TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

attempting to calculate the buffer space allowed for copying the base URL. This also leads to a heap-based overflow
when the string provided as the first parameter is concatenated onto the end of the BaseUrl. Successful exploitation could
execute arbitrary code with the privileges of the user logged on to the target machine. An attacker could exploit this
vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email.
Administrators are advised to install the updates mentioned in MS04-038.
Signature ID: 1461
Microsoft Internet Explorer ShowModalDialog Security Zone Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0549
Bugtraq: 10472,10473
Signature Description: Internet Explorer security zones are part of a system that divides online content into categories
or zones that are based on the trustworthiness of the content. Specific Web domains can be assigned to a zone,
depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the
Web content, based on the zone's policy. By exploiting this vulnerability, JavaScript can be injected and
executed within the victim's "My Computer" security zone. An IFRAME object is created for a web page which will
change its security zone by making use of the Location: weakness. When the location of the content of a frame is
changed with an HTTP redirect response, a modal dialog box that was called from the frame before the redirect will
return a cached reference to the frame's original domain. IE then incorrectly considers the cached domain instead of the
redirected domain when determining the security domain of the modal dialog box. Also, since the contents of the frame
have been changed by the redirect, it is possible to set the location object of the frame. By redirecting to a local
resource, controlling the timing of the redirect, and setting the frame's location to a javascript: protocol URL, an
attacker can execute script in the security context of the Local Machine Zone. The Scob Trojan, Download.Ject, Toofeer,
Berbew, and IE ILookup Trojans make use of this vulnerability to affect systems. Administrators are advised to install the
updates mentioned in MS04-025.
Signature ID: 1462
RealNetworks RealOnePlayer and RealPlayer PNen3260.DLL Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1481 Bugtraq: 11309
Signature Description: RealPlayer is an application for playing various media formats, developed by RealNetworks
Inc. RealPlayer 10.5 and prior versions are vulnerable to arbitrary code execution. An integer overflow
vulnerability exists in the pnen3260.dll file, which handles .rm files in RealPlayer. The vulnerability is triggered by setting
the length field of the VIDORV30 data chunk to a large value. Remote attackers could exploit this vulnerability to
execute arbitrary code on an affected system by enticing a victim to play a specially crafted SMIL file that contains a
link to a malicious .rm file. Users are advised to upgrade to a newer version of RealPlayer.
Signature ID: 1463
Winamp Fasttracker 2 Plug-In in_mod.dll Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2004-1896 Bugtraq: 10045
Signature Description: This rule gets hit when an attempt is made to download Extended Module (.XM) files from
the Internet. NullSoft Winamp versions 5.02 and prior are vulnerable to a heap overflow while processing an XM media file.
The vulnerability specifically exists in the 'in_mod.dll' component, which is responsible for loading XM files. By
creating a specially crafted XM file with fields containing long values and convincing a user to load the file in
Winamp, a buffer can be overflowed to execute arbitrary code. Users are advised to upgrade to a newer version of Winamp.
Signature ID: 1501
Apache 2.0 Encoded Backslash Directory Traversal Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0661
Bugtraq: 5434 Nessus: 11092