directed to the Spyaxe site, which is capable of installing malware on the systems. The software may raise false alarms about infections, even prior to conducting a scan.
to this site that is capable of installing malware on the systems. Malware is software that passes users' activities to external sites. Spywarestormer hijacks the user's desktop and advertises excessively.
Signature ID: 28110 Activity Related to Spyware Site spywarestormer.com or Errorguard Vulnerability Threat Level: Warning Signature Description: Spywarestormer is a Trojan disguised as an anti-spyware application.
Signature ID: 29001 Virus Generic Downloader - Inbound Threat Level: Information Signature Description: Standalone program that attempts to covertly download and run other files from remote web and FTP sites. Usually trojan downloaders download different trojans and backdoors and activate them on an affected system without the user's approval.
Signature ID: 29006 BugBear@MM Threat Level: Information Signature Description: Bugbear@MM is a mass-mailing worm, and it usually spreads through network shares. It has keystroke-logging and backdoor capabilities, and also attempts to terminate the processes of various antivirus and firewall programs.
Signature ID: 29013 Worm Sober.K (SMTP Inbound) Threat Level: Information Signature Description: Sober.K sends itself as an attachment in e-mail messages with English or German texts. When the worm's file is started it opens NOTEPAD with some junk characters in it. When the worm's file is run, it copies itself under 3 different names (csrss.exe, smss.exe, winlogon.exe) to %WinDir%\msagent\win32\.
download and execute files from these domains. The exact URL gets generated based on the current date and is likely to change during the next days and weeks, but the host address/domain will remain. This worm spreads via e-mail; it uses its own SMTP engine to send itself to email addresses found on infected systems, spoofing the From address. This signature detects SMTP outbound worm traffic.
Signature ID: 29020 Worm Sober.
Signature ID: 29024 Trojan Bancos Vulnerability Threat Level: Warning Signature Description: Trojan Bancos is a password-stealing Trojan which also downloads code. It is targeted at users of various Brazilian online banks. The Trojan attempts to steal confidential login information from users on the infected computer and emails the logs back to the author.
Upon execution it displays a fake error message saying "Error in packed file", drops some files in the SYSTEM folder and creates registry entries to become active at startup. This signature detects when the packet has the pattern 'WINAMP 5.7 NEW!.EXE'ICQ 2005A EW!.EXE'
Signature ID: 29031 Worm Zafi.
Signature ID: 29037 Bofra Worm Threat Level: Information Industry ID: CVE-2004-1050 Bugtraq: 11515 Signature Description: Bofra worm exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags (MS04-040). This worm spreads via the Internet in the form of infected emails without an attachment.
process is loaded it will inject the created dll into explorer.exe as a thread and as a module. Finally it creates the registry entry so that it becomes active at each startup. This signature triggers for inbound malformed packets.
Signature ID: 29050 Hotword Trojan Possible FTP File Request pspv.exe Threat Level: Information Signature Description: This rule hits when the packet contains "SIZE pspv.exe". Trojan Hotword is a keylogger that logs keystrokes entered into Internet Explorer and saves the information for later retrieval or sends notification and the information to the author using SMTP mail or other methods over the Internet. Trojan.
Signature ID: 29056 Worm Bagle.AI Threat Level: Information Signature Description: Beagle.AI is a mass-mailing worm that uses its own SMTP engine to spread through email and opens a backdoor on TCP port 1080. The subject line, body, and attachment name of the email vary. The attachment will have a .com, .cpl, .exe, .scr, or .zip file extension. Upon execution it drops copies of itself as winxp.
Signature ID: 29061 Worm Bagle.BJ Threat Level: Information Signature Description: Worm Bagle.BJ is a mass mailer containing its own SMTP engine. Upon execution it creates copies of itself in the SYSTEM folder and modifies the registry to launch itself at Windows startup. It terminates numerous processes, many of which are related to security and anti-virus software. It also copies itself to the shared folders of several file sharing applications.
Signature ID: 29070 Worm Bagle.I Vulnerability Threat Level: Information Signature Description: Bagle.I is a worm that spreads via e-mail, and through file sharing. The worm spreads attached to an e-mail in a password-protected zip archive, with the password displayed in the body of the e-mail message. It arrives as a dropper, which installs itself (%System%\i11r54n4.exe) and two DLLs, %System%\go154o.
SYSTEM folders, modifies the registry to launch itself at Windows startup, and may create Internet traffic on port 80. It also modifies the HOSTS file to prevent access to several security related sites, attempts to kill numerous processes and services and attempts to rename several files, many of which are security related.
Signature ID: 29077 Worm Bagle.BQ Threat Level: Information Signature Description: Worm Bagle.
Signature ID: 29083 Worm Bagle.BB Threat Level: Information Signature Description: Worm Bagle.BB is a worm that spreads via e-mail. Rather than putting itself in e-mail attachments, it uses a separate downloader component (called Win32.Glieder.Q.), which attempts to download and run files from several hard-coded URLs. If the Bagle.BB program is placed in one of these URLs, it can spread as a two-stage e-mail worm. Bagle.
Signature ID: 29091 Worm Bagle.ES/Bagle.ET Threat Level: Information Signature Description: Worm Bagle.ES/Bagle.ET comes through spammed e-mails as a zip file attachment. When the file is run, it copies itself as ANTI_TROJ.EXE file to Windows System folder and creates a startup key for this file in the Registry.
Signature ID: 29097 VBS.Postcard Threat Level: Information Signature Description: This virus is a polymorphic Visual Basic Script (VBS), which is stored in HTML files or as a separate VBS file. It is both an email worm and a Trojan horse. When executed, the worm emails itself to everyone in the Microsoft Outlook address book. It then infects files in the \Windows, \Windows\System, and \Temp folders that have .html, .htm, .shtml, or .
Signature ID: 29103 Bropia Worm Threat Level: Information Signature Description: Bropia is an instant messenger worm that spreads using Microsoft's MSN Messenger. This worm also drops a variant of Spybot Worm in the infected system. When executed, Bropia worm copies to Windows System folder using different file names. The file name will be winhost.exe, lexplore.exe, or updates.exe.
Signature ID: 29108 Worm Korgo.P Threat Level: Information Signature Description: Worm Korgo.P is a network worm that uses the LSASS exploit to propagate (MS04-011). Korgo.P copies itself to the Windows system folder with a randomly-generated filename between 5 and 8 characters long and creates/modifies a registry entry so as to run itself on system startup.
Signature ID: 29117 Worm MyDoom.AH Threat Level: Information Industry ID: CVE-2004-1050 Bugtraq: 11515 Signature Description: Mydoom.AH makes use of the IFRAME HTML tags buffer overflow vulnerability to infect systems. An e-mail comes to the user with a hyperlink to a malicious website running a web server which is vulnerable to IFRAME buffer overflow. Clicking on the link accesses a web server running on the compromised system.
Signature ID: 29127 Worm MyDoom/MIMAIL.R Threat Level: Information Signature Description: MyDoom/MIMAIL.R is a worm which spreads by email. It copies itself into the system32 folder and adds a registry key to become active at startup. Like the other Mydoom worms, it scans the filesystem and mounted shares for email addresses. This worm attempts to steal the user's credit card information by displaying a fake Microsoft licensing window.
Signature ID: 29133 Worm MyFip Threat Level: Warning Signature Description: A Worm is a malicious program that spreads itself without any user intervention. Worms are self-replicating. Worms spread without attaching to or infecting other programs and files. A Worm can spread across computer networks via security holes on vulnerable machines connected to the network.
Signature ID: 29139 Worm MyFip Threat Level: Warning Signature Description: A Worm is a malicious program that spreads itself without any user intervention. Worms are self-replicating. Worms spread without attaching to or infecting other programs and files. A Worm can spread across computer networks via security holes on vulnerable machines connected to the network.
Signature ID: 29149 Worm MyTob.DI Threat Level: Information Signature Description: Worm MyTob.DI is a mass-mailing worm and IRC backdoor Trojan for the Windows platform. It runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels and also includes functionality to silently download, install and run new software. Mytob.
connects to an Internet Relay Chat (IRC) channel, where it waits for commands from the remote user. Furthermore, this worm modifies the HOSTS file, which prevents the user from accessing certain Web sites. Most of these sites are related to antivirus and security applications. This worm terminates processes, most of which are related to antivirus programs, security applications, and other malware programs.
Signature ID: 29160 Worm Netsky.P Threat Level: Information Industry ID: CVE-2001-0154 Bugtraq: 2524 Signature Description: Worm NetSky.P is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.
finds. The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .zip extension. This signature triggers for outbound malformed packets.
Signature ID: 29165 Worm NetSky.P Threat Level: Information Industry ID: CVE-2001-0154 Bugtraq: 2524 Signature Description: Worm NetSky.
Signature ID: 29169 Worm Novarg.A Threat Level: Information Signature Description: W32.Novarg.A is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.
Signature ID: 29174 Rbot Trojan Threat Level: Information Signature Description: Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware.
Signature ID: 29178 Worm Sasser Threat Level: Information Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209 Signature Description: W32/Sasser worm is a self-executing network worm, which travels from infected machines via the internet, exploiting a Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to download and execute the viral code. It does not spread via email.
opens a backdoor on TCP port 8, attempts to connect to a predetermined IRC server and wait for commands from an attacker. It can make use of the Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities (MS04-007) and the Microsoft Windows LSASS Buffer Overrun Vulnerabilities (MS04-011) to spread to unpatched computers.
related and filesharing software as well as destroying files of certain types. When executed, it copies itself to the files rundll16.exe, scanregw.exe, Update.exe, and Winzip.exe.
Signature ID: 29190 Akak Trojan Threat Level: Warning Industry ID: CVE-2005-0053 Bugtraq: 11466 Signature Description: Akak Trojan utilizes the IE Drag-n-drop vulnerability.
26,112 bytes. Upon execution, it copies itself to the system directory and creates some registry entries. Dumador.IK will attempt to send keystrokes and other sensitive information back to the virus author. This backdoor will specifically target the Windows clipboard, and the protected storage area of the registry, which contains auto-complete data for IE. Also, Dumador.
opens random ports where it listens for incoming commands from a remote malicious user. It also attempts to steal certain information, which it sends to a remote malicious user via email. It creates registry keys to register itself as a service and to allow itself to execute even when an affected system is running in safe mode.
Signature ID: 29208 Trojan Sicklebot Threat Level: Warning Signature Description: Machines infected by SickleBot will attempt to connect to a web server controlled by the attacker in order to receive commands to perform the desired action. The infected machine, along with other infected computers connected to the web server form a botnet, which attackers use to perform DDoS attacks on desired servers.
Signature ID: 29213 Trojan W32Agent.dsi Vulnerability Threat Level: Warning Signature Description: Trojan W32.Agent.dsi is a downloader trojan horse. This may be installed when visiting malicious websites posing as a plug-in for Internet Explorer to enhance its features. Upon execution it registers itself at an Apache webserver and downloads data from this server.
Signature ID: 29218 Worm MyTob.X Threat Level: Warning Signature Description: Win32.Mytob.X is a worm that spreads via e-mail, poorly protected network shares, and MSN Messenger. The worm also acts as an IRC bot, allowing a controller unauthorized access to the infected machine, and further spreading by exploiting vulnerabilities in the Windows operating system.
Signature ID: 29219 Worm Sober.
Signature ID: 29223 Worm MyTob.AH Threat Level: Information Signature Description: Mytob.AH is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer.
will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm. This worm also attempts to download updates from a website that is already shut down.
Signature ID: 29228 Virus Virut.
Signature Description: Microsoft Internet Explorer is reported susceptible to a filename extension spoofing vulnerability when utilizing the 'Save Image As' feature. Reportedly, this vulnerability is only possible when Internet Explorer is configured with 'Hide extension for known file types' enabled. This is the default configuration.
Signature ID: 30011 Novell Netmail IMAP Verb Literal Heap Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2006-6424 Bugtraq: 21725 Signature Description: Novell NetMail is an ISP-grade E-Mail package by Novell, Inc. Novell NetMail 3.52 and earlier are vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the IMAP service imapd.
Signature Description: Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. SQL Server 2000 and MSDE 2000 have the ability to install multiple copies (instances) of SQL Server on a single machine and have it appear that these instances are completely separate database servers.
Signature ID: 30019 CommuniGate Pro LDAP Server Negative Length BER Field Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-2006-0468 Bugtraq: 16407 Signature Description: CommuniGate Pro is a communication server which includes an LDAP module. The LDAP server listens on TCP port 389 by default. CommuniGate Pro Server 5.0.
Signature ID: 30023 Microsoft Multimedia Controls ActiveX control (daxctle.ocx) memory corruption vulnerability(4) Threat Level: Severe Industry ID: CVE-2006-4446 Bugtraq: 19738 Signature Description: Microsoft's DirectAnimation is a suite of development functionality, predating Microsoft DirectX, that provides animation support for web applications and other software. It includes a number of COM objects.
specially-crafted Web page that supplies a long string as the first argument to the SetCifFile method. The successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on the victim's system using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. The user can set the killbit for the clsid corresponding to the progid ASControls.
Signature ID: 30032 Microsoft Windows mhtml: URI Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2006-2766 Bugtraq: 18198 Nessus: 22185 Signature Description: This vulnerability is caused by a boundary error in inetcomm.dll when processing URLs with the mhtml: URI handler.
Signature ID: 30040 Microsoft Windows Media Player Plug-in Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-0005 Bugtraq: 16644 Signature Description: The Microsoft Windows Media Player plug-in for non-Microsoft browsers is prone to a buffer-overflow vulnerability. The application fails to do proper boundary checks on user-supplied data before using it in a finite-sized buffer.
avatar can be used as an exploitation vector. Successful exploits may allow attackers to crash the application, denying further service to users.
Signature ID: 30050 MySQL Login Packet Information Disclosure Vulnerability Threat Level: Warning Industry ID: CVE-2006-1516 CVE-2006-1517 Bugtraq: 17780 Signature Description: MySQL is a freely distributed relational database server often used as a back-end for several applications. MySQL versions 4.1 through 4.1.18 and 5.0 through 5.0.
CCM default installation directory. A remote attacker can reboot the system by executing the command radbootw.exe which is present in that directory or a file can be generated by using radexecd.exe (present in same directory) which later can be executed in similar way. The attacker can execute commands within the security context of the Radia Notify Daemon, which is System by default.
Signature ID: 30057 Novell eDirectory MS-Dos Device Name Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-2005-1729 Signature Description: Novell eDirectory is a software package that uses a Lightweight Directory Access Protocol (LDAP) directory service for integrating enterprise and eBusiness programs. Novell eDirectory version 8.7.
Signature ID: 30061 Oracle Database Server SYS.DBMS_EXPORT_EXTENSION SQL Injection Vulnerability Threat Level: Warning Industry ID: CVE-2006-2081 CVE-2006-2505 CVE-2006-1887 Bugtraq: 17590,17699 Signature Description: Oracle Database Server is a commercial relational database application suite. A vulnerability exists in Oracle PL/SQL Export Extensions that allows an attacker to gain privileges to modify database information.
Signature ID: 30064 Oracle Application Server Forms Command Execution Vulnerability Threat Level: Warning Industry ID: CVE-2005-2372 Bugtraq: 14319 Signature Description: Oracle Forms Services is a framework based upon application server technology that has been optimized to deploy Oracle Forms applications in a multi-tiered environment. Oracle Forms Service versions 4.5, 5.0, 6.
any user on the application server. An attacker can upload a report executable via WebDav. The attacker could then send a specially-crafted report parameter to cause the server to execute the malicious file on the targeted user's system. The file will be executed with Oracle user privileges on a Unix operating system and with SYSTEM privileges on a Windows-based system.
