TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature Description: On Microsoft Windows platforms, the LoadImage API routine is used to load an image from a file.
The LoadImage API is part of the USER32 library. Microsoft Windows NT Server 4.0 SP6 and prior versions and
Microsoft Windows XP Professional SP1 and prior versions are vulnerable. A lack of validation of user-supplied
input to the LoadImage API routine may allow an integer overflow to occur. The flaw is a heap-based buffer overflow that
can be exploited through a website by using maliciously crafted animated cursor files. Successful exploitation allows
execution of arbitrary code. All versions of Microsoft Windows XP before Service Pack 2 are affected. Patches are
available at the Microsoft website.
Signature ID: 1014
Mozilla GIF heap overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0399
Bugtraq: 12881
Signature Description: A Graphics Interchange Format (GIF) image processing library is used in some Mozilla
products. Firefox before 1.0.2, Mozilla before 1.7.6, and Thunderbird before 1.0.2 use the same library, and all of these
versions are vulnerable. The library contains a flaw that allows remote attackers to execute arbitrary code via a GIF image
with a crafted Netscape extension 2 block and buffer size (a 32-bit integer). This integer is used to determine the image buffer
space; an attacker may misrepresent this value to overflow the heap. Patches are available at the respective
vendor website.
Signature ID: 1015
Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1244
Bugtraq: 12485
Signature Description: The Portable Network Graphics (PNG) format is an established image standard and is well
supported in applications that view images. Microsoft Windows Media Player version 9 (when running on Windows
2000, Windows XP SP1 and SP2, or Windows Server 2003), Microsoft MSN Messenger 6.1 and 6.2, Windows 98,
Windows 98 SE and Windows ME are vulnerable to a buffer overflow caused by improper handling of PNG
files. A PNG image consists of a PNG header followed by a sequence of "chunks" (the PNG
specification defines 18 such chunk types). The PNG format stores the information about the image in the form of chunks,
and each type of chunk conveys some specific information about the image. A remote attacker could create a specially
crafted PNG image with a large width or height value in the IHDR chunk to overflow a buffer and execute arbitrary code on
the system. An attacker who successfully exploited this vulnerability may be able to execute arbitrary code with the
privileges of the user. Users are advised to install the updates mentioned in MS05-009. This signature detects attack
patterns: after matching the pattern IHDR, it checks a one-byte value at relative offset 8.
Signature ID: 1016
Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1244
Bugtraq: 12485
Signature Description: The Portable Network Graphics (PNG) format is an established image standard and is well
supported in applications that view images. Microsoft Windows Media Player version 9 (when running on Windows
2000, Windows XP SP1 and SP2, or Windows Server 2003), Microsoft MSN Messenger 6.1 and 6.2, Windows 98,
Windows 98 SE and Windows ME are vulnerable to a buffer overflow caused by improper handling of PNG
files. A PNG image consists of a PNG header followed by a sequence of "chunks" (the PNG
specification defines 18 such chunk types). The PNG format stores the information about the image in the form of chunks,
and each type of chunk conveys some specific information about the image. A remote attacker could create a specially
crafted PNG image with a large width or height value in the IHDR chunk to overflow a buffer and execute arbitrary code on
the system. An attacker who successfully exploited this vulnerability may be able to execute arbitrary code with the
privileges of the user. Users are advised to install the updates mentioned in MS05-009. This signature detects attack
patterns: after matching the pattern IHDR, it checks a 4-byte value at relative offset 4.
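
The IHDR fields that signatures 1015 and 1016 inspect can be validated at a gateway or file-upload filter as in the following added example, which is not part of the guide or the vendor's signature logic. Counting from the byte after the IHDR type, the PNG layout places width at offsets 0-3, height at 4-7 and bit depth at 8; `MAX_DIM`, `inspect_ihdr` and `build_png_header` are hypothetical names, and the sample inputs are constructed.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_DIM = 16384  # assumed local policy limit, not a value from the guide
# Bit depths the PNG specification allows for each colour type.
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8},
                4: {8, 16}, 6: {8, 16}}


def inspect_ihdr(data: bytes) -> list[str]:
    """Return a list of findings for the IHDR chunk of a PNG byte string."""
    if not data.startswith(PNG_MAGIC):
        return ["not a PNG: bad file header"]
    if len(data) < 33:  # 8 magic + 4 length + 4 type + 13 data + 4 CRC
        return ["truncated before end of IHDR"]
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return ["first chunk is not a 13-byte IHDR"]
    body = data[16:29]
    # Offsets relative to the byte after "IHDR": width 0-3, height 4-7,
    # bit depth 8, colour type 9.
    width, height, depth, colour = struct.unpack(">IIBB", body[:10])
    findings = []
    (crc,) = struct.unpack(">I", data[29:33])
    if crc != zlib.crc32(b"IHDR" + body):
        findings.append("IHDR CRC mismatch")
    for name, value in (("width", width), ("height", height)):
        # The spec limits dimensions to 1..2^31-1; MAX_DIM is stricter.
        if value == 0 or value > 0x7FFFFFFF:
            findings.append(f"{name} {value:#x} outside PNG spec range")
        elif value > MAX_DIM:
            findings.append(f"{name} {value} exceeds policy limit {MAX_DIM}")
    if depth not in VALID_DEPTHS.get(colour, set()):
        findings.append(f"bit depth {depth} invalid for colour type {colour}")
    return findings


def build_png_header(width, height, depth=8, colour=2):
    """Constructed sample input: PNG magic plus one IHDR chunk only."""
    body = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + body + crc


if __name__ == "__main__":
    for dims in ((640, 480), (0x40000000, 1), (1, 0xFFFFFFFF)):
        print(dims, inspect_ihdr(build_png_header(*dims)))
```

Unlike a fixed-offset byte match, this check also rejects a zero dimension, a bit depth that is invalid for the colour type, and an IHDR whose CRC does not match its contents.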