ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
the vulnerability, which results because the ISAPI extension contains an unchecked buffer in a section of code that
handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her
choice to run on the server.
Signature ID: 96
Microsoft IIS IDQ/IDA File Request vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0071 CVE-2000-0098 CVE-2001-0500 Bugtraq: 1065,2880 Nessus: 10492
Signature Description: This signature detects an attempt to access .idq, .ida or .htx files via an HTTP request. Microsoft
Internet Information Service (IIS) 4.0 installs several Internet Server Application Programming Interface (ISAPI)
extensions. The .idq ISAPI filter provides support for Internet Data Queries and is used to implement custom
searches. The .ida ISAPI filter provides support for Internet Data Administration and is used to manage the
indexing server. Both extensions rely on Microsoft Index Server, and both are installed by default with IIS 4.0.
When a remote user requests a non-existent .ida or .idq file, the real pathname of the document root is revealed
by the Index Server error message generated for the request. This information can help an attacker plan further
attacks.
Signature ID: 99
/iisadmpwd/aexp2.htr access vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0421 CVE-1999-0407 Bugtraq: 2110,4236 Nessus: 10371
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Version 4.0 of IIS
installs a remotely accessible directory, /IISADMPWD (mapped to c:\winnt\system32\inetsrv\iisadmpwd), which
contains a number of vulnerable '.HTR' files. There are two known issues. (1) These files were designed to
give system administrators a way to provide HTTP-based password change services to network users. The
affected files are achg.htr, aexp*.htr, and anot*.htr. Requesting one of the listed .htr files returns a form that asks for
the account name, current password, and new password. (2) These files can be used as proxies for brute-force
password attacks, or to identify valid users on the system. If the account does not exist, the message "invalid domain" is
returned; if it does exist but the password change was unsuccessful, the attacker is notified. This can be used against the
server and against other machines connected to the network (LAN or the Internet) by preceding the account name with
an IP address and a backslash, for example '192.168.1.10\Administrator'. The server contacts the networked machine
through the NetBIOS session port and attempts to change the password.
Signature ID: 100
Iis_bdir cgi vulnerability
Threat Level: Warning
Bugtraq: 2280 Nessus: 10577
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Version 3.0 came
with a series of remote administration scripts installed in /scripts/iisadmin off the web root directory. Version 3.0 of IIS
had an ism.dll file containing an authentication scheme to prevent unauthorized access. If an IIS 3.0 installation is
upgraded to IIS 4.0 without removing these scripts, they can be accessed remotely without authentication due to
changes in the authentication methods used by IIS 4.0. One of these scripts, bdir.htr, can be used on an IIS 4.0 server by a
remote attacker to obtain information about the server's directory structure. The script displays only a listing of
subdirectories of the directory specified as part of the request. This information about the server's directory structure
could potentially be used in further attacks.
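The three signatures above (IDs 96, 99 and 100) all key on the requested URL path. The following is an added example, not code from the guide or from the TMS zl Module, showing how a log reviewer could apply the same match logic offline to web server access logs. The request paths are the ones the descriptions name; the regular expressions, the log format and the sample log lines are this example's own constructions. Paths are percent-decoded and stripped of their query string before matching, so `/IISADMPWD/aexp2%2Ehtr` or `/nosuchfile.idq?x=1` are not missed by a naive substring check.

```python
import re
from urllib.parse import unquote, urlsplit

# Signature table constructed for this example from the guide's descriptions:
# (signature ID, short name, compiled pattern applied to the decoded path).
SIGNATURES = [
    (96, "IIS IDQ/IDA/HTX file request",
     re.compile(r"\.(?:idq|ida|htx)$", re.IGNORECASE)),
    (99, "/iisadmpwd/*.htr access",
     re.compile(r"^/iisadmpwd/(?:achg|aexp[^/]*|anot[^/]*)\.htr$", re.IGNORECASE)),
    (100, "/scripts/iisadmin/bdir.htr access",
     re.compile(r"^/scripts/iisadmin/bdir\.htr$", re.IGNORECASE)),
]

# Request-line extractor for a common access-log layout (an assumption of this
# example): client, identity, user, [timestamp], "METHOD target HTTP/x.y", status, bytes.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target):
    """Drop the query string, then percent-decode, so the signature patterns
    see the real path the ISAPI mapping would act on."""
    return unquote(urlsplit(target).path)


def match_signatures(path):
    """Return the IDs of every signature whose pattern matches the decoded path."""
    return [sid for sid, _name, pattern in SIGNATURES if pattern.search(path)]


def scan_log(lines):
    """Yield (signature ID, decoded path) for every request line that matches a
    signature; lines without a parsable request line are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        for sid in match_signatures(path):
            hits.append((sid, path))
    return hits


def summarize(hits):
    """Count hits per signature ID, in the order signatures are defined."""
    counts = {sid: 0 for sid, _name, _pattern in SIGNATURES}
    for sid, _path in hits:
        counts[sid] += 1
    return counts


# Constructed sample log lines: one benign request, then one request per
# signature plus an .htx request that also triggers signature 96.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:00:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.6 - - [01/Jan/2001:00:00:01 +0000] "GET /nosuchfile.idq?x=1 HTTP/1.0" 200 0',
    '10.0.0.7 - - [01/Jan/2001:00:00:02 +0000] "GET /IISADMPWD/aexp2%2Ehtr HTTP/1.0" 200 0',
    '10.0.0.8 - - [01/Jan/2001:00:00:03 +0000] "GET /scripts/iisadmin/bdir.htr?/winnt HTTP/1.0" 200 0',
    '10.0.0.9 - - [01/Jan/2001:00:00:04 +0000] "GET /docs/readme.htx HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for sid, path in found:
        print(f"signature {sid}: {path}")
    print(summarize(found))
```

The percent-decoding step matters for signature 96 in particular: the ISAPI mapping is chosen by the server after decoding, so a detector that only looks at the raw request line would miss an encoded extension. A 404 on an .idq or .ida request is still reported, because the description notes that the error path itself is what leaks the document root.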