Signature Description: The Oracle HTTP server (OHS) is a web server that listens to remote user HTTP requests, and interacts with a back end Oracle database. By default this HTTP server is installed with Oracle Application Server. Oracle9iAS Application Server versions 1.0.2 to 10.x could allow a remote attacker to access restricted URLs caused by a vulnerability when using the Web Cache.
to process DNS response packets. This component is vulnerable to a stack overflow while processing the CNAME field of a DNS response packet. By supplying an excessively long canonical name in the CNAME field of a resource record, remote attackers could trigger a stack-based buffer overflow. Successful exploitation would enable attackers to execute arbitrary code on an affected system with kernel level privileges.
can exploit this vulnerability by sending a specially crafted ClientHello message that contains a long list of cipher codes to the target server. Successful exploitation would allow for executing arbitrary code with the privileges of the application using the OpenSSL library. Upgrade to the latest version of OpenSSL (0.9.7l or 0.9.8d or later). Also, most of the vendors that use vulnerable OpenSSL have released patches.
Signature ID: 30085 OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-3738 CVE-2007-5135 Bugtraq: 20249 Signature Description: OpenSSL is an open source implementation of the SSL protocol. A remotely exploitable buffer overflow vulnerability exists in OpenSSL versions 0.9.7-0.9.8.
of the vendors that use vulnerable OpenSSL have released patches. This rule hits when the attack pattern is directed towards an SMTP server. Signature ID: 30089 OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-3738 CVE-2007-5135 Bugtraq: 20249 Signature Description: OpenSSL is an open source implementation of the SSL protocol.
triggers the overflow. Attackers can exploit this buffer overflow to cause a denial of service, or execute arbitrary code on the vulnerable machine with the privileges of the victim.
commands with the privileges of the user. An attacker may also be able to perform other file system activities, such as copying or deleting files. Signature ID: 30099 Audio File Transfer by Chunked Transfer Encoding and gzip Content Encoding Threat Level: Warning Signature Description: Chunked Transfer Encoding is one way in which an HTTP server may transmit data to a client application.
isaNVWRequest.dll ISAPI application, which is part of the Web management interface. By sending an overly long HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the Web server process. Trend Micro has acknowledged this vulnerability but has not released patches since the issue appears to exist in the Microsoft MFC ISAPI libraries.
character at the end. The vendor has issued a fix in version 3.1.18. This signature triggers when a pattern like "\x2e\x2e" appears. Signature ID: 30171 Barracuda Spam Firewall IMG.
updates for this vulnerability. Restrict access to the port on which this service is running (default 8180/tcp) to trusted clients. Signature ID: 30176 HP OpenView Network Node Manager Shell Metacharacter Remote Command Execution Vulnerability Threat Level: Severe Industry ID: CVE-2005-2773 Bugtraq: 14662 Signature Description: Network Node Manager (NNM) is a Hewlett Packard OpenView product which manages networks.
Signature ID: 30181 PHP-Nuke Search Module Query Parameter SQL Injection Vulnerability Threat Level: Severe Industry ID: CVE-2005-3792 Bugtraq: 15421 Signature Description: PHP-Nuke is an automated news system designed to be used on intranets and the Internet. The goal of PHP-Nuke is to have an automated web site to distribute news and articles to users. The PHP-Nuke versions 7.5 through 7.8 and PHPNuke EV version 7.
Signature Description: Mercantec's SoftCart is a Web-based shopping cart system for Microsoft Windows. SoftCart version 4.00b is vulnerable to a buffer overflow in the SoftCart.exe CGI. By sending a specially-crafted HTTP GET request containing a malformed CGI parameter to SoftCart, a remote attacker could overflow a buffer and execute arbitrary code on the system. Upgrade to a newer version of the product.
the VNC protocol to control another computer's screen remotely. Ultr@VNC client version 1.0.1 is vulnerable to a buffer overflow, caused by improper bounds checking of the Log::ReallyPrint() function when logging replies received from a VNC server. During the login process, if the client sends invalid credentials, the server replies with a reason string indicating the reason for failure.
multi-server environments from one common interface. Report Manager versions prior to 3.5 Update 4 are vulnerable to a heap-based overflow. The specific flaw exists both within the scheduler client (clsscheduler.exe) listening on TCP port 7978 and the scheduler server (srvscheduler.exe) listening on TCP port 7977.
Messenger, IRC, Novell GroupWise Messenger, Bonjour, Jabber, and Skype networks. The AOL Instant Messenger (AIM) protocol handler in Cerulean Studios Trillian version 3.1.6.0 and prior is vulnerable to a buffer overflow while handling aim:// URIs. The vulnerability is due to improper handling of a long aim:// URI in aim.dll.
Motorola. Timbuktu Pro version 8.6.3.1367 and possibly prior versions are vulnerable to a directory traversal via malicious 'Send' requests. When handling 'Send' requests, Timbuktu does not properly check for directory traversal specifiers such as ../ thus allowing a remote attacker to write files outside the intended location.
in the G/PGP Encryption Plug-in for SquirrelMail webmail version 2.1 and prior. The vulnerability specifically exists within the function gpg_recv_key() defined in gpg_key_functions.php. A remote authenticated attacker could exploit this vulnerability using the 'keyserver' parameter submitted to gpg_options.php.
Signature Description: The Mozilla Firefox web browser, Thunderbird email client, and SeaMonkey internet suite are vulnerable to script execution when an add-on uses the 'about:blank' page. Add-ons are small pieces of software that can add new features for these products.
Signature ID: 30324 VMWare WorkStation Vielib.DLL ActiveX Control StartProcess Method Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-4058 Bugtraq: 25118 Signature Description: VMware Workstation software consists of a virtual-machine suite for x86 and x86-64 computers. VMware Workstation version 6.0 installs VIELIB.DLL ActiveX Control which is vulnerable to code execution via StartProcess method.
Signature ID: 30328 VMWare WorkStation Vielib.DLL ActiveX Control CreateProcess Method Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-4155 Bugtraq: 25131 Signature Description: VMware Workstation software consists of a virtual-machine suite for x86 and x86-64 computers. VMware Workstation version 6.0 installs VIELIB.DLL ActiveX Control which is vulnerable to code execution via CreateProcess method.
Signature ID: 30332 Hewlett-Packard OpenView Operations OVTrace Service Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-3872 Bugtraq: 25255 Signature Description: HP OpenView Operations software is a suite of network management tools used to monitor events on, and evaluate the performance of, hosts on the network.
system with the privileges of the victim or cause a denial of service. Symantec has addressed this issue in SYM07-021 and a patch is available through LiveUpdate. Signature ID: 30336 Symantec Norton Products NAVCOMUI.DLL ActiveX Control Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-2955 Bugtraq: 24983 Signature Description: The NAVCOMUI.
Signature ID: 30339 Symantec Norton Products NAVCOMUI.DLL ActiveX Control Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-2955 Bugtraq: 24983 Signature Description: The NAVCOMUI.DLL library, installed by several Symantec Norton products, exports two ActiveX controls that are vulnerable to code execution. The issue is due to the ActiveX Controls AxSysListView32 and AxSysListView32OAA in NavComUI.
ActiveX control provided by DXTLIPI.DLL that is produced by Live Picture Corporation. The DXSurface.LivePicture.FLashPix.1(DXTLIPI.DLL) ActiveX control contains a buffer overflow vulnerability in the SourceUrl() property.
Signature ID: 30346 HP-UX ldcconn Daemon Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2007-4241 Bugtraq: 25227 Signature Description: Cisco LocalDirector is a server load balancing appliance. Systems running HP-UX have the HP Controller for Cisco Local Director service, also known as 'ldcconn', which can be used to interface with this appliance. By default ldcconn listens on TCP port 17781. HP-UX 11.
programmers. The TypeLibInfoFromFile() function will accept a DLL file as argument and allows retrieval of information from the DLL. A remote attacker may supply a malicious DLL filename via a WebDAV/SMB share path. The attacker-supplied DLL has a malicious DLLGetDocumentation function which gets executed when a request for the HelpString property is made.
Signature ID: 30353 Microsoft Visual Basic 6 TBLinf32.DLL ActiveX Control Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-2216 Bugtraq: 25289 Signature Description: The Microsoft Visual Basic 6 TypeLib Information Library (TLI) ActiveX control is prone to a remote code-execution vulnerability. The TypeLib Information object library, implemented in TlbInf32.
programmers. The TypeLibInfoFromFile() function will accept a DLL file as argument and allows retrieval of information from the DLL. A remote attacker may supply a malicious DLL filename via a WebDAV/SMB share path. The attacker-supplied DLL has a malicious DLLGetDocumentation function which gets executed when a request for the HelpString property is made.
Signature ID: 30360 MS Visual Basic 6 pdwizard.ocx ActiveX Control Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-3041 Bugtraq: 25295 Signature Description: Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption vulnerability that occurs when Internet Explorer attempts to instantiate the pdwizard.
stack-based buffer overflow, caused by improper bounds checking by the Mercury/32 SMTP Server Module (mercurys.dll). By sending a specially-crafted AUTH CRAM-MD5 command with an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges.
Signature ID: 30370 ECentrex VOIP Client UACOMX.OCX ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4489 Bugtraq: 25383 Signature Description: ECentrex is a popular developer of Voice-over-IP (VoIP) solutions. The eCentrex VOIP Client ActiveX control (uacomx.ocx) version 2.0.1 is vulnerable to a stack-based buffer overflow. This ActiveX Control is included in several VoIP products.
Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30379 Oracle JInitiator beans.ocx ActiveX control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4467 Bugtraq: 25473 Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30388 Oracle JInitiator beans.ocx ActiveX control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4467 Bugtraq: 25473 Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30397 Oracle JInitiator beans.ocx ActiveX control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4467 Bugtraq: 25473 Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30406 Oracle JInitiator beans.ocx ActiveX control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4467 Bugtraq: 25473 Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30415 Oracle JInitiator beans.ocx ActiveX control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4467 Bugtraq: 25473 Signature Description: Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. The Oracle JInitiator ActiveX control beans.ocx is vulnerable to multiple stack buffer overflows in initialization parameters.
Signature ID: 30419 Yahoo Messenger YVerInfo.dll ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-4515 Bugtraq: 25494 Signature Description: Yahoo! Messenger is an instant messaging application that allows users to chat online and share files. The Yahoo! Messenger ActiveX control (YVerInfo.dll version 2006.8.24.
buffer and execute arbitrary code on the system with the privileges of the user or cause the victim's browser to crash. No remedy is available as of September 2007. Users are advised to set the killbit for the vulnerable ActiveX control's CLSID A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8. This signature detects attacks using CLSID in UTF encoding.
Signature ID: 30426 ACTi Network Video Recorder nvUtility ActiveX Control SaveXMLFile/DeleteXMLFile Method File Modification Vulnerability Threat Level: Severe Industry ID: CVE-2007-4583 Bugtraq: 25465 Signature Description: ACTi NVR system records video and audio and data information. The NVR nvUtility.Utility.1 ActiveX control (nvUtility.dll 1.0.14.0) in ACTi Network Video Recorder (NVR) SP2 2.
Signature ID: 30430 Microsoft Visual FoxPro FPOLE.OCX ActiveX Control FoxDoCmd Method Multiple Vulnerabilities Threat Level: Severe Industry ID: CVE-2007-4790 CVE-2007-5322 Bugtraq: 25571,25977 Signature Description: Microsoft Visual FoxPro is Microsoft's integrated development environment for the FoxPro programming language. Microsoft Visual FoxPro version 6.0 installs an ActiveX Control FPOLE.
Online Edition ActiveX control version 9 and prior could allow a remote attacker to overwrite or download arbitrary files on the system, caused by a vulnerability in httpGETToFile() and httpPOSTFromFile() functions. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to overwrite, corrupt, and download arbitrary files on the system.
affect the functionality of the application. Upgrade to the latest version of the software available from the vendor's website. This signature detects traffic using CLSID '2CC3D8DE-18BF-43ff-8CB8-21B442300FD5'.
Signature ID: 30440 Intuit QuickBooks Online Edition ActiveX Control httpGETToFile/httpPOSTFromFile Method Access Threat Level: Severe Industry ID: CVE-2007-4471 CVE-2007-0322 Bugtraq: 25544 Signature Description: Intuit QuickBooks Online Edition is a version of Intuit's popular QuickBooks bookkeeping application implemented as an ActiveX control that can be run within Microsoft Internet Explorer.
Signature Description: Intuit QuickBooks Online Edition is a version of Intuit's popular QuickBooks bookkeeping application implemented as an ActiveX control that can be run within Microsoft Internet Explorer. The QuickBooks Online Edition ActiveX control version 9 and prior contain multiple vulnerabilities that allow execution of arbitrary code or modification of files.
disable the ActiveX Control clsid 2CC3D8DE-18BF-43ff-8CB8-21B442300FD5 but it will affect the functionality of the application. Upgrade to the latest version of the software available from the vendor's website.
application implemented as an ActiveX control that can be run within Microsoft Internet Explorer. The QuickBooks Online Edition ActiveX control version 9 and prior contain multiple vulnerabilities that allow execution of arbitrary code or modification of files.
Signature ID: 30454 Microsoft XML Core Service XMLHTTP ActiveX Control Access Using Unicode Threat Level: Severe Industry ID: CVE-2006-5745 Bugtraq: 20915 Signature Description: Microsoft XML Core Services (MSXML) allow developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications.
workaround set the kill-bit for the affected ActiveX control DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2. Vendor hasn't supplied any patches as of November 2007. Signature ID: 30458 Altnet Download Manager ADM4 ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-5217 Bugtraq: 25903 Signature Description: The Altnet Download Manager is a software application that speeds up file downloads.
string to the Install() method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user or cause the victim's browser to crash. This rule triggers when the ActiveX Control is accessed using Unicode. As a workaround, set the kill-bit for the affected ActiveX control DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2. Vendor hasn't supplied any patches as of November 2007.
Signature ID: 30465 SonicWALL NetExtender NELaunchCtrl ActiveX AddRouteEntry Method Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-5603 Bugtraq: 26288 Signature Description: SonicWall NetExtender is an SSL VPN client that is implemented by using an ActiveX control. The NELaunchCtrl ActiveX control 2.5 before 2.5.0.56 (SSL-VPN 2000 and SSL-VPN 4000) and prior to 2.1.0.
marketed by CodeGear, a wholly-owned subsidiary of Borland Software Corporation. Firebird is a relational database that runs on Linux, Windows, and a variety of Unix platforms. Borland InterBase LI 8.0.0.53 through 8.1.0.253 on Linux and Firebird Versions 2.0.0.12748, 2.0.1.12855 on Linux and Windows are vulnerable to a stack-based overflow caused by improper bounds checking in multiple functions.
Signature ID: 31385 Malware Web Sony DRM Reporting 1 Threat Level: Severe Signature Description: The Sony messaging system works as follows: whenever a user plays an affected XCP CD, and whenever a user browses within certain sections of the player, it sends a message to Sony's connected.sonymusic.com server. A "uId" parameter marks the CD being played and the specific section of the player in use.
Signature ID: 31550 TROJAN Possible Bobax trojan infection Threat Level: Warning Signature Description: Bobax is a new trojan proxy that uses the MS04-011 (LSASS.EXE) vulnerability to propagate. When instructed to do so it scans random IP addresses for vulnerable computers. This event indicates trojan horse activity. An internal machine may be infected by the trojan.
Signature ID: 32264 Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution vulnerability Threat Level: Warning Industry ID: CVE-2007-4891 Bugtraq: 25638 Signature Description: Visual Studio Tools for the Azure Services Framework, The Microsoft Visual Studio PDWizard ActiveX control PDWizard.
Signature ID: 32267 Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution vulnerability Threat Level: Warning Industry ID: CVE-2007-4891 Bugtraq: 25638 Signature Description: Visual Studio Tools for the Azure Services Framework, The Microsoft Visual Studio PDWizard ActiveX control PDWizard.
Signature ID: 32270 Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution vulnerability Threat Level: Warning Industry ID: CVE-2007-4891 Bugtraq: 25638 Signature Description: Visual Studio Tools for the Azure Services Framework, The Microsoft Visual Studio PDWizard ActiveX control PDWizard.
Signature ID: 32273 Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution vulnerability Threat Level: Warning Industry ID: CVE-2007-4891 Bugtraq: 25638 Signature Description: Visual Studio Tools for the Azure Services Framework, The Microsoft Visual Studio PDWizard ActiveX control PDWizard.
