TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

AVI files contain multiple streams of different types of data. The stream name chunk (strn) contains a name for the
stream. Windows Media Player uses QUARTZ.DLL (the DirectShow runtime library) to decode and play AVI movie files.
Attackers could craft a malicious AVI file with a malformed stream name chunk (strn) carrying a specially chosen length
field value. Because DirectShow does not validate this length, QUARTZ can be made to store a null byte at an arbitrary
memory location when it processes the file. This corrupts the heap management code, allowing attackers to modify a
heap block header and write a null byte, and other instructions, to arbitrary memory. Successful exploitation will permit
execution of arbitrary code in the context of the user who opens the malicious AVI file. Administrators are advised to
install the patches mentioned in the MS05-050 bulletin.
Signature ID: 1452
Microsoft Windows Graphics Rendering Engine WMF/EMF Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2123 Bugtraq: 15352
Signature Description: The Microsoft Windows Graphics Rendering Engine supports a number of image formats,
including Windows Metafile (WMF) and Enhanced Metafile (EMF). Windows Metafile (WMF) is a graphics file
format on Microsoft Windows systems. It is a vector graphics format which also allows the inclusion of raster graphics.
WMF is a 16-bit format introduced in Windows 3.0; a newer 32-bit version with additional commands is called
Enhanced Metafile (EMF). A WMF/EMF file stores a list of function calls that have to be issued to the Windows
graphics layer GDI in order to restore the image. The graphics rendering engine in Windows is vulnerable to several
integer overflows while processing specially crafted WMF/EMF files. The flaw is due to improper validation of the
header values in a WMF/EMF file: large header values can cause an integer overflow during the size calculation. The
resulting incorrect size may then be used to allocate stack space, so that a buffer overflow occurs when the data is
copied. An attacker could exploit this vulnerability by sending the malicious image to a victim as an email attachment
and tricking the victim into opening the attachment, or by hosting it on a Web site and persuading the victim to visit
the Web site.
Signature ID: 1453
Microsoft Windows Graphics Rendering Engine WMF/EMF Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2123 Bugtraq: 15352
Signature Description: The Microsoft Windows Graphics Rendering Engine supports a number of image formats,
including Windows Metafile (WMF) and Enhanced Metafile (EMF). Windows Metafile (WMF) is a graphics file
format on Microsoft Windows systems. It is a vector graphics format which also allows the inclusion of raster graphics.
WMF is a 16-bit format introduced in Windows 3.0; a newer 32-bit version with additional commands is called
Enhanced Metafile (EMF). A WMF/EMF file stores a list of function calls that have to be issued to the Windows
graphics layer GDI in order to restore the image. The graphics rendering engine in Microsoft Windows 2000 SP4, 2003
SP1, XP SP2 and prior service pack versions is vulnerable to several integer overflows while processing specially
crafted WMF/EMF files. The flaw is due to improper validation of the header values in a WMF/EMF file: large header
values can cause an integer overflow during the size calculation. The resulting incorrect size may then be used to
allocate stack space, so that a buffer overflow occurs when the data is copied. An attacker could exploit this
vulnerability by sending the malicious image to a victim as an email attachment and tricking the victim into opening
the attachment, or by hosting it on a Web site and persuading the victim to visit the Web site.
Signature ID: 1454
Microsoft Windows Client/Server Runtime Server Subsystem Stack Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2118 CVE-2005-2122 CVE-2005-0551 Bugtraq: 15069,15070,13115
Signature Description: The Win32 application programming interface (API) offers a console windows feature that
provides a means to implement command-line and other character-based user interfaces. Console windows are
managed by the Client/Server Runtime Server subsystem (csrss.exe), specifically by code inside winsrv.dll. This module