TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 1010
Nimda-infected web server readme.eml file vulnerability
Threat Level: Information
Signature Description: Nimda is a worm that caused significant traffic slowdowns as it rippled across the Internet,
spreading through several vectors at once: e-mail attachments opened by users, open network shares, vulnerabilities in
Microsoft's web server, Internet Information Server (IIS), and web browsing. On a compromised IIS server the worm
writes a file named README.EML, a multipart MIME message carrying the worm, into each directory in which it finds web
content, and appends a small piece of JavaScript to the end of every HTML file it finds there. When a browser loads one
of these infected pages, the appended script opens README.EML, which causes the browser to download the worm and,
where the attachment is handled automatically, execute it. This rule triggers on web traffic that carries such an
injected reference to README.EML.
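As an added illustration of the footprint this signature looks for (example code written for this guide, not part of the ProCurve product or of any Nimda sample), the check below scans an HTTP response body for the JavaScript loader that the worm appends to HTML files. The sample pages are constructed here; the loader text mirrors the one-line `window.open("readme.eml", ...)` snippet Nimda leaves behind.

```python
import re

# Nimda appends a one-line HTML/JavaScript loader to web pages on the servers it
# infects; the loader opens readme.eml (the MIME-encoded worm) in a new window.
# Case-insensitive, tolerant of whitespace and of either quote style.
_NIMDA_LOADER = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*['\"]readme\.eml['\"]",
    re.IGNORECASE,
)


def find_nimda_loader(html):
    """Return the offset of an injected readme.eml loader in an HTML document, or -1."""
    m = _NIMDA_LOADER.search(html)
    return m.start() if m else -1


def inspect_html(html):
    """Summarise what a detector would report for one HTTP response body."""
    offset = find_nimda_loader(html)
    if offset < 0:
        return {"infected": False}
    # The worm appends its loader after the page's own closing </html>, so a
    # loader that follows the first </html> is the classic footprint.
    first_close = html.lower().find("</html>")
    return {
        "infected": True,
        "offset": offset,
        "appended_after_html": 0 <= first_close < offset,
    }


# Constructed sample pages (not captures from a real server): an ordinary page,
# and the same page with the loader appended the way Nimda leaves it.
CLEAN_PAGE = "<html><head><title>Welcome</title></head><body>Hello</body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, inspect_html(page))
```

The pattern deliberately keys on the `window.open` call to `readme.eml` rather than on the surrounding `<html>` tags, since the wrapper varies between samples while the loader call does not.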
Signature ID: 1011
Microsoft Internet Explorer File Name Spoofing Vulnerability using CLSID File Extension
Threat Level: Warning
Industry ID: CVE-2004-0420 Bugtraq: 9510
Signature Description: The Windows Shell application programming interface (API) allows a class identifier (CLSID) to
be associated with a file type. A filename that ends in a CLSID in braces, instead of a conventional file extension, is
enough for the Windows Shell to launch the application registered for that CLSID, exactly as it would for a known
extension. When Internet Explorer receives content it cannot render, it presents a dialog box asking the user to save
the file to disk or to open it with the application associated with its extension. A vulnerability exists because
Internet Explorer does not save such a file under its real type: when a filename contains multiple dots, the name shown
in the dialog does not match the extension the file is actually saved and dispatched with. An attacker can exploit this
by crafting a filename consisting of a dot, a CLSID, further text, a '%2e' and a harmless-looking extension such as
'mpeg', for example 'abc.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}malware%2empeg', placing it in the Content-Disposition
field of an HTTP response header, and convincing the user to follow a link to that resource. Because Internet Explorer
cannot display the content, it shows the download dialog; the '%2e' is URL-decoded and shown as a '.' (dot), so the
user believes they are downloading or opening a file of the displayed type (an MPEG video in the example). When the
user opens the file, the Windows Shell dispatches it according to the CLSID embedded in the name, and the malicious
content is executed. Administrators are advised to install the updates described in Microsoft Security Bulletin
MS04-024.
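The detection logic behind this signature can be expressed as a check on the `Content-Disposition` header. The example below is added here for illustration and is not the ProCurve rule itself; it parses the `filename` parameter, URL-decodes it the way the download dialog would, and reports a CLSID-in-braces used as an extension together with the extension the user would be shown. The two header values are constructed for the example (the first reuses the filename from the description above).

```python
import re
from urllib.parse import unquote

# A CLSID used as an "extension": a dot followed by a GUID in braces.
_CLSID_EXT = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
)
# filename= or filename*= parameter of Content-Disposition, quoted or bare.
_FILENAME = re.compile(r'filename\*?\s*=\s*(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def extract_filename(content_disposition):
    """Return the raw (still URL-encoded) filename parameter, or None."""
    m = _FILENAME.search(content_disposition)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def analyze_content_disposition(content_disposition):
    """Flag filenames that smuggle a CLSID as their real type (CVE-2004-0420 pattern)."""
    raw = extract_filename(content_disposition)
    if raw is None:
        return {"suspicious": False, "reason": "no filename parameter"}
    decoded = unquote(raw)  # '%2e' becomes '.', which is what the dialog shows
    m = _CLSID_EXT.search(decoded)
    if not m:
        return {"suspicious": False, "raw": raw, "decoded": decoded}
    # What the user sees as the file type: the text after the last dot that
    # follows the CLSID (empty if the attacker supplied none).
    trailing = decoded[m.end():]
    apparent_ext = trailing.rsplit(".", 1)[1] if "." in trailing else ""
    return {
        "suspicious": True,
        "raw": raw,
        "decoded": decoded,
        "clsid": m.group(1),
        "apparent_extension": apparent_ext,
        "encoded_dot": "%2e" in raw.lower(),
    }


# Constructed header values for the example: the guide's spoofed name, and a benign one.
MALICIOUS = 'attachment; filename="abc.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}malware%2empeg"'
BENIGN = 'attachment; filename="quarterly-report.pdf"'

if __name__ == "__main__":
    print(analyze_content_disposition(MALICIOUS))
    print(analyze_content_disposition(BENIGN))
```

A CLSID in the filename is treated as suspicious on its own; the `encoded_dot` flag is reported separately because the '%2e' trick is what hides the real structure of the name from the user, and a rule may want to weight the two indicators differently.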
Signature ID: 1012
Microsoft Windows GDI+ Library JPEG File Parsing Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0200
Bugtraq: 11173 Nessus: 14834,14818,14724
Signature Description: The Microsoft Windows Graphics Device Interface (GDI+) is an application programming interface
(API) that lets programs render text and images on screens and printers. A remotely exploitable buffer overflow exists
in the JPEG file parsing component of GDI+ (Gdiplus.dll). A JPEG file is composed of a sequence of segments, each
introduced by a two-byte marker and, for most segment types, followed by a two-byte length field; the length counts the
two length bytes themselves plus the segment's data, so any valid value is at least 2. The comment marker (0xFFFE) is
used to store free-form comments about the image. If a comment segment declares a length of 0x0000 or 0x0001, GDI+
subtracts 2 to obtain the size of the comment data, the subtraction wraps to a very large value, and the library tries
to copy that many bytes, resulting in a heap overflow. This vulnerability can be exploited by constructing a specially
crafted JPEG file and convincing the victim to open it with any of the affected components that use the GDI+ library to
parse JPEG files. Administrators are advised to install the updates described in Microsoft Security Bulletin MS04-028.
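The marker walk this signature relies on is short enough to show in full. The following example is added for this guide and is not the ProCurve rule or Microsoft's parser; it walks the segment headers of a JPEG, stops at the start-of-scan marker where entropy-coded data begins, and reports any comment (0xFFFE) segment whose declared length is below the minimum of 2. The sample JPEG prefixes are constructed inline so the check runs offline; `build_jpeg` is a helper for this example only.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (offset, marker, declared_length) for each segment header.

    Stops at SOS (entropy-coded data follows), at EOI, or at the first segment
    whose length field is smaller than the 2 bytes it must at least cover,
    since nothing after such a segment can be located reliably.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield 0, SOI, None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill bytes before a marker are permitted
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, marker, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == SOS or length < 2:
            return
        pos += 2 + length


def find_bad_com_lengths(data):
    """Return offsets of COM segments whose length is 0 or 1, the MS04-028 trigger."""
    return [off for off, marker, length in walk_segments(data)
            if marker == COM and length is not None and length < 2]


def build_jpeg(com_length, comment=b"hello"):
    """Constructed sample: SOI, a JFIF APP0 segment, one COM segment, then SOS.

    A well-formed file declares com_length == len(comment) + 2; a value of 0 or 1
    produces the malformed comment segment described above.
    """
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", com_length) + comment
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + com + sos + b"\x00" * 16


if __name__ == "__main__":
    for com_length in (7, 1, 0):
        print(com_length, find_bad_com_lengths(build_jpeg(com_length)))
```

A production rule would also want to bound the number of segments it walks and to apply the same "length at least 2" check to every length-bearing marker, not only COM, but the comment segment is the one this signature and MS04-028 are concerned with.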
Signature ID: 1013
Microsoft ANI file parsing overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1049
Bugtraq: 12095