URL for a PDF file that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's Firefox browser. The code will originate from the target site hosting the PDF file and will run in the security context of that site.
Signature ID: 32601 HTTP MS IE COM ActiveX Object Memory Corruption Blnmgrps-2 Threat Level: Severe Industry ID: CVE-2007-0219 Bugtraq: 22504 Signature Description: Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability when Internet Explorer attempts to instantiate certain COM objects as ActiveX Controls (Msb1fren.dll, Htmlmm.ocx, and Blnmgrps.dll).
Signature ID: 32606 HTTP McAfee SecurityCenter Subscription Manager Buffer Overflow Threat Level: Severe Industry ID: CVE-2007-2584 Bugtraq: 23888,23909 Signature Description: The 'McSubMgr.DLL' ActiveX control shipped with McAfee Security Center is prone to a buffer-overflow vulnerability. The software fails to perform sufficient boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.
Signature ID: 32611 HTTP ActSoft DVDTools OCX ActiveX Buffer Overflow Threat Level: Severe Industry ID: CVE-2007-0976 Bugtraq: 22558 Signature Description: The ActSoft DVD Tools ActiveX control (dvdtools.ocx) is vulnerable to a buffer overflow, because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
Signature ID: 32616 HTTP Yahoo Messenger AudioConf ActiveX Overflow Threat Level: Severe Industry ID: CVE-2007-1680 Bugtraq: 23291 Signature Description: Yahoo Messenger is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Yahoo.AudioConf ActiveX control (yacscom.dll) in Yahoo Messenger.
Explorer 5.01, 6, and 7 uses certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors. This signature detects if an attacker tries to exploit Htmlmm.ocx. Signature ID: 32622 HTTP MS IE COM ActiveX Object Memory Corruption (Msb1fren.
control is provided by the file NCTAudioFile2.dll. The NCTAudioFile2 ActiveX control is included with several applications. The NCTAudioFile2 ActiveX control contains a buffer overflow in the SetFormatLikeSample() method. This buffer overflow allows an attacker to overwrite the contents of the EIP (Extended Instruction Pointer) register, thus gaining control of program execution flow.
attempts of this vulnerability are detected using a combination of two signatures. This is the second signature and generates a log message. Signature ID: 32633 FTP 3Com 3CDaemon Multiple Remote Vulnerabilities Threat Level: Severe Industry ID: CVE-2005-0277 Bugtraq: 12155 Signature Description: 3CDaemon is reportedly prone to multiple vulnerabilities.
servers for Windows. Unlike MS FTP, acFTP supports an extended FTP command set, including APPE and REST for resuming broken uploads and downloads. A vulnerability in acFTP has been reported, which can be exploited by remote users to trigger denial of service conditions. The vulnerability is caused by an error within the handling of the argument passed to the "REST" command.
booted. This web server is reportedly vulnerable to a stack-based buffer overflow that can be triggered by an overlong HTTP request. The overflow can be exploited to execute arbitrary code with the privileges of the server process.
Signature Description: EIQnetworks SecureVue Enterprise Security Management (ESM) solution delivers next-generation security information and compliance management from an integrated platform. EIQ Networks Network Security Analyzer is vulnerable to a denial of service, caused by a null pointer dereference in the DataCollection service.
'SETSYNCHRONOUS' string to TCP port 10618. Successful exploitation may allow an attacker to cause the DataCollection service to crash. No remedy available as of October, 2008.
Signature Description: Oracle Rapid Install Web Server in Oracle Application Server 11i is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the login page.
intruder to execute arbitrary code with SYSTEM privileges. Additionally, Windows 98 and Windows 98SE may be affected if you have installed the Windows XP Internet Connection Sharing client.
Signature ID: 32670 Backdoor Wow23 0.3 Threat Level: Severe Signature Description: Wow.23 backdoor, also known as 23 HTML Creator or BackDoor-US, is a backdoor Trojan written in Visual Basic that affects Microsoft Windows operating systems. Wow.23 backdoor exploits a vulnerability in Microsoft Internet Explorer, allowing the attacker to execute arbitrary code on the system. It communicates using TCP on port 80.
Signature ID: 32680 IBM Tivoli Enterprise Portal Server Heap Overflow Threat Level: Severe Industry ID: CVE-2007-2137 Bugtraq: 23558 Signature Description: IBM Tivoli Monitoring in kde.dll is vulnerable to multiple heap-based buffer overflows, caused by improper bounds checking by Tivoli Universal Agent Primary Service, Monitoring Agent for Windows OS Primary, and Tivoli Enterprise Portal Server services.
cookie-based authentication credentials or possibly obtain other sensitive information. This vulnerability only affects users running Firefox. In Adobe versions prior to 6, this vulnerability could allow remote code execution.
Signature ID: 32689 HTTP Adobe Reader Plugin Open Parameters Cross-Site Scripting Threat Level: Severe Industry ID: CVE-2007-0045 CVE-2007-0044 Bugtraq: 21858 Signature Description: Adobe Acrobat Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser.
remote attackers to crash the server and deny further communication. Currently we are not aware of any solutions for this issue. Signature ID: 32693 HTTP IE NDFXArtEffects Stack Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-3943 Bugtraq: 19184 Signature Description: A remote overflow exists in Internet Explorer, caused by a stack-based buffer overflow in the DXImageTransform.Microsoft.
By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, JavaScript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition. Since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability.
Signature ID: 32707 Microsoft Windows Media Player MIDI File Format DoS Threat Level: Severe Industry ID: CVE-2006-6602 Bugtraq: 21612 Signature Description: A vulnerability has been identified in Microsoft Windows Media Player, which could be exploited by attackers to cause a denial of service.
resuming broken uploads and downloads. Multiple input validation vulnerabilities in acFTP have been reported, which can be exploited by remote users to trigger denial of service conditions. The vulnerabilities are caused by input validation errors when handling arguments passed to the REST and PBSZ commands.
the source code of server-side scripts, such as Active Server Pages (.ASP files). A remote attacker can send a file HTTP GET request that contains a specialized header ("Translate: f"), and one of several particular characters at the end, to cause the Web server to send the source code of the file to the attacker.
Signature ID: 32734 LanDesk AOLSRVR.EXE Overflow Threat Level: Severe Industry ID: CVE-2007-1674 Bugtraq: 23483 Signature Description: The specific flaw exists in the Alert Service listening on UDP port 65535. The Aolnsrvr.exe process accepts user-supplied data and performs an inline memory copy into a 268 byte stack-based buffer. Supplying additional data results in a buffer overflow and SEH overwrite.
Signature ID: 32745 HTTP Apache Web Server Mod_Cache DoS (max-stale) Threat Level: Warning Industry ID: CVE-2007-1863 Bugtraq: 24649 Signature Description: The Cache-Control header is used to signal how long a representation can be cached. mod_cache has a defect which can cause the httpd process to crash when cache is enabled and a maliciously formed Cache-Control request header is received.
caused by a canonicalization vulnerability. The web.config file prevents access to files unless a user is properly authenticated. A remote attacker could use Mozilla and send a specially-crafted URL request containing a backslash (\) or use Microsoft Internet Explorer to send a request containing a URL encoded backslash (%5C) to bypass this authentication method and gain unauthorized access to the restricted resource.
Signature Description: Microsoft Speech API is a software package that provides text-to-speech and speech recognition capabilities. The Microsoft Speech API 4 includes ActiveX controls called ActiveListen and ActiveVoice, which are provided by Xlisten.dll and XVoice.dll, respectively. These ActiveX controls contain multiple buffer overflow vulnerabilities. By convincing a user to view a specially crafted HTML document (e.g.
4XEM's products include a wide range of IP Camera and Network Cameras, Video Server and Accessory products. 4XEM VatDecoder VATDecoder.VatCtrl.1 ActiveX control (VATDecoder.dll version 1.0.0.27 and 1.0.0.51) is vulnerable to a stack-based buffer overflow via a long string URL argument to the .Url property. Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the victim.
Signature ID: 32991 Exploit 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability Threat Level: Warning Bugtraq: 28010 Signature Description: 4XEM Corporation markets a full line of IP (Internet Protocol) Network Video products. 4XEM's products include a wide range of IP Camera and Network Cameras, Video Server and Accessory products. 4XEM VatDecoder VATDecoder.VatCtrl.
remote attacker to execute arbitrary code with the privileges of the victim. No remedy is available as of Feb 2008. Alternatively, the user can set the kill bit for CLSID 210D0CBC-8B17-48D1-B294-1A338DD2EB3A. This signature detects traffic containing PROGID encoded in UTF encoding.
Signature ID: 34007 WinZip FileView ActiveX Control Unsafe Method Exposure vulnerability Threat Level: Warning Industry ID: CVE-2006-5198 Bugtraq: 21060 Signature Description: The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a remote attacker to execute arbitrary code on the system. The FileView ActiveX control contains several unsafe methods and is marked "safe for scripting" and "safe for initialization".
containing specially-crafted VML records, a remote attacker could overflow a buffer and execute arbitrary code on the system with permissions of the victim, if the attacker could persuade the victim to open the malicious file.
file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash, if the attacker could persuade the victim to open the malicious file.
Signature ID: 34077 MS Windows HTML Help HHCtrl ActiveX Control Memory Corruption Vulnerability Threat Level: Severe Industry ID: CVE-2006-3357 Bugtraq: 18769 Signature Description: Microsoft IE is vulnerable to a heap-based buffer overflow in the HTML Help ActiveX control (HHCtrl.ocx), caused by improper bounds checking of the 'Image' property.
Signature ID: 34082 MS Windows HTML Help HHCtrl ActiveX Control Memory Corruption Vulnerability Threat Level: Severe Industry ID: CVE-2006-3357 Bugtraq: 18769 Signature Description: Microsoft IE is vulnerable to a heap-based buffer overflow in the HTML Help ActiveX control (HHCtrl.ocx), caused by improper bounds checking of the 'Image' property.
property. A remote attacker could exploit this vulnerability to execute arbitrary code on the victim's system by persuading a victim to visit a malicious Web page containing %u encoded exploit data, if the victim is using an affected version of WinZip. The user can set the kill bit for the CLSID corresponding to the progid WZFILEVIEW.FileViewCtrl.61 or upgrade to the latest version of WinZip (10.
BA413F034904. Upgrade to the latest version of WinZip (10.0 Build 7245 or later), available from the WinZip Web site. Signature ID: 34100 IG Shop remote attackers execute arbitrary commands vulnerability Threat Level: Severe Industry ID: CVE-2007-0132 Bugtraq: 21874 Signature Description: IG Shop is a powerful, full-featured PHP/MySQL-based shopping cart system that enables you to create an online shop quickly. iG Shop 1.
from another remote system by http or https or ftp (INC=http;//[target]/[path]/[maliciousfile]). While executing this malicious file on our system, the attacker can access whatever he wants as per the malicious code.
Signature ID: 34109 Magic Photo Storage Website Multiple Remote File Inclusion vulnerability Threat Level: Severe Industry ID: CVE-2007-0182 Bugtraq: 21965 Signature Description: Magic Photo Storage Website contains a flaw that may allow a remote attacker to execute arbitrary commands. A remote attacker can send a specially-crafted URL request to approve_member.php, delete_member.php, list_members.php, membership_pricing.
malicious file from another remote system by http or https or ftp. While executing this malicious file on our system, the attacker can access whatever he wants as per the malicious code. Signature ID: 34115 LunarPoll (PollDir) Remote File Include Vulnerability Threat Level: Severe Industry ID: CVE-2007-0298 Bugtraq: 22024,22024 Signature Description: A vulnerability was reported in LunarPoll 1.x.
malicious file from another remote system by http or https or ftp. While executing this malicious file on our system, the attacker can access whatever he wants as per the malicious code. Signature ID: 34120 Article System classes.
Signature ID: 34124 AIOCP download_category SQL Injection1. Threat Level: Warning Industry ID: CVE-2007-0223 Bugtraq: 22019 Signature Description: AIOCP (All In One Control Panel) is a powerful yet easy to use application for Web Site Management (Web Content Management System - CMS) and it is also suitable as a development framework for Web-based solutions. All In One Control Panel (AIOCP) version 1.3.009.
exploited to manipulate SQL queries by injecting arbitrary SQL code. This signature detects attacks using SELECT or DELETE commands.
with "id" parameter values, which could allow the attacker to view, add, modify or delete information in the back-end database. This signature detects attacks using insert, truncate, update SQL commands in query. Signature ID: 34134 Logitech VideoCall wcamxmp.dll ActiveX controls stack buffer overflow vulnerability Threat Level: Warning Industry ID: CVE-2007-2918 Bugtraq: 24254 Signature Description: Logitech VideoCall wcamxmp.
Signature ID: 34140 Yahoo Messenger WebCam Upload ActiveX Control Send Method Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-3147 Bugtraq: 24354,24341 Signature Description: Yahoo Webcam is a component of Yahoo Messenger that allows users to chat via webcams over a network. Yahoo Webcam Upload includes an ActiveX control provided by the file ywcupl.dll. This ActiveX control (ywcupl.
Signature ID: 34147 Yahoo Messenger WebCam Upload ActiveX Control Send Method Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-3147 Bugtraq: 24354,24341 Signature Description: Yahoo Webcam is a component of Yahoo Messenger that allows users to chat via webcams over a network. Yahoo Webcam Upload includes an ActiveX control provided by the file ywcupl.dll. This ActiveX control (ywcupl.
Module. It is provided by the file Spider.ocx or Spider90.ocx. This ActiveX control contains a stack buffer overflow in the ProgColor property. The target ActiveX Control is part of the Mercury Quality Center web application which runs on port 8080 by default.
execute arbitrary code on the target system. The code will run with the privileges of the target user. A specially crafted 'ProgColor' parameter value can trigger the overflow. The vulnerability reportedly affects version 8.2 SP1 and 9.0. Patches available in HP Security Bulletin. Signature ID: 34155 HPMQC SPIDERLib ActiveX Control Buffer Overflow Vulnerability.
code in currently logged-in user context and overflow the buffer through NeoTraceLoader ActiveX control method. NeoTrace Express 3.25 and NeoTrace Professional 3.25 are vulnerable.
victim to visit a specially-crafted web page that passes overly long arguments to the SetBgColor(), SetHREF(), SetMovieName(), SetTarget(), or SetMatrix() function, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash. No remedy is available as of February 2008.
and the servers it manages. The Trend Micro ServerProtect 5.58 is vulnerable. The Information Server allows administrators to send and receive instructions from remote sites. The information server executable file (EarthAgent.exe) will run on TCP port 3628.
Signature ID: 34218 Internet Explorer WebViewFolderIcon setSlice() Overflow vulnerability.
for Internet Explorer. This signature specifically detects when an attacker sends a malicious pattern using the progid for this ActiveX control. Signature ID: 34270 Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-4777 Bugtraq: 20047 Signature Description: DirectAnimation Path Control COM object (daxctle.ocx) for Internet Explorer 6.
WebViewFolderIcon ActiveX object, which leads to an invalid memory copy. By persuading a victim to visit a malicious Web page containing hex-encoded data, an attacker can execute code or cause a denial of service. Users are advised to set a killbit for the CLSID corresponding to the progid WebViewFolderIcon.WebViewFolderIcon.1 to resolve this issue.
Signature ID: 34300 IPlanet GETATTRIBUTENAMES attempt Threat Level: Critical Industry ID: CVE-2001-0746 CVE-2001-0747 Bugtraq: 2732 Signature Description: Buffer overflow in Web Publisher in iPlanet Web Server Enterprise Edition 4.1 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request for a long URI with (1) GETPROPERTIES, (2) GETATTRIBUTENAMES, or other methods.
integer buffer overflow. With unspecified length fields in OpenOffice TIFF directory entries, a user can overflow the buffer. The vendor has fixed this issue in OpenOffice version 2.3. Please visit the vendor URL for the updates. Exploit attempts of this vulnerability are detected using a combination of two signatures. This is the second signature and generates a log message. Signature ID: 34318 Adobe Multiple products .
