ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 1422
HTML Winhlp32.exe Remote Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2002-0823 Bugtraq: 4857
Signature Description: HTML Help makes use of the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help
ActiveX control is used to provide navigation features (such as a table of contents), to display secondary windows and
pop-up definitions, and to provide other features. Some features provided by the HTML Help ActiveX control, such as
the WinHlp command, are meant to be available only when the control is used from a compiled HTML Help file (.chm)
that is displayed by using the HTML Help Viewer. Winhlp32.exe is vulnerable to a buffer overrun through the
Item parameter of the WinHlp command. The Item parameter specifies the file path of the WinHelp (.hlp) file
in which the WinHelp topic is stored, and the window name of the target window. Using this overrun, an attacker can
execute arbitrary code on a remote system by encouraging the victim to visit a particular web page.

Signature ID: 1423
Microsoft Internet Explorer DHTML Engine Race Condition Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0553 Bugtraq: 13120
Signature Description: Dynamic HTML (DHTML) extends static HTML pages to allow interactive web pages to be
easily created. Microsoft Internet Explorer versions 5.01, 5.5, and 6 could allow a remote attacker to execute arbitrary
code because of a race condition when Dynamic HTML (DHTML) objects are processed. The DHTML Object Model
(DOM) specification allows users to create browser windows in addition to other elements. When a new browser
window is created, it is possible to refer to the parent window from the newly opened window. A race condition occurs
in Microsoft Internet Explorer (IE) when both the child and parent windows try to occupy the same memory, because
the IE DOM implementation manages threads incorrectly. Under these conditions it is possible to insert
arbitrary code and have it run in the context of the web browser that is parsing the DHTML. An attacker could exploit
this vulnerability by creating a malicious Web page or an HTML e-mail message and then persuading the user to visit
the page or to view the HTML e-mail message. An attacker who successfully exploited this vulnerability could take
complete control of the affected system. Install the updates mentioned in Microsoft Security Bulletin MS05-020.

Signature ID: 1424
Windows Shell code vulnerability
Threat Level: Warning
Signature Description: This rule triggers when an external web server sends Windows shellcode to a client on the
internal network. This can be considered a symptom of accessing a malicious file.

Signature ID: 1425
Microsoft Internet Explorer DHTML Object Race Condition Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0553 Bugtraq: 13120
Signature Description: Dynamic HTML (DHTML) extends static HTML pages to allow interactive web pages to be
easily created. Microsoft Internet Explorer versions 5.01, 5.5, and 6 could allow a remote attacker to execute arbitrary
code because of a race condition when Dynamic HTML (DHTML) objects are processed. The DHTML Object Model
(DOM) specification allows users to create browser windows in addition to other elements. When a new browser
window is created, it is possible to refer to the parent window from the newly opened window. A race condition occurs
in Microsoft Internet Explorer (IE) when both the child and parent windows try to occupy the same memory, because
the IE DOM implementation manages threads incorrectly. Under these conditions it is possible to insert
arbitrary code and have it run in the context of the web browser that is parsing the DHTML. This rule specifically
looks for NULL element insertion. This can lead to random crashes and remote command execution. An attacker could