Signature ID: 34337 CA BrightStor ARCserve Backup LGSERVER.EXE buffer overflow Threat Level: Warning Industry ID: CVE-2007-0449 Bugtraq: 22340,22342 Signature Description: CA BrightStor ARCserve Backup is used for backing up and restoring data on remote and mobile Windows-based PCs. It automatically performs backups when disconnected from the network. Mobile Backup r4.
persuading a victim to visit a specially-crafted Web page containing %u encoded exploit data. Set the killbit for the ActiveX control CLSID value as mentioned in the Microsoft security bulletin.
persuading a victim to visit a specially-crafted web page having UTF-16 encoded data. Set the killbit for the CLSID corresponding to the progid ACTIVEVOICEPROJECTLib.DirectSS to resolve this issue.
Signature ID: 34384 Subversion Date Parsing Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2004-0397 CVE-2004-0413 Bugtraq: 10386 Signature Description: Subversion is a version control project for all Linux and Unix-based operating systems. Subversion versions 1.0.2 and prior are vulnerable to a stack-based buffer overflow.
trigger this buffer overflow. Upgrade to Asterisk version 1.4.3, AsteriskNOW version beta 6 and Asterisk Appliance Developer Kit version 0.4.0 or higher to resolve this issue. Signature ID: 34388 Asterisk SIP T.38 SDP Parsing Remote Stack Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2007-2293 Bugtraq: 23648 Signature Description: Asterisk is the leading open source telephony engine and tool kit.
resulting in a buffer overflow. A remote attacker can cause arbitrary code execution resulting in a loss of integrity. Apply the patch provided by Oracle Corporation.
v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. SSL provides communication security between two hosts. It provides integrity, authentication and confidentiality.
Internet-standard protocols (e.g. IMAP, iCalendar, POP, SMTP), across a large enterprise, or to a large group of users who are not particularly associated. Novell Netmail, version <=3.52d, is prone to a stack-based buffer overflow vulnerability. The issue is triggered when an attacker sends an overly long string in an 'AUTHENTICATE GSSAPI' command to the IMAP service.
Signature ID: 34454 3Com Network Supervisor Directory Traversal Threat Level: Warning Industry ID: CVE-2005-2020 Bugtraq: 14715 Signature Description: 3Com Network Supervisor is a network monitoring application which allows monitoring services on multiple hosts. 3Com Network Supervisor (3Com Network Supervisor version 5.0.2) is prone to a directory traversal vulnerability. By sending a GET request containing ..
Signature ID: 34459 Microsoft Office Web Components MSOWC.DLL ActiveX Control Buffer Overflow Threat Level: Warning Industry ID: CVE-2006-4695 Bugtraq: 28135 Signature Description: Functionality, such as spreadsheets, tables, and charts. These ActiveX controls are provided by the file MSOWC.DLL.
string containing Null characters) via TCP on port 41523, a remote attacker could overflow a buffer and execute arbitrary code on the system. Signature ID: 34465 Microsoft IIS Malformed URL Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-2005-4360 Bugtraq: 15921 Signature Description: Microsoft Internet Information Services (IIS) is a set of Internet-based services for servers using Microsoft Windows.
Language used by both Microsoft and Sybase. Microsoft SQL Server (Microsoft SQL Server version 7.0 through 7.0 SP3) is vulnerable to a denial of service attack. By sending an overly long string (above 700000 bytes) on TCP port 1433, a remote attacker could overflow a buffer and cause the server to crash. Signature ID: 34470 Oracle Database Server SDO_CS.
servers. IBM Tivoli Storage Manager (IBM, Tivoli Storage Manager prior to 5.2.9 and prior to 5.3.4) is vulnerable to a buffer overflow. By processing the initial sign-on request contains a field to specify the language (dscenu.txt), the language string is no longer than 100 bytes.
Signature Description: McAfee WebShield SMTP is an anti-virus protection and content blocking software solution for the internet gateway. It can scan SMTP traffic without disrupting other systems such as firewalls or mail servers. McAfee WebShield SMTP acts as an SMTP server. McAfee WebShield SMTP (McAfee, WebShield SMTP 4.5 MR1a) is prone to a format string vulnerability in the destination email address.
the system. Exploit attempts of this vulnerability are detected using a combination of two signatures. This is the second signature and generates a log message.
Signature Description: IBM Lotus Domino LDAP Domino server software provides email, calendar, scheduling and collaboration services. IBM Lotus Domino (IBM, Lotus Domino 6.5 and 7.0 versions) is vulnerable to a heap-based buffer overflow caused by the LDAP server.
Signature ID: 34499 Cisco IOS Show IP BGP Regexp Remote Denial of Service Vulnerability Threat Level: Severe Industry ID: CVE-2007-4430 Bugtraq: 25352 Signature Description: BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts in a network of autonomous systems and is used between gateway hosts on the Internet. Cisco IOS (Cisco IOS 12.0 through 12.
Signature ID: 34519 HP Virtual Rooms client Buffer Overflow Vulnerabilities Threat Level: Severe Bugtraq: 27384 Signature Description: HP Virtual Rooms is a suite of online collaboration, training and support tools. HP uses an ActiveX control to install the Virtual Rooms client. The HP Virtual Rooms Install ActiveX control (HPVirtualRooms14 ActiveX control 1.0.0.
user. No remedy available as of January 2008. Alternatively, the user can set the killbit for the vulnerable ActiveX control's CLSID corresponding to the progid WebHPVCInstall.HPVirtualRooms14 to resolve this issue. Signature ID: 34523 HP Virtual Rooms client Buffer Overflow Vulnerabilities Threat Level: Severe Bugtraq: 27384 Signature Description: HP Virtual Rooms is a suite of online collaboration, training and support tools.
as of January 2008. Alternatively, the user can set the killbit for the vulnerable ActiveX control's CLSID 309F674D-E4D3-46BD-B9E2-ED7DFD7FD176. Signature ID: 34527 Comodo AntiVirus 'ExecuteStr()' ActiveX Control Arbitrary Command Execution Vulnerability Threat Level: Warning Bugtraq: 27424 Signature Description: Comodo Antivirus is an antivirus solution for Microsoft Windows.
vulnerable ActiveX control's CLSID C36112BF-2FA3-4694-8603-3B510EA3B465. This signature detects traffic using the vulnerable CLSID. Signature ID: 34531 Lycos File Upload ActiveX Control Buffer Overflow Threat Level: Severe Bugtraq: 27411 Signature Description: The Lycos File Upload ActiveX is provided by Lycos to ease file uploads to Lycos services. Lycos FileUploader Module FileUploader.dll version 2.0.0.
C36112BF-2FA3-4694-8603-3B510EA3B465. This signature detects attack traffic using the vulnerable PROGID in UTF encoding. Signature ID: 34535 Macrovision FLEXnet Connect ActiveX Control Multiple Arbitrary File Download Threat Level: Severe Bugtraq: 27279 Signature Description: Macrovision FLEXNet Connect allows software distributors and vendors the ability to automatically deliver software and notify users of updates.
Signature ID: 34539 Macrovision FLEXnet Connect ActiveX Control Multiple Arbitrary File Download Threat Level: Severe Bugtraq: 27279 Signature Description: Macrovision FLEXNet Connect allows software distributors and vendors the ability to automatically deliver software and notify users of updates. Part of its functionality is provided by an ActiveX control. Macrovision FLEXNet Connect ActiveX control (FLEXnet Connect 6.1.100.
privileges of the current user. Alternatively user can set the killbit for the vulnerable ActiveX control's CLSID corresponding to the progid MSVNClientDownloadManager61Lib.DownloadManager.1 to resolve this issue.
Signature ID: 34547 Macrovision FLEXnet Connect ActiveX Control Multiple Arbitrary File Download1 Threat Level: Severe Bugtraq: 27279 Signature Description: Macrovision FLEXNet Connect allows software distributors and vendors the ability to automatically deliver software and notify users of updates. Part of its functionality is provided by an ActiveX control. Macrovision FLEXNet Connect ActiveX control (FLEXnet Connect 6.1.100.
Signature ID: 34551 Crystal Reports 'EnterpriseControls.dll' ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2008-0379 Bugtraq: 27333 Signature Description: Crystal Reports is a popular third-party package included with Visual Basic that allows you to create reports for your application. Part of its functionality is provided by an ActiveX control.
Signature ID: 34557 AOL Radio AmpX ActiveX Control Buffer Overflow Threat Level: Severe Industry ID: CVE-2007-5755 Bugtraq: 26396 Signature Description: AOL Radio is a streaming media service from AOL. Part of its functionality is implemented as an ActiveX control. The AOL Radio ActiveX control (AmpX ActiveX Control 2.6.1.11) is vulnerable to a buffer overflow via AppendFileToPlaylist.
Signature ID: 34561 AOL Radio AmpX ActiveX Control Buffer Overflow Threat Level: Severe Industry ID: CVE-2007-5755 Bugtraq: 26396 Signature Description: AOL Radio is a streaming media service from AOL. Part of its functionality is implemented as an ActiveX control. The AOL Radio ActiveX control (AmpX ActiveX Control 2.6.1.11) is vulnerable to a buffer overflow via AppendFileToPlaylist.
language. Microsoft Visual FoxPro (Microsoft Visual FoxPro version 6.0) is vulnerable to arbitrary command execution via the foxcommand and Docmd methods. Successful exploitation would allow an attacker to execute arbitrary code with the privileges of the current user. Alternatively, the user can set the kill bit for ActiveX control CLSID A7CD2320-6117-11D7-8096-0050042A4CD2.
Signature ID: 34571 Gateway Web Launch ActiveX Control buffer overflow Vulnerabilities Threat Level: Warning Bugtraq: 27193 Signature Description: The Gateway Web Launch ActiveX control is used to provide troubleshooting and launch services to users of Gateway computers. It is installed by default on many Gateway systems. Gateway Web Launch ActiveX (Gateway Web Launch 1.0.0.
services to users of Gateway computers. It is installed by default on many Gateway systems. Gateway Web Launch ActiveX (Gateway Web Launch 1.0.0.1) is vulnerable to a buffer overflow via the DoWebLaunch method. Successful exploitation would allow an attacker to execute arbitrary code with the privileges of the current user. Alternatively, the user can set the kill bit for the ActiveX control CLSID corresponding to the progid WebLaunch.
Signature ID: 34580 MySpace Uploader "MySpaceUploader.ocx" ActiveX Control Buffer Overflow Threat Level: Severe Industry ID: CVE-2008-0660 Bugtraq: 27533 Signature Description: MySpace Uploader is an image uploader tool. Using MySpace Uploader, MySpace can upload images to the server. MySpace Uploader ActiveX control (MySpaceUploader ActiveX control 1.0.0.4 and MySpaceUploader ActiveX control 1.0.0.
ActiveX control CLSID 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0. This signature detects when an attacker tries to exploit Facebook's Image Uploader ActiveX control by using the CLSID and either the ExtractExif or ExtractIptc method. Signature ID: 34584 Facebook Photo Uploader 4 ImageUploader4.1.
Signature ID: 34588 Aurigma Image Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2008-0660 Bugtraq: 27539 Signature Description: Aurigma Image Uploader ActiveX Control lets users manage and upload images to a server. The Aurigma Image Uploader ActiveX control (Image Uploader version 4.5.70.0) is vulnerable to a buffer overflow via the action property.
Signature ID: 34592 Aurigma Image Uploader 'ImageUploader4.ocx' ActiveX Control Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2008-0660 Bugtraq: 27539 Signature Description: Aurigma Image Uploader ActiveX Control lets users manage and upload images to a server. The Aurigma Image Uploader ActiveX control (Image Uploader version 4.5.70.0) is vulnerable to a buffer overflow via the action property.
provided by ActiveX controls, mediagrid.dll. The Yahoo Jukebox ActiveX control (Yahoo! Music Jukebox 2.2) is vulnerable to a buffer overflow via the addbitmap method. A malicious web page containing UTF-16 encoded data that instantiates the control could trigger the vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user.
Signature ID: 34638 IBM Domino Web Access 'dwa7w.dll' ActiveX Control Buffer Overflow Threat Level: Severe Industry ID: CVE-2007-4474 Bugtraq: 26972 Signature Description: Buffer overflow in the General_ServerName property of dwa7w.dll of the IBM Lotus Domino Web Access ActiveX control.
send a specially crafted username value to trigger a buffer overflow in the CRAM-MD5 authentication mechanism and cause the target IMAP service to crash or execute arbitrary code.
Signature ID: 34704 Macromedia Flash Flash8b.OCX ActiveX Control Denial of Service Vulnerability Threat Level: Warning Industry ID: CVE-2006-6827 Bugtraq: 21818 Signature Description: Macromedia Flash player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser. The Macromedia Flash ActiveX control (Macromedia Flash 8.
Signature ID: 34708 EnjoySAP rfcguisink.rfcguisink.1 ActiveX Control Heap-based Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2007-3606 Bugtraq: 24777 Signature Description: EnjoySAP is the SAP GUI client in SAP R/3's 3-tier architecture of database, application server and client.
The EnjoySAP rfcguisink.rfcguisink.1 ActiveX control is vulnerable to a heap-based buffer overflow. The issue occurs when processing overly long arguments (>180 bytes) passed to the LaunchGui() method. By persuading the victim to visit a specially crafted Web page containing hex encoded data, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the browser to crash.
Web page, a remote attacker could execute arbitrary code on the system with the privileges of the victim. Update to the latest version available from the vendor's web site. Alternatively, the user can set the kill bit for CLSID CA8A9780-280D-11CF-A24D-444553540000.
Signature ID: 34716 Adobe Reader AcroPDF.
Signature ID: 34720 Microsoft Windows DNS Server RPC Interface Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2007-1748 Bugtraq: 23470 Signature Description: Microsoft Windows DNS Server service is a domain name service daemon included with Windows 2000, XP, 2003, and Vista. The Microsoft Windows Domain Name System (DNS) Server is vulnerable to a stack-based buffer overflow in the RPC interface.
transaction function, possibly related to an SMB PIPE. Apply the patches available from the vendor's web site. This signature detects attempts using port 445/TCP.
Signature ID: 34725 Microsoft Windows srv.
heap-based buffer overflow. By sending a specially crafted packet, an attacker can overflow the buffer, leading to arbitrary code execution. Apply the patches available from the vendor's web site.
request to the SpntSvc.exe service on TCP port 5168, a remote attacker could overflow a buffer and execute arbitrary code on the vulnerable system with SYSTEM privileges. This vulnerability is fixed. Apply the patch for this vulnerability (Security Patch 4 - Build 1185), available from the Trend Micro Web site. This signature specifically detects when an attacker sends a malicious pattern along with the UUID.
using the COM runtime, developers can create software components that perform a particular function or a set of functions. Many Microsoft Windows applications, including many of those from Microsoft such as Internet Explorer, Microsoft Office, Microsoft Visual Studio and Windows Media Player, use ActiveX controls to build their feature set as well as to encapsulate their functionality.
Signature ID: 34761 McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite vulnerability Threat Level: Severe Industry ID: CVE-2005-3657 Bugtraq: 15986 Signature Description: McAfee VirusScan is a commercially available virus scanning product for the Microsoft Windows platform. Security Center is a component that combines various security protection applications. It ships with McAfee VirusScan.
client applications to include several different sources of data in one transaction and which then coordinates committing the distributed transaction across all the servers that are enlisted in the transaction.
Signature ID: 34772 Cisco IOS HTTP Service HTML Injection Vulnerability Threat Level: Severe Industry ID: CVE-2005-3921 Bugtraq: 15602 Signature Description: The Cisco IOS Web browser interface allows configuration and monitoring of a router or access server using any web browser. This feature was introduced in IOS 11.0.
Windows versions is affected only if COM objects have been enabled by the ActiveX opt-in feature. Microsoft Internet Explorer 5.01, 6, and 7 use certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors. This signature detects when an attacker tries to exploit Blnmgrps.dll.
Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. IPv4 is the dominant network layer protocol on the Internet. The creators of IPv4 included the ability to add options that provide additional flexibility in how IP handles datagrams. The IP datagram may contain zero or more options, which makes the total length of the Options field in the IP header variable.
different types of IPv4 packets containing a specially crafted IP option. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected device or create a denial-of-service condition. This signature detects attack vectors on Pragmatic General Multicast packets.
routers and switches. The Cisco Network Services (CNS) NetFlow Collection Engine (NFC) contains a default password. Cisco Network Services (CNS) NetFlow Collection Engine (NFC) before 6.0 contains a gain-access vulnerability. Successful exploitation of this issue will allow an attacker to modify the application configuration and gain user access to the target host operating system. This issue is fixed in version 6.0 or later.
X-MICROSOFT-CDO-MODPROPS properties in which the second MODPROPS is longer than the first, which triggers a NULL pointer dereference and an unhandled exception. This issue is resolved and fixes are available at the vendor's web site.
SetMovieName(), SetTarget(), or SetMatrix() function, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash. No remedy is available as of February 2008. Alternatively, the user can disable this ActiveX control by setting a kill bit. This signature detects attacks using PROGID and %HH encoding.
Signature ID: 34807 Apple QuickTime QTPlugin.
in web pages. QTPlugin.ocx version 7.4.1 and prior is vulnerable to a stack-based buffer overflow.
the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Signature ID: 34815 SMe FileMailer index.php SQL Injection Vulnerability Threat Level: Warning Industry ID: CVE-2007-0339 Signature Description: SMe FileMailer is a PHP-based script which allows visitors to submit their name and email address in order to retrieve a file from your site.
PHP/MySQL/Smarty. e-Ark supports both Linux and Windows. e-Ark 1.0 is vulnerable: src/ark_inc.php in e-Ark 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the cfg_pear_path parameter.
Signature ID: 34826 Cisco Phone 7940 remote DOS Threat Level: Severe Industry ID: CVE-2007-5583 Bugtraq: 26711 Signature Description: SIP is a protocol used by VoIP devices (IP phones). SIP is ASCII based; an INVITE message is used to initiate and maintain a communication session. An attacker generates SIP INVITE transactions to the victim that lead the device to crash, i.e.
URI field of the SIP INVITE packet. An attacker could manipulate the victim's valuable information. Patches are available at the Asterisk website. This signature triggers when an attacker sends a request using the UDP service.
message to initiate a session. After a particular packet sequence is processed by the phone, the phone user cannot operate the phone unless it is rebooted. The sequence of messages consists of 2 different SIP dialogs: the first initiates an INVITE transaction but immediately closes it (in an anticipated manner), while the second initiates a normal INVITE transaction that triggers the vulnerability of the target.
Signature ID: 34853 Remote eavesdropping with SIP Phone GXV-3000 vulnerability Threat Level: Warning Industry ID: CVE-2007-4498 Bugtraq: 25399 Signature Description: Grandstream Networks is a leading designer and manufacturer of innovative, affordable, and high quality IP voice and video products for the worldwide broadband telephony market. Grandstream SIP Phone GXV-3000 with firmware 1.0.1.7, Loader 1.0.0.6, and Boot 1.0.0.
This signature is specifically for messages from UAS to UAC when the device is using UDP for transport. No remedy is available.
Signature ID: 34858 DOS vulnerability on Thomson SIP phone ST 2030 using the VIA Header Threat Level: Warning Industry ID: CVE-2007-4553 Bugtraq: 25446 Signature Description: Thomson ST2030 IP Phone is a hardphone which uses the Session Initiation Protocol (SIP).
Signature ID: 34862 DOS vulnerability on Thomson SIP phone ST 2030 using the To Header Threat Level: Warning Industry ID: CVE-2007-4753 Signature Description: Thomson ST2030 IP Phone is a hardphone which uses the Session Initiation Protocol (SIP). It will send an INVITE message, which is used to initiate and maintain a communication session.
daemon process, the bpcd (bpcd.exe) daemon listens on 13782/tcp. VERITAS NetBackup versions 5.0 and 6.0 are vulnerable. The NetBackup bpcd daemon fails to properly validate commands. The NetBackup service (bpcd.exe), when parsing CONNECT_OPTIONS requests, can be exploited to cause a stack-based buffer overflow via an overly long request. Patches are available.
vulnerable, an attacker could exploit this vulnerability against Internet Explorer using a specially crafted web site. Set the kill bit for the CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11 to resolve this issue.
Signature ID: 34871 Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability Threat Level: Severe Industry ID: CVE-2004-1043 Bugtraq: 11467 Signature Description: The HTML Help ActiveX control (Hhctrl.
Signature ID: 34875 Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability Threat Level: Warning Industry ID: CVE-2004-1043 Bugtraq: 11467 Signature Description: The HTML Help ActiveX control (Hhctrl.ocx) provides a rich feature set for help systems. Key features include an expanding table of contents, keyword search, shortcuts, and pop-up help topics.
Signature ID: 34879 Symantec Products SupportSoft SmartIssue ActiveX Control Remote Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2006-6490 Bugtraq: 22564 Signature Description: SupportSoft Inc. develops a product called Self-Service Suite which aims to help end users solve technical problems on their own. SupportSoft products 6.
attacker could overflow a buffer and cause the victim's browser to crash or possibly execute arbitrary code on the system with the privileges of the victim. Users are advised to set the kill bit for the CLSID 01010e00-5e80-11d8-9e86-0007e96c65ae to resolve this issue.
attacker could overflow a buffer and cause the victim's browser to crash or possibly execute arbitrary code on the system with the privileges of the victim. Users are advised to set the kill bit for the CLSID to resolve this issue.
solve technical problems on their own. SupportSoft products 6.x and prior versions, which are included with multiple Symantec products, are vulnerable to multiple buffer overflows.
Signature Description: The IMA service is used by Citrix Presentation Server for inter-server and management communications. Citrix Presentation Server 4.0 is vulnerable; this vulnerability allows attackers to execute arbitrary code, and authentication is not required to exploit it. The specific flaw exists within the routine IMA_SECURE_DecryptData1() defined in ImaSystem.
will occur. The ARJ archive file format is too flexible, especially in the file name field in the local header. This file name is stored as a null-terminated string and limited only by the overall size of the local header (local header size is stored as a 16-bit value and is limited to 2,600 bytes only).
Signature ID: 34917 GNU Radius SQL Accounting Format String Vulnerability Threat Level: Warning Industry ID: CVE-2006-4181 Bugtraq: 21303 Signature Description: The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services.
create a specially crafted AIM URL that, when loaded by the target user, will trigger a format string flaw and cause the iChat application to crash or execute arbitrary code. Patches are available at the Apple website.
Signature ID: 34923 Microsoft ASP.NET Application Folder Information Disclosure vulnerability Threat Level: Warning Industry ID: CVE-2006-1300 Bugtraq: 18920 Signature Description: The Microsoft .
Signature Description: Java Web Start is a framework developed by Sun Microsystems which allows application software for the Java Platform to be started directly from the Internet using a web browser. Java Web Start in Sun JDK and JRE 6 Update 4 and earlier is vulnerable to a stack-based buffer overflow. The vulnerability is due to improper bounds checking while handling XML-based JNLP files.
modules can be used to extend the functionality of the Apache web server. The mod_tcl module, which allows Apache to run TCL scripts natively, is vulnerable in version 1.0. By sending a malformed packet, a remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the httpd process. Patches are available at the Apache website.
Signature ID: 34939 Cisco IOS Misformed BGP Packet Causes Reload vulnerability Threat Level: Warning Industry ID: CVE-2005-0196 Signature Description: The Border Gateway Protocol (BGP) is a routing protocol designed to manage IP routing in large networks. Cisco devices running Cisco Internetworking Operating System Software (IOS) versions 9.x, 10.x, 11.x and 12.x are vulnerable.
could execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. This issue occurs because the application fails to sanitize user-supplied input to the "TransferFile" method. The vulnerability is reportedly fixed in SecureTransport Server 4.6.1 Hotfix 20.
Signature ID: 35008 LEADTOOLS Multimedia 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite Vulnerability Threat Level: Severe Industry ID: CVE-2008-1605 Bugtraq: 28442 Signature Description: LEAD Technologies is the supplier of imaging development SDKs.
Signature ID: 35025 Microsoft Windows Plug and Play Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-1983 Bugtraq: 14513 Signature Description: The Plug and Play service is a Windows DCE-RPC service that is designed to handle device installation, configuration, and notification of new devices.
this vulnerability. On Windows XP Service Pack 1, only an authenticated user could remotely try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, only an administrator can remotely access the affected component. Administrators are advised to patch the system as specified in the MS05-039 bulletin. Exploit attempts of this vulnerability are detected using a combination of nine signatures.
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse. Microsoft Windows Plug and Play is prone to a buffer overflow vulnerability.
Signature ID: 35034 Microsoft Windows Print Spooler Service Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2005-1984 Bugtraq: 14514 Signature Description: The Print Spooler service spoolsv.
function to overwrite previously freed memory, as demonstrated using a SPNEGO token with a constructed bit string during HTTP authentication. Microsoft Windows NT, Windows 2000, Windows XP, and Windows Server 2003 are vulnerable to heap corruption in Microsoft's implementation of the Abstract Syntax Notation 1 (ASN.1) Library. Apply the appropriate patch, available in Microsoft Security Bulletin MS04-007, to resolve the issue.
detected using a combination of two signatures. This is the second signature and generates a log message. This signature detects attacks on TCP port 2103. Sometimes the remote user attacks this service on TCP ports 2101, 2105, 2107.
execute arbitrary code in the context of the server, facilitating unauthorized access to the affected computer. Alt-N MDaemon 8.03 is reported to be vulnerable. Other versions are likely affected as well.
Signature ID: 35058 NullSoft Winamp .WSZ File Remote Code Execution Vulnerability Threat Level: Severe Industry ID: CVE-2004-0820 Bugtraq: 11053 Signature Description: Winamp is a music player for Microsoft Windows, developed by Nullsoft. Winamp uses .b4s files to store MP3 file play lists in XML format. Winamp versions 3.0 and 5.0 through 5.04 could allow a remote attacker to execute arbitrary code on the system.
Signature ID: 35062 Microsoft Visual FoxPro 'vfp6r.dll' ActiveX Control Arbitrary Command Execution with foxcommand() method Threat Level: Severe Industry ID: CVE-2008-0236 Bugtraq: 27205 Signature Description: The Microsoft FoxServer ActiveX control (vfp6r.dll) could allow a remote attacker to execute arbitrary commands on the system, caused by the use of the insecure foxcommand() function.
Signature ID: 35067 Oracle Database 8i/9i Multiple Remote Directory Traversal Vulnerabilities Threat Level: Warning Industry ID: CVE-2005-0297 Signature Description: Oracle Database server is reported prone to multiple directory traversal vulnerabilities that may allow a remote attacker to read, write, or rename arbitrary files with the privileges of the Oracle Database server.
request that contains multiple 'Content-Length' values in an invalid HTTP header. A remote attacker may exploit this issue to launch cache poisoning or content-restriction bypass attacks against the affected server.
Signature ID: 35077 Microsoft Internet Explorer Frame Injection Vulnerability Threat Level: Warning Industry ID: CVE-2004-0719 Signature Description: A vulnerability in many popular Web browsers, including Netscape and Internet Explorer, allows a malicious Web site operator to trick a user into entering possibly compromising information.
object.documentElement.outerHTML property. An attacker could exploit this vulnerability by creating a specially crafted Web page, and persuading a potential victim to visit the page or sending it to a potential victim as an email attachment.
Signature ID: 35087 Microsoft DirectX SAMI File Parsing Code Execution Threat Level: Severe Industry ID: CVE-2007-3901 Bugtraq: 26789 Signature Description: DirectX is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. This vulnerability exists in the DirectShow SAMI parser, which is implemented in quartz.dll.
Signature ID: 35093 Microsoft Internet Explorer OnBeforeUnload JavaScript Address Bar Spoofing Threat Level: Severe Industry ID: CVE-2007-3826 Bugtraq: 24911 Signature Description: The vulnerability is caused by an error in the handling of the "document.open()" method and can be exploited to spoof the address bar if e.g.
remote users with two different authentication schemes. Type1 is without username and password; Type2 is with username and password. In a typical scenario, after the TCP connection is established, the server sends its protocol version to the client. The client replies with its protocol, after which the server sends the allowed schemes as an array of bytes.
Signature ID: 35106 Attribute breaking injections and evasion techniques on attributes Threat Level: Severe Bugtraq: 29025,29191 Signature Description: Remote attackers bypass security systems by breaking an attribute value with special characters, gaining admin access on the target system. This rule detects HTML-breaking statements followed by HTML tags found in the HTTP request lines.
Signature ID: 35112 Unicode or Octal or Hex representation of attribute values detected (Possible evasion) Threat Level: Severe Signature Description: Most attackers use Unicode, hex or octal representations in attacks to bypass IPS signatures. This rule hits when an octal character, Unicode or hex code is transferred to the internal systems.
dynamically. The scripting language can be JavaScript, VBScript, etc. An attacker injects miscellaneous DOM properties and methods to manipulate the HTML document on the client side.
Signature ID: 35119 Typical Script functions Possible evasion Threat Level: Severe Bugtraq: 29025,29191,29571,29574 Signature Description: This rule hits when a downloaded document contains typical script functions like exec.
Signature ID: 35125 Advanced Cross-Site-Scripting with script and constructors Threat Level: Severe Signature Description: Script and constructor functions provide a facility for adding user-defined functions. Attackers use these functions to inject cross-site scripts.
command line arguments. Using e.g. the "-chrome" parameter, it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands, e.g. when a user visits a malicious web site using Microsoft Internet Explorer.
Signature ID: 35138 HTTP request line with sql comment statements Threat Level: Severe Signature Description: This rule hits when an HTTP request attribute value contains SQL comments. Attackers use this technique to bypass validations on the server side. Most database systems allow comment statements in the query. Attackers make use of this functionality to bypass authentication.
Signature ID: 35143 SQL Injection Attempt using MySQL Inline-Comments, Conditions and Integers Injection using char function Threat Level: Severe Signature Description: Attackers can inject MySQL Comments to bypass security, ignore the remaining part of the MySQL statements at server-side, and inject their own MySQL statements. Attackers can add their own MySQL statements by passing tautological conditions to the server.
Signature ID: 35148 SQL Injection login bypass attempt Threat Level: Severe Bugtraq: 29025,29574 Signature Description: Remote attackers bypass the login page and get admin access by combining embedded tautology conditions like HAVING “A” with post data fields like admin, id. If the attack succeeds, the attacker gains admin access on the target system.
Signature ID: 35154 MySQL User defined function Injection and Modification attempts on Existing data Threat Level: Severe Signature Description: MySQL allows user-defined functions. Attackers inject functions with the same name as existing functions, causing naming collisions. A successful attempt causes the MySQL application to crash.
Signature ID: 35161 Php code injection attempt Threat Level: Severe Signature Description: This rule hits when the HTTP request line contains PHP delimiting statements. Attackers may inject PHP delimiting statements to cause abnormal code to be embedded in PHP statements.
Signature ID: 35168 Apache scoreboard shared memory and DoS attacks Threat Level: Severe Signature Description: The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].
Signature ID: 35202 IBM Tivoli Provisioning Manager for OS Deployment HTTP Server Buffer Overflow Vulnerability Threat Level: Warning Industry ID: CVE-2008-0401 Bugtraq: 27387 Signature Description: IBM Corp.'s Tivoli Provisioning Manager for OS Deployment is a network boot server that facilitates central management of networked workstations.
the cgiABLogon.exe CGI module, which can be exploited to cause the PolicyServer.exe service to terminate for a number of seconds. Patches are available for this issue. This signature detects when the attacker sends an overly long "PWD" parameter or "TMLogonEncrypted" parameter.
Signature ID: 35209 Cisco Secure Access Control Server for Windows User-Changeable Password Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2008-0532 Bugtraq: 28222 Signature Description: Cisco Secure Access Control Server (ACS) is an access policy control platform that helps to comply with growing regulatory and corporate requirements.
improper bounds checking in the Client Acceptor Daemon dsmcad.exe, which runs on TCP port 1581 by default. If the Client Acceptor Daemon (CAD) is used with either the Web GUI or with CAD-managed scheduling, a remote attacker could send a malicious HTTP request whose Host field contains a large string that could overflow a buffer and execute arbitrary code on the system or cause the client to crash.
Signature ID: 35218
IBM eGatherer ActiveX Code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-4221
Bugtraq: 19554
Signature Description: A stack-based buffer overflow in the IBM Access Support eGatherer ActiveX control before 3.20.0284.0 allows remote attackers to execute arbitrary code via a long filename parameter to the RunEgatherer method.
Signature ID: 35223
Microsoft Rich Text Box ActiveX Control Arbitrary File Overwrite Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-0237
Bugtraq: 27201
Signature Description: The Microsoft Rich Text Box ActiveX control provides a user interface widget for editing Rich Text Format (RTF) documents. The Microsoft Rich Text Box ActiveX control (Microsoft Rich Textbox Control 6.
Signature Description: The Microsoft Rich Text Box ActiveX control provides a user interface widget for editing Rich Text Format (RTF) documents. The Microsoft Rich Text Box ActiveX control (Microsoft Rich Textbox Control 6.0) is vulnerable to arbitrary file overwrite via the insecure savefile method.
SecurityGateway.dll user can cause stack-based buffer overflow. Successful exploitation allows an attacker to execute arbitrary code. The vendor has provided a patch to resolve this issue. Please see the references.
handling RTSP replies. By sending a specially crafted reply containing an overly long "Reason-Phrase", a user can execute arbitrary code on the victim system. A patch is available to resolve this issue.
exploited by sending a large number of CWD commands to the vsftp daemon with the deny_file configuration option in /etc/vsftpd/vsftpd.conf or the path where the FTP server is installed.
memory corruption vulnerability. A specially crafted image, when loaded by the target user, will invoke the 'dxtmsft.dll' ActiveX control and trigger a memory corruption error, allowing arbitrary code to execute on the target system. The code will run with the privileges of the target user. The vendor has provided patches to resolve this issue. Update to the latest version available from the vendor's web site.
commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems starting in 1995. MSIE versions 5.01, 6, 6 SP1, 7 are vulnerable to this memory corruption vulnerability. By sending a specially crafted image that, when loaded by the target user, will invoke the 'dxtmsft.
issue can result in arbitrary code execution or cause the application to crash. Update to version 4.5 Service Pack 2, available from the HP Web site. Please see vendor's advisory for more details. This signature detects attacks on TCP port 1106.
Signature ID: 35261
Double-Take negative vector field value Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2008-0975
Bugtraq: 27951
Signature Description: Double-Take for Windows from Double-Take Software makes data replication and recovery easy by providing real-time backup and automatic failover capabilities for physical and virtual servers.
distributed under the HP StorageWorks Storage Mirroring is vulnerable to a denial of service attack. This vulnerability is caused by a large vector value sent to the server on UDP port 1105. No patch information is available to resolve this issue.
method. This method accepts one parameter, the specified file name for the eGatherer log output. By filling the single parameter with a large string, a straight stack overflow occurs.
Signature ID: 35270
Visual Basic Enterprise Edition SP6 vb6skit.
and marketing brochures. The content managed may include computer files, image media, audio files, electronic documents, and Web content. Anata CMS 1.0b5 is vulnerable to an SQL injection attack. By sending a specially crafted request for the change.php file using the POST method, a user can inject code into the form, and an attacker can execute your account with administrator privileges.
vulnerable system when a user visits a malicious website, and also causes memory corruption via overly long arguments. No remedy was available as of July 6, 2008; users can set the kill bit for the CLSID D2797899-BE27-4CDB-892F-4FDC26EA9BA9 to resolve this issue.
Signature ID: 35278
Black Ice Barcode SDK BIDIB.
Signature ID: 35281
Black Ice Barcode SDK BIDIB.ocx ActiveX control code execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-2683 CVE-2008-2684
Signature Description: The Black Ice Barcode Reading SDK/ActiveX toolkit is a robust and efficient library 2D DataMatrix barcoding function. It is used for reading/decoding, searching barcodes, and detecting barcode orientation.
DataMatrix barcoding function. It is used for reading/decoding, searching barcodes, and detecting barcode orientation. DataMatrix barcodes can store large amounts of data in a small symbol, up to a maximum 3,116 Digits or 2,335 ASCII characters. Using DataMatrix barcodes, developers can eliminate database information retrieval, and can simply read all account details from the DataMatrix barcode symbol itself. Black Ice, BITiff.
Signature ID: 35288
Black Ice Barcode SDK BITiff.ocx ActiveX control buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2008-2693
Signature Description: The Black Ice Barcode Reading SDK/ActiveX toolkit is a robust and efficient library 2D DataMatrix barcoding function. It is used for reading/decoding, searching barcodes, and detecting barcode orientation.
characters. Using DataMatrix barcodes, developers can eliminate database information retrieval, and can simply read all account details from the DataMatrix barcode symbol itself. Black Ice, BITiff.ocx in Barcode SDK 5.01 is vulnerable to a stack-based buffer overflow.
Signature ID: 35295
Black Ice 'BiAnno.ocx' Annotation SDK ActiveX Control Remote Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-2745
Bugtraq: 29635
Signature Description: The Black Ice Barcode Reading SDK/ActiveX toolkit is a robust and efficient library 2D DataMatrix barcoding function. It is used for reading/decoding, searching barcodes, and detecting barcode orientation.
Signature ID: 35300
Oracle Application Server Web Cache Heap Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0385
Bugtraq: 9868
Nessus: 12126
Signature Description: The Oracle Web Cache is useful for caching static and dynamic content generated from Oracle Application web servers, thus reducing bandwidth usage and server load. The Oracle9i Application Server Web Cache versions 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.
Signature ID: 35304
Adobe Reader AcroPDF.dll ActiveX denial of service vulnerability
Threat Level: Severe
Industry ID: CVE-2006-6027
Bugtraq: 21813
Signature Description: Adobe Acrobat is a family of computer programs developed by Adobe Systems, designed to view, create, manipulate and manage files in Adobe's Portable Document Format. Adobe Reader 7.0.8.
overwrite arbitrary files on the system. A remote attacker can send a specially crafted desname parameter to overwrite any files on the application server. Apply the critical patch update released in Jan 2006 by Oracle. This signature detects attacks using %HH encoding and attack packets sent to the range 7777-7787.
listed in Oracle Security Alert #66. This signature detects attack traffic containing COPY, DELETE, GET, HEAD or LOCK methods.
Signature ID: 35316
Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
Threat Level: Severe
Signature Description: Secure Shell Handler or SSH is a network protocol that allows data to be exchanged using a secure channel between two computers.
Signature ID: 35319
Cisco Secure ACS for Windows NT Server Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-1054
Bugtraq: 1705
Signature Description: Cisco Secure Access Control Server (ACS) is an access policy control platform.
Signature ID: 35322
Cisco IOS SNMP Message Processing vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0714
Bugtraq: 10186
Signature Description: The Simple Network Management Protocol (SNMP) defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. A device or host that supports SNMP is an SNMP entity.
Signature ID: 35325
Cisco IOS SNMP Message Processing vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0714
Bugtraq: 10186
Signature Description: The Simple Network Management Protocol (SNMP) defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. A device or host that supports SNMP is an SNMP entity.
Signature ID: 35333
Cisco IOS FTP Server Vulnerability
Threat Level: Critical
Industry ID: CVE-2007-2586
Bugtraq: 23885
Signature Description: File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to another through a network, such as the Internet. CISCO IOS is the operating system used on the vast majority of Cisco Systems routers and all current Cisco network switches.
open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available. It is used by many operating systems and network devices to reduce development time. OpenSSL 0.9.6 before 0.9.
OpenSSL library in a variety of computer languages are available. It is used by many operating systems and network devices to reduce development time. OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. CISCO IOS is the operating system used on the vast majority of Cisco Systems routers and all current Cisco network switches. Linux is the name of a Unix-like computer operating system. Many versions of Linux and Cisco IOS suffer from this vulnerability.
network switches. Linux is the name of a Unix-like computer operating system. Many versions of Linux and Cisco IOS suffer from this vulnerability. This signature detects non-SSL traffic over TCP port 995 (pop3s - pop3 protocol over TLS/SSL), which is known to be used for SSL communication.
suffer from this vulnerability. This signature detects non-SSL traffic over TCP port 684 (CORBA IIOP SSL), which is known to be used for SSL communication.
Signature Description: The Simple Network Management Protocol (SNMP) is a protocol used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects. SNMPv3 is defined by RFCs 3411 to 3418.
contains its first byte as a carriage return character. Repeated attacks could result in an extended denial of service condition. This signature detects any packet to port 7161 whose first byte is a carriage return.
Signature ID: 35401
Cisco IOS IPv4 Packet Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0567
Bugtraq: 8211
Signature Description: Cisco IOS (Internetwork Operating System) is the software used on the Cisco Systems routers and Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions. It is integrated with a multitasking operating system.
Signature ID: 35405
Cisco IOS IPv4 Packets Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0567
Bugtraq: 8211
Signature Description: Cisco IOS (Internetwork Operating System) is the software used on the Cisco Systems routers and Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions. It is integrated with a multitasking operating system.
Signature ID: 35409
Cisco IOS IPv4 Packets Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0567
Bugtraq: 8211
Signature Description: Cisco IOS (Internetwork Operating System) is the software used on the Cisco Systems routers and Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions. It is integrated with a multitasking operating system.
Signature ID: 35416
Cisco Catalyst telnet server memory leak denial of service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0041
Bugtraq: 2072
Signature Description: Cisco Catalyst switches are vulnerable to a denial of service attack, caused by a memory leak in the Telnet server. Telnet is a network protocol used on the Internet or local area network (LAN) connections.
Signature ID: 35420
Cisco OpenSSL Implementation Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0079
Bugtraq: 9899
Signature Description: Secure Sockets Layer (SSL) is a protocol used to encrypt the data transferred over a TCP session. OpenSSL (OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c) is vulnerable to a denial of service caused by a NULL-pointer assignment in the "do_change_cipher_spec()" function.
Signature ID: 35425
Cisco OpenSSL Implementation Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0079
Bugtraq: 9899
Signature Description: Secure Sockets Layer (SSL) is a protocol used to encrypt the data transferred over a TCP session. OpenSSL (OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c) is vulnerable to a denial of service caused by a NULL-pointer assignment in the "do_change_cipher_spec()" function.
server that uses the OpenSSL library to cause OpenSSL to crash. This signature detects on the service ftp protocol, control, over TLS/SSL on TCP port 990.
Signature ID: 35430
Cisco OpenSSL Implementation Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0079
Bugtraq: 9899
Signature Description: Secure Sockets Layer (SSL) is a protocol used to encrypt the data transferred over a TCP session. OpenSSL is (OpenSSL 0.9.7a, 0.9.
in large networks. Cisco devices (Cisco IOS versions 11.1(x)-11.3(x) and 12.0(x)-12.2) are vulnerable to a denial of service attack. A remote attacker could send a malformed BGP (1) open or (2) update message to the vulnerable device to cause the device to reload. This signature detects an unknown message type.
Signature ID: 35439
Cisco IOS EIGRP Remote Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-4436
Bugtraq: 15978
Signature Description: Cisco IOS (Internetwork Operating System) is the software used on the Cisco routers and Cisco switches. IOS is a package of routing, switching, internetworking and telecommunication functions tightly integrated with a multitasking operating system.
Signature Description: Oracle is a widely deployed DBMS. Clients use a protocol called TNS to communicate with the Oracle server. This protocol's messages are used for session setup, authentication and data transfer. Oracle Database, version 8i, 9i, and 10g, could allow a remote attacker with create session privileges to execute arbitrary SQL commands.
Signature Description: Symantec offers a suite of corporate and consumer security products including a firewall application which includes SYMDNS.SYS driver, which is responsible for validating DNS and NBNS (NetBios Name Service) responses. Symantec Norton Internet Security and Personal Firewall devices are vulnerable to denial of service attack, caused by the improper validation of Domain Name System (DNS) response packets.
/plugins/hpjdwm/script/test/setinfo.hts script. Successful exploitation may allow an attacker to read the local.user file and gain the encrypted passwords of all users who have a password set for the Jet Admin application. No remedy available as of November 15, 2008.
Signature ID: 35456
Symantec Veritas NetBackup bpcd.exe Command Chaining
Threat Level: Warning
Industry ID: CVE-2006-0492
Bugtraq: 21565
Signature Description: Symantec Veritas NetBackup is a client/server based backup software solution. Symantec Veritas NetBackup, version 5.0 before 5.0_MP7, 5.1 before 5.1_MP6, and 6.0 before 6.0_MP4, has a command chaining vulnerability.
and applications on an IBM Lotus Domino server. IBM Lotus Notes, version 6.5, 7.0, and 8.0, has a stack-based buffer overflow vulnerability in the Maker Interchange File viewer (mifsr.dll). This issue is triggered when an attacker creates a specially crafted .mif file. The MIF contains overly long lines and tag names/values that will trigger the buffer overflow when viewed within Lotus Notes.
mouse and keyboard data. Microsoft Windows RDP has a denial of service vulnerability caused by an input validation error. This issue is triggered when an attacker sends a specially crafted message on port 3389/tcp. Successful exploitation may allow an attacker to cause the system to crash. The issue is fixed in the patch MS05-041.
Signature ID: 35470
MailEnable SMTP NTLM Authentication Buffer Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5176
Bugtraq: 20290
Signature Description: MailEnable mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable, version professional 2.0 and Enterprise 2.
Signature ID: 35475
IBM Lotus Domino LDAP Server Memory Exception Vulnerability
Threat Level: Warning
Signature Description: Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services. IBM Lotus Domino, version 7.0 and prior, has a denial of service vulnerability in the LDAP service.
Signature ID: 35479
Trend Micro OfficeScan Atxconsole ActiveX Control Format String Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-5157
Bugtraq: 20284
Signature Description: Trend Micro OfficeScan is an enterprise-level centrally managed antivirus solution. It is commercially available for the Microsoft Windows platform. Trend Micro OfficeScan, version 7.
Upgrade to the latest version of WebEx Meeting Manager (20.2008.2606.4919 or later), available from the Cisco WebEx Web site. Alternatively, users can set the kill bit to disable ActiveX for CLSID 32E26FD9-F435-4A20-A56135D4B987CFDC.
Signature ID: 35483
Cisco Webex Meeting Manager 'atucfobj.
Signature ID: 35486
Cisco Webex Meeting Manager 'atucfobj.dll' ActiveX Control Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2008-3558
Bugtraq: 30578
Signature Description: The WebEx Meeting Manager is a client-side program that is provided by the Cisco WebEx meeting service.
attacker sending sequence of EIGRP Internal IP prefix length (the prefix length should be >0 and <=32). Successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on the system or cause Ethereal to crash. The issue is fixed in Ethereal version 0.10.3 or later, which is available at the Ethereal web site. Administrators are advised to update to the latest version of Ethereal (0.10.
Signature ID: 35493
NCTAudioStudio2 ActiveX Control NCTWavChunksEditor.DLL Arbitrary File Overwrite Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-3493
Bugtraq: 24656
Signature Description: NCTsoft NCTAudioStudio2 ActiveX control is a collection of ActiveX components for building end-user audio data applications. NCTAudioStudio2, version 2.6.1.148, ActiveX control (NCTWavChunksEditor2.
Signature ID: 35497
Trend Micro OfficeScan Server cgiRecvFile Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-2437
Bugtraq: 31139
Signature Description: Trend Micro OfficeScan is an integrated enterprise-level security product that protects against viruses, spyware, worms, and blended threats. Trend Micro OfficeScan, version 7.0, 7.3 with Patch 4 build 1362, and 8.
from the user to the httpd server. When an HTML document contains an ISINDEX tag, the browser displays an input box with searchable index. This does not mean that your HTML document is automatically a searchable index. The ISINDEX tag just captures user keystrokes and sends those keystrokes to a gateway using the GET method. The gateway performs the actual search.
attacks. The problem exists in the GetSourceTransport() method of rmoc3260.dll: constructing a malicious document and luring users to open it can lead to a crash of the application. This issue appears to be partially addressed in RealPlayer 11.0.2. This update provides version 6.0.10.50 of rmoc3260.dll.
This update provides version 6.0.10.50 of rmoc3260.dll. No remedy was available as of July 2008; users can set the kill bit for the CLSIDs CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA and 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93 to resolve this issue.
Signature ID: 35521
Cisco IOS SSH Malformed Packet Vulnerabilities
Threat Level: Severe
Industry ID: CVE-2002-1359
Bugtraq: 6407
Signature Description: SSH (Secure Shell) is a client-server program for authentication and encryption of network communications. Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of Service (DoS) if the SSH server is enabled on the device.
management information bases (MIBs). ILMI uses SNMP, which is designed to be simple and has a very straightforward architecture. The SNMP message is divided into two sections, a version identifier plus community name and a PDU. The vulnerability is present in Cisco IOS Software versions 11.x and 12.
Signature ID: 35539
DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods
Threat Level: Severe
Industry ID: CVE-2008-4749
Bugtraq: 31907
Signature Description: VImpX is an ActiveX control that imports data into various databases. DB Software Laboratory 'VImpX.
versions may also be affected. This vulnerability is caused by improper bounds checking in the LogFile, ClearLogFile and SaveToFile methods of the VImpX.ocx ActiveX control. By persuading a victim to visit a malicious Web page which contains hex encoded data, a remote attacker could execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer).
Signature ID: 35547
DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2008-4922
Bugtraq: 31987
Signature Description: The DjVu ActiveX handles files in the DjVu digital document format. It is a new image compression technology.
Signature ID: 35550
DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2008-4922
Bugtraq: 31987
Signature Description: The DjVu ActiveX handles files in the DjVu digital document format. It is a new image compression technology.
Signature ID: 35553
DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2008-4922
Bugtraq: 31987
Signature Description: The DjVu ActiveX handles files in the DjVu digital document format. It is a new image compression technology.
Signature ID: 35556
Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite Vulnerability
Threat Level: Severe
Bugtraq: 31984
Signature Description: Visagesoft eXPert PDF Viewer ActiveX control is an application for viewing PDF documents. It provides a standalone embeddable PDF Viewer for Windows application developers.
Signature ID: 35559
Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite Vulnerability
Threat Level: Severe
Bugtraq: 31984
Signature Description: Visagesoft eXPert PDF Viewer ActiveX control is an application for viewing PDF documents. It provides a standalone embeddable PDF Viewer for Windows application developers.
exploit attempts will likely result in denial-of-service conditions. No remedy was available as of Nov 22, 2008; users can set the kill bit for the CLSID {BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A}, corresponding to the ProgID VSPDFEditorX.VSPDFEdit, to resolve this issue.
Signature ID: 35570
E-vision cms addcontact.php module parameter Local File Inclusion vulnerability
Threat Level: Severe
Bugtraq: 32180
Signature Description: E-Vision CMS is a PHP-based content manager. e-Vision CMS is a Web Content Management System written in PHP, with a MySQL database backend. It runs on Linux and Windows (with Apache). The e-Vision CMS powered website can be designed and used with no technical background.
vulnerability in the WebLaunch.WeblaunchCtl.1 ActiveX control includes the insecure "DoWebLaunch()" method, which can be exploited to execute arbitrary commands on the vulnerable system. By persuading a victim to visit a malicious Web page that passes an overly long string to the DoWebLaunch() method which allows remote attackers to execute arbitrary programs via a ..
conditions. No remedy was available as of August 12, 2008; users can set the kill bit for the CLSID BDF9442E-9B03-42C2-87BA2A459B0A5317 to resolve this issue.
Signature ID: 35577
ImageShack Toolbar ImageShackToolbar.
Signature Description: The ADODB.Connection ActiveX control, which is provided as part of the ActiveX Data Objects (ADO) and is distributed in MDAC, is vulnerable to remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Signature ID: 35584
E-vision cms addtour.php module parameter Local File Inclusion vulnerability
Threat Level: Warning
Bugtraq: 32180
Signature Description: E-Vision CMS is a PHP-based content manager. e-Vision CMS is a Web Content Management System written in PHP, with a MySQL database backend. It runs on Linux and Windows (with Apache). The e-Vision CMS powered website can be designed and used with no technical background.
allow the attacker to obtain sensitive information or gain unauthorized access to an affected computer in the context of the vulnerable server. e-Vision CMS 2.0.2 is vulnerable, other versions may also be affected.
Signature ID: 35590
Lupper worm - Includer Remote Command Execution vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0689
Bugtraq: 12738
Signature Description: Linux/Lupper.B is a worm.
where an attacker could perform a stack-based buffer overflow by sending a request to a vulnerable function, "NetPathCanonicalize".
Signature ID: 35602 Yahoo Messenger 8.1 ActiveX Remote Denial of Service Attack Threat Level: Severe Industry ID: CVE-2007-6228 Bugtraq: 26656 Signature Description: Yahoo! Companion is a personalized browser toolbar that allows you to access bookmarks, links to Yahoo!, and other features from any personal computer with the software installed and an Internet connection. Yahoo Messenger 8.
Signature ID: 35606 Yahoo Messenger 8.1 ActiveX Remote Denial of Service Attack Threat Level: Severe Industry ID: CVE-2007-6228 Bugtraq: 26656 Signature Description: Yahoo! Companion is a personalized browser toolbar that allows you to access bookmarks, links to Yahoo!, and other features from any personal computer with the software installed and an Internet connection. Yahoo Messenger 8.
Signature ID: 35610 Document Imaging SDK Buffer Overflow Vulnerability Threat Level: Severe Signature Description: SDK/ActiveX is a software development tool that helps application developers and programmers to create applications with sophisticated image processing capabilities.
information to HP support specialists in HP's worldwide customer support organization. Hewlett-Packard will treat the collected information as confidential. The HP Instant Support ActiveX control is used by HP to provide support to HP desktop systems. HP Instant Support 1.0 23 and prior are vulnerable to multiple attacks such as buffer overflows and file overwrite vulnerabilities.
Signature ID: 35618 HP Instant Support HPISDataManager.dll ActiveX Control Multiple Vulnerabilities Threat Level: Severe Signature Description: Instant Support Professional Edition (ISPE) will collect and send your computer and printer information to HP support specialists in HP's worldwide customer support organization. Hewlett-Packard will treat the collected information as confidential.
could trigger one of these vulnerabilities. Successfully exploiting one of these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the current user. The vendor has confirmed this issue and provided patches to resolve it. Alternatively, users can set the kill bit for the CLSID corresponding to the ProgID HPISDataManagerLib.Datamgr to resolve this issue.
error in the NCTsoft AudFile.dll ActiveX Control when handling the "SetFormatLikeSample()" method. This can be exploited to cause a stack-based buffer overflow by passing an overly long string (about 4124 bytes) as an argument to the affected method. Successful exploitation allows execution of arbitrary code when a user, for example, visits a malicious website.
Signature ID: 35629 HP Software Update Hpufunction.dll ActiveX Control Insecure Method Vulnerability Threat Level: Severe Industry ID: CVE-2008-2390 Bugtraq: 28947 Signature Description: HP Software Update is a proactive tool that automatically updates selective HP software and drivers.
manipulation vulnerability. The Watchfire AppScan ActiveX control could allow a remote attacker to overwrite arbitrary files on the system. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability using the CompactSave() or the SaveSession() insecure methods to create and overwrite arbitrary files on the system.
Signature ID: 35636 Data Dynamics ActiveBar Actbar3.OCX ActiveX Control Insecure Methods Vulnerability Threat Level: Severe Industry ID: CVE-2007-3883 Bugtraq: 24959 Signature Description: The Data Dynamics ActiveBar delivers complete Microsoft Office and Visual Studio toolbars, menus and dockable windows emulation in a small and easy-to-use ActiveX control. ActiveBar 3.
network, you are connecting to one of the servers on that network. HydraIRC is an open-source IRC client with an attractive and easy to use interface. It supports DCC Chat and File transfers, Connecting to multiple servers, Autohiding Windows, DLL Plugins, Channel Monitoring, Event Viewer, Audible and Visual Notifications and much more. HydraIrc 0.3.
No remedy was available as of August 12, 2008; users can set the kill bit for the CLSID 82351441-9094-11D1-A24B-00A0C932C7DF to resolve this issue.
Signature ID: 35643 Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow Vulnerability Threat Level: Severe Bugtraq: 30621 Signature Description: Download Accelerator Plus is a closed source software download manager for Microsoft Windows.
Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. No remedy was available as of August 12, 2008; users can set the kill bit for the CLSID value corresponding to the ProgID AniGIFCtrl.AniGIF to resolve this issue.
Signature ID: 35646 Download Accelerator Plus - DAP 8.6 (AniGIF.
containing specially formatted encoded data, a remote attacker could execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. No remedy was available as of August 12, 2008; users can set the kill bit for the CLSID value corresponding to the ProgID AniGIFCtrl.AniGIF to resolve this issue.
Microsoft Visual Studio 6.0 is vulnerable to a stack-based buffer overflow. This issue is caused when handling an overly long argument passed to the Mask parameter in the Msmask32.ocx ActiveX control. By persuading a victim to visit a specially crafted HTML page containing %u-encoded shellcode data, a remote user can cause arbitrary code to be executed on the target user's system or may cause a denial of service.
executables) to be automatically downloaded to the user's computer without any user prompt. No remedy is available as of 4 September, 2008.
Signature ID: 35657 Google Chrome Browser 0.2.149.27 denial of service attack Threat Level: Severe Signature Description: Google Chrome is a free and open source web browser developed by Google. The name is derived from the graphical user interface frame, or chrome, of web browsers.
Signature ID: 35661 FlashGet 1.9.0.1012 (FTP Response) SEH STACK Overflow Vulnerability Threat Level: Severe Signature Description: FlashGet is one of the best download managers and is very fast at downloading files from the Internet. It takes charge of your downloads, automating the whole process from start to finish.
video quality, and support for mixed-mode voice and music content. Microsoft Windows Media Encoder 9 x64 and 9 versions are vulnerable to remote code execution. By sending long exploit data to GetDetailsString() method of WMEX.
to any type of application. This CD/DVD recording SDK supports all CD/DVD devices and provides a flexible, solid framework for applications regardless of the development environment. Complex issues associated with writing to CD/DVD such as threading, buffering, and non-standard device commands are handled by the SDK. NuMedia Soft NMS DVD Burning SDK CDBurnerXP 4.2.1.
currently logged-on user. Successful exploitation allows execution of arbitrary code on the victim system. No patch details are available to resolve this issue; users can set the kill bit for the CLSID corresponding to the ProgID to resolve this issue.
Signature ID: 35672 NuMedia NMSDVDX.
comes with a user interface for total customization. The Switch control contains several templates such as ON/OFF, Toggle, Dial, Rocker and more. The Vessel ActiveX control comes with a user interface for total customization. ICONICS Vessel/Gauge/Switch ActiveX Control 8.2.140 0 and DlgWrapper.dll 8.0.138 0 are vulnerable to a stack-based buffer overflow.
SSL IMAP. It has a full set of mailbox management features for adding, deleting, and renaming mailboxes. Chilkat IMAP ActiveX 7.9 is vulnerable to a denial of service attack. This vulnerability is caused by the function LoadXmlEmail(), present in ChilkatMail_v7_9.dll, which allows an attacker to execute a file, leading to a denial of service in IE.
Software Opera Web Browser versions prior to 9.60 are vulnerable to remote code execution in their handling of addresses and Java applets. A specially crafted address used in a redirection can result in a buffer overflow.
Digital Image Suite has full support for Adobe Photoshop plugins. It also includes Digital Image Library for organizing images. The Microsoft Digital Image picturepusher ActiveX control (PipPPush.dll 7.00.0709) is vulnerable to information disclosure.
Signature ID: 35691 Chilkat Socket activex 2.3.1.1 Remote Arbitrary File Creation Vulnerability Threat Level: Severe Signature Description: The Chilkat socket library provides a high-level, easy-to-use API for TCP/IP socket programming. It supports creating secure channels with SSL 2.0, SSL 3.0, and TLS 1.0. Both client-side and server-side SSL/TLS are supported, including the use and verification of digital certificates.
Signature ID: 35695 Chilkat Socket activex 2.3.1.1 Remote Arbitrary File Creation Vulnerability Threat Level: Warning Signature Description: The Chilkat socket library provides a high-level, easy-to-use API for TCP/IP socket programming. It supports creating secure channels with SSL 2.0, SSL 3.0, and TLS 1.0. Both client-side and server-side SSL/TLS are supported, including the use and verification of digital certificates.
2008, but alternatively users can set the kill bit for the CLSID 474FCCCD-1B89-4D34-9E09-45807F23289C corresponding to the ProgID ChilkatSocket.ChilkatSocket.1 to resolve this issue.
Signature ID: 35699 Skype Toolbars Extension for Firefox BETA Clipboard Security Weakness Threat Level: Warning Bugtraq: 31613 Signature Description: Skype Toolbars Extension for Firefox BETA provides Skype VOIP features to the web browser.
Signature ID: 35802 MicroWorld Technologies MailScan Information Disclosure Vulnerability Threat Level: Warning Industry ID: CVE-2008-3729 Bugtraq: 30700 Signature Description: MailScan 5.6 is the Real-Time AntiVirus and AntiSpam solution for Mail Servers. The software safeguards organizations against Virus, Worm, Trojan and many other malware breeds with proactive technologies.
Signature ID: 35807 KVIrc 3.4.2 (uri handler) Remote Command Execution Vulnerability Threat Level: Severe Industry ID: CVE-2007-2951 Bugtraq: 32410 Signature Description: KVIrc is a multi-language, graphical IRC client for Windows, Linux, Unix and Mac OS. KVIrc is able to connect to several servers at the same time (optionally with SSL and/or IPv6). KVIrc version 3.4.2 is vulnerable to remote code execution.
Signature ID: 35811 MW6 Aztec ActiveX (Aztec.dll) Remote Insecure Method Vulnerability Threat Level: Severe Industry ID: CVE-2008-4923 Bugtraq: 31974 Signature Description: Aztec ActiveX is a powerful ATL-based control for handling Aztec 2D barcode and can be used in any ActiveX-compliant environment such as Word, Access, Excel, VB.NET, C#.NET, Visual Basic, Visual C++, Visual FoxPro, Delphi or C++ builder.
SaveEnhWMF() present in the Barcode.dll file. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability using the insecure methods to overwrite or corrupt arbitrary files on the system. Successful exploits will compromise affected computers and will aid in further attacks.
application for recovering passwords by sniffing them from the connected network. It is developed for the Microsoft operating system. Cain & Abel versions 4.9.23 and 4.9.24 are vulnerable to a remote buffer overflow. When using the remote desktop password decoder in Cain to import an ".rdp" file that contains long character strings, the program will crash. Patch details are available; please upgrade to Cain & Abel version 4.9.
interfaces with very little code. Flexcell Grid ActiveX control 5.6.9 and 5.7.0.2 are vulnerable to an arbitrary file overwrite vulnerability. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability using the SaveFile() and ExportToXML() insecure methods to create and overwrite arbitrary files on the system. No remedy available as of January 28, 2009.
OpenWebFile() and HttpDownloadFile() methods in Excel Viewer OCX ActiveX control. An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control. This may aid in further attacks. No remedy is available as of 29th January 2009 to resolve this issue. Alternatively, users can set the kill bit for the CLSID to resolve this issue.
AAA EasyGrid ActiveX 3.51 containing the insecure "DoSaveFile()" and "DoSaveHtmlFile()" methods. This can be exploited to corrupt arbitrary files in the context of the currently logged-on user. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability. No remedy was available as of January 24, 2009, but alternatively users can set the kill bit for the CLSID to stop the ActiveX functionality.
Signature ID: 35837 3Com OfficeConnect Wireless Cable/DSL Router Authentication Bypass Vulnerability Threat Level: Warning Signature Description: The 3Com OfficeConnect Wireless Cable/DSL Router is a high-speed, affordable, and easy-to-use small office solution that lets wireless and wired PCs and laptops securely share a single broadband Internet connection.
Signature ID: 35842 Synactis ALL In-The-Box ActiveX Control Arbitrary File Overwrite Vulnerability Threat Level: Severe Industry ID: CVE-2009-0465 Bugtraq: 33535 Signature Description: Synactis ALL In-The-Box is a development tool for creating, viewing, printing and documents programmatically. It is very powerful and easy to use. It produces documents by assembling objects and data supplied by the developer.
organizations increase Web site and application availability while lowering system administration costs. Microsoft IIS 6.0 and 5.1 versions are vulnerable to this remote code execution attack. The vulnerability is caused by an unspecified error within the processing of input to ASP web pages.
requires that "magic_quotes_gpc" is disabled. PHP is prone to a security-bypass weakness. Attackers can use this issue to bypass security checks in PHP applications that rely on the Magic Quotes functionality. This opens such applications up to potential attacks that take advantage of the software's failure to properly sanitize user input. This vulnerability is confirmed in version 2.5.4. Other versions may also be affected.
control stores configuration data for the policy setting Microsoft Scriptlet Component. This vulnerability is caused by improper bounds checking by the "CollectGarbage" method. By persuading a victim to visit a malicious Web page, a remote attacker could execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer 7).
start to load the malicious program on boot up. The malicious file size is about 237,568 bytes to 774,144 bytes. This signature will trigger when the AdWare.Win32.MWGuide keepalive traffic pattern is found.
specially-crafted LDAP Modify request. Successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on the system.
Signature ID: 36204 Microsoft SQL Server CONVERT Function Buffer Overflow Vulnerability Threat Level: Severe Industry ID: CVE-2008-0086 Signature Description: Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft.
Signature Description: Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL. The INSERT statement adds one or more records to any single table in a relational database.
Signature Description: WordPress is a blogging application that is written in PHP. It can be used to create any type of web site and as a Content Management System. WordPress, version 2.1.1, could allow a remote attacker to execute arbitrary commands on the system. This signature detects an attacker sending a specially-crafted request to the feed.php script using the ix parameter.
Signature Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. A wrapper is additional code which tells the stream how to handle specific protocols/encodings. PECL ZIP 1.8.3 and earlier, and PHP 5.2.0 and 5.2.1, contain a stack-based buffer overflow vulnerability caused by improper bounds checking of 'zip:' URLs.
fixed in the version of VLC media player (0.9.3 or later) available from the VideoLAN web site. Administrators are advised to update to this version to resolve the issue.
Signature ID: 36305 VLC HTTPd Connection Header Format String Vulnerability Threat Level: Warning Industry ID: CVE-2007-6682 Bugtraq: 27015 Signature Description: VideoLAN VLC media player is an open-source, highly portable multimedia player for various audio and video formats, as well as DVDs, VCDs, and various streaming protocols.
Signature ID: 36406 NetSurf Web Browser 1.2 HTML Image Tag, alt property overflow vulnerability Threat Level: Severe Bugtraq: 33279 Signature Description: NetSurf is a web browser for RISC and UNIX-like operating systems. NetSurf is exposed to multiple memory corruption issues. Successful exploits allow remote attackers to execute arbitrary code in the context of the affected application.
application parses a specially crafted ".aup" project file. Audacity version 1.6.2 is affected. This signature hits when the remote AUP file has large strings.
Signature ID: 36414 Safari Browser Integer Array Heap Overflow Threat Level: Information Industry ID: CVE-2009-0070 CVE-2008-2307 Signature Description: Safari is a web browser developed by Apple Company. It can run on Windows XP, Vista, Mac OS, etc.
Signature ID: 36418 MW6 Barcode ActiveX (Barcode.dll) Remote Heap Overflow Threat Level: Severe Industry ID: CVE-2009-0298 Bugtraq: 33451 Signature Description: Barcode ActiveX has a rich set of features to embed barcode representations in Microsoft products.
applications and report generators. Office, VB and VBA developers especially benefit from the convenient and powerful programming options. The SUPPLEMENT method of this ActiveX control suffers from a buffer overflow. A remote attacker can exploit this issue by enticing users to visit malicious web pages. A successful remote attacker can execute arbitrary code in the context of the application using the vulnerable ActiveX control.
Signature ID: 36425 PowerPoint Viewer OCX Activex Vulnerability Threat Level: Severe Bugtraq: 33238 Signature Description: PowerPoint Viewer OCX acts as an ActiveX document container for hosting PowerPoint documents in a custom form or Web page. The OCX is lightweight and flexible, and gives developers new possibilities for using Microsoft PowerPoint in a custom solution.
Signature ID: 36430 PowerPoint Viewer OCX Activex Vulnerability Threat Level: Severe Bugtraq: 33238 Signature Description: PowerPoint Viewer OCX acts as an ActiveX document container for hosting PowerPoint documents in a custom form or Web page. The OCX is lightweight and flexible, and gives developers new possibilities for using Microsoft PowerPoint in a custom solution.
Signature ID: 37002 Classical SQL Injection with a tautology condition framed with strings Threat Level: Severe Signature Description: SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database.
slash(/)star(*). The attacker uses this technique to make the server ignore the embedded MySQL statement. In this way the attacker can bypass database validations on the victim machine. A successful attacker gains admin access on the affected system.
Signature ID: 37012 SQL Injection with SELECT SQL Statement Threat Level: Severe Signature Description: This rule hits when an SQL SELECT statement exists in the HTTP request argument value. This SQL statement is used to view records of SQL database tables. The attacker injects this SQL statement to view database records of the tables on the victim machine.
Signature ID: 37018 SQL Injection with SQL UNION Statement Threat Level: Severe Industry ID: CVE-2008-2916 Signature Description: This rule hits when the HTTP request argument contains an SQL UNION statement. The UNION statement is used to join two or more SQL statements to form one single SQL statement; the attacker uses this statement to include his own SQL statement.
Signature ID: 37024 SQL Injection with SQL UPDATE Statement Threat Level: Severe Signature Description: This rule hits when the HTTP request argument contains an SQL UPDATE statement. This statement is used to modify database records. The attacker uses this statement to modify the records of the victim’s database. A successful attacker gains admin access on the victim’s database.
Signature ID: 37030 Classical SQL Injection with HTML Encoded format, Possible Signature Evasion Threat Level: Severe Signature Description: This rule hits when the HTTP request argument contains the HTML-encoded format of the character ’. The attacker uses this pattern to evade IPS signatures, but browsers execute this pattern successfully on their local machines. A successful attacker gains admin access on the affected system.
Signature ID: 37036 SQL Injection With SQL UNION statement Threat Level: Severe Industry ID: CVE-2008-2891 Signature Description: This rule hits when the HTTP request argument contains the SQL statement UNION, with the UNION statement in the format "any number of spaces (not encoded) followed by the UNION statement". The purpose of the SQL UNION command is to combine the results of two queries together.
Signature Description: This rule hits when the HTTP request argument contains an HTML tag. Cross-site scripting is possible by passing HTML tags to the server in an HTTP request argument; the server then creates a page based on the passed data and returns that page as a malicious web page, or the user may be redirected to some other person or attacker.
or eval functions of Script Statements. These functions are executed in the victim's browser.
Signature ID: 38000 Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit Threat Level: Severe Industry ID: CVE-2007-4218 Bugtraq: 25395 Signature Description: ServerProtect Agent service 5.58 Build 1176 and prior is vulnerable to a stack-based buffer overflow. This vulnerability is due to improper bounds checking by the SetPagerNotifyConfig function. By sending a malicious RPC request to the SpntSvc.
overflow. This vulnerability is due to improper bounds checking by the SetSpntShareConfig function. By sending a malicious RPC request to the SpntSvc.exe service on TCP port 5168, a remote attacker could overflow a buffer and execute arbitrary code on the vulnerable system with SYSTEM privileges. This vulnerability is fixed.
Signature ID: 38010 Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit Threat Level: Severe Industry ID: CVE-2007-4218 Bugtraq: 25395 Signature Description: ServerProtect Agent service 5.58 Build 1176 is vulnerable to a stack-based buffer overflow. This vulnerability is due to improper bounds checking by the Trent_req_num_a0030 function. By sending a malicious RPC request to the SpntSvc.
lack of boundary check when processing user authentication requests. By sending a specially crafted authentication request, an unauthenticated remote attacker can leverage these flaws to execute arbitrary code on the target host with System privileges.
Signature ID: 38051 RIM BlackBerry Enterprise Server Router Component Denial of Service Threat Level: Warning Industry ID: CVE-2005-2342 Signature Description: There exists a denial of service vulnerability in the RIM BlackBerry Server product. The communication between BlackBerry routers may be disrupted by sending crafted Server Routing Protocol (SRP) messages.
ActionDefineFunction2(0x8E) in the DoAction Tag. The vulnerable parameter is a user supplied ActionDefineFunction(0x9B) or ActionDefineFunction2(0x8E) action record.
Signature ID: 38057 WinACE RAR and TAR Directory Traversal Vulnerability Threat Level: Severe Bugtraq: 16800 Signature Description: There exists a directory traversal vulnerability in the WinACE application.
Signature ID: 38063 Opera Telnet URI Handler File Creation Threat Level: Warning Industry ID: CVE-2004-0473 Signature Description: Opera Software ASA's Opera Web browser is vulnerable to an attack through the telnet URI handler. An attacker can invoke telnet with a trace file name as an argument by having the Opera web browser request a URI address. The supplied trace file can then be created on the host of the web browser's user.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 exploited by an attacker to read an HTTPS request URL sent by Internet Explorer despite the use of an encrypted connection. The vulnerable program is the dynamically linked library wininet.dll. Exploit attempts of this vulnerability detected using a combination of three signatures, this is third signature and generate log message.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 certain security restrictions. The vulnerable program is the binary realplay.exe. The problematic parameter is a URL employing the file:// scheme embedded with a RealMedia clip. Signature ID: 38076 MailEnable IMAP Service Buffer Overflow Threat Level: Warning Industry ID: CVE-2004-2501 Signature Description: A vulnerability exists in the way the IMAP service in MailEnable parses IMAP data.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 name, contains "%01" character before an @ sign in the user@domain portion of the URI. Mshtml.dll is the vulnerable program, which displays a URL string containing "%01" incorrectly at "Address Bar" and "Status Bar" of its host programs, i.e. Internet Explorer, Outlook Express, etc.
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94 Signature ID: 38200 Media Wiki XSS Attempt Threat Level: Severe Industry ID: CVE-CVE-2006-2611 Signature Description: Media Wiki versions 1.6.x or earlier vulnerable to Cross-Site scripting (XSS) attacks. An attacker can inject an arbitary java script into Media Wiki Post, which can be executed in the genuine users context when that post is visited. This is a client targetted attack rather than attack on media wiki servers.
the object tag, which might allow a remote attacker to execute arbitrary code. It uses the SMTP protocol to exploit the vulnerability.
Signature ID: 38207 Microsoft Outlook object handling vulnerability Threat Level: Severe Industry ID: CVE-2004-2482 Signature Description: Microsoft Outlook 2000 to 2003 contains a vulnerability in handling improperly encoded object tags while Microsoft Word is used as an email editor.
Signature ID: 100001 IP Land Attack Detected Threat Level: Critical Signature Description: The Land attack is one of the many DoS attacks; it exploits a buggy implementation of the TCP/IP stack on certain operating systems. In the normal TCP/IP handshake, the client sends a SYN packet, the server replies with SYN+ACK, and finally the connection is established when the client sends an ACK packet.
Signature ID: 100005 Uninitiated ICMP Echo Response Threat Level: Severe Signature Description: ICMP is the protocol used by IP to report an error in delivering a packet to its destination or to learn the status of a remote host. To find out whether a particular host is up, an ICMP echo (type 8) packet is sent, and the receiving host replies with an ICMP echo reply (type 0) to confirm that it is up.
Signature ID: 100009 Packet with Invalid TCP Header Length Threat Level: Critical Signature Description: IP is the protocol that works as the carrier for higher-level protocols such as TCP. There are many header fields in an IP packet. "Total Length [TL]" is one of them; it specifies the total length of the IP packet. In the TCP header, the "offset" field gives the size of the TCP header. The minimum value of TCP header length is 20.
Signature ID: 100015 TCP Packet Received after Reseting the Connection Threat Level: Critical Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and then data starts flowing. There are two methods to terminate a connection: one is FIN-ACK and the other is RESET.
Signature Description: The WinNuke attack sends OOB (Out-of-Band) data to an IP address of a Windows machine connected to a network and/or the Internet. Usually, the WinNuke program connects via port 139, but other ports are vulnerable if they are open.
Signature ID: 100024 ICMP error message (uninitiated traffic) Threat Level: Critical Signature Description: Since the Internet Protocol is an unreliable protocol, there are no guarantees that a datagram sent by one device to another will ever actually get there. The inter-network of hosts and routers will make a “best effort” to deliver the datagram but it may not get where it needs to for any number of reasons.
Signature ID: 100030 Reset replay attack Threat Level: Critical Signature Description: A TCP Reset attack is a denial of service (DoS) attack in which the attacker attempts to prematurely terminate a victim's active TCP session. The attacker spoofs a packet that matches the source port, IP address and current sequence number of the active TCP connection, sets the RST bit on the spoofed packet, and then sends it.
Signature ID: 100036 TCP NULL Scan Threat Level: Information Signature Description: Port scanning is one of the most commonly carried out processes amongst hackers. Almost always, the first thing that a hacker would do on his quest to get root on a remote system is to conduct a port scan on the target system and get a list of open ports.
scan packets include the data-link header, an IP header, and a UDP header. That's all. By varying the destination port number value in the UDP header and watching the responses, a hacker can determine which UDP ports are listening on the target device. If a target device does not listen on a port, the device replies with an ICMP: Destination unreachable (Port unreachable) packet.
Signature ID: 100046 ICMP Echo Response for Unknown Sequence Number Threat Level: Critical Signature Description: ICMP is a protocol used to test the connectivity between hosts or networks. ICMP works over IP. There are a few fields in ICMP packets, and "sequence" is one of them. This field is used to help match echo requests to the associated reply. It may be zero.
Signature ID: 100050 TCP Packet with Out-of-Range Sequence Number Received Threat Level: Severe Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and then data starts flowing. Each packet is acknowledged to prevent data loss. To keep packets in order, TCP makes use of sequence numbers. Each packet carries a unique sequence number for that session.
A log is generated by this signature if the session module could not send the final ACK packet of TCP connection negotiation to the internal system.
Signature ID: 100058 Invalid ACK number in SYN+ACK Packet for a SYN packet During TCP Three-Way Handshake Threat Level: Severe Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and then data starts flowing.
Signature ID: 100062 IP packet with Source Address as Broadcast Address Threat Level: Critical Signature Description: IP packets using a broadcast address as the source address shall be dropped. Some attackers may use ping with a broadcast address as the source IP to attack. This rule hits when the system detects a packet with a broadcast address as its source address. The administrators should try to trace the origin for further investigation.
Signature ID: 100102 IP Fragmented Data for Zero Data Length Threat Level: Critical Signature Description: IP has a mechanism to send very large data (data greater than the MTU) by means of fragmentation. Under this mechanism, the entire data packet is broken into smaller pieces (fragments) and these fragments are sent across the network to the destination. The destination machine reassembles these fragments into the whole data.
operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the so-called Teardrop denial of service attacks.
A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine.
Signature ID: 100141 UDP Checksum error Threat Level: Critical Signature Description: A UDP packet with an incorrect checksum was detected. The reasons could be transmission errors or an improper way of sending UDP packets. If the rate of detection of this event is high, it may be because of a possible DoS attack using a packet generation tool like ISIC or UDPSIC.
Signature Description: The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems.
Signature ID: 160148 DCE RPC Interface Buffer Overflow Exploit Threat Level: Information Signature Description: The DCOM/RPC worm is capable of spreading across Windows 2000 and Windows XP systems. According to ISC, the worm uses RPC/DCOM to propagate itself. It sends the target system a self-extracting compressed file that is 6176 bytes in size, and about 11KB when uncompressed.