ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 1733
Microsoft Windows ntdll.dll Buffer Overflow with IIS WebDAV request vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: Microsoft Windows contains ntdll.dll, a core operating system component used to
interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll, and it can be exploited through the
WebDAV component of Microsoft IIS. The IIS WebDAV component uses ntdll.dll when processing incoming
WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to
execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the
system. Many other applications that make use of ntdll.dll can also be used to exploit this vulnerability. This rule looks for
exploitation of this vulnerability by a specially crafted WebDAV request to an IIS server.
Signature ID: 1734
Microsoft Windows ntdll.dll Buffer Overflow with IIS WebDAV request vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: Microsoft Windows contains ntdll.dll, a core operating system component used to
interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll, and it can be exploited through the
WebDAV component of Microsoft IIS. The IIS WebDAV component uses ntdll.dll when processing incoming
WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to
execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the
system. Many other applications that make use of ntdll.dll can also be used to exploit this vulnerability. This rule looks for
exploitation of this vulnerability by a specially crafted WebDAV request to an IIS server. This signature triggers when an
attacker requests 'search' and 'Host' with a long string (more than 255).
Signature ID: 1735
Microsoft IIS Extensions WebDAV LOCK method Denial of Service Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0337 Bugtraq: 2736
Signature Description: WebDAV extensions are used by administrators to manage and edit Web content remotely in
Microsoft Internet Information Services. The WebDAV extensions (httpext.dll) for Internet Information Server 5.0
contain a flaw that could allow a malicious user to consume all available memory on the server. The server runs out
of memory and crashes if requests for non-existing files are sent with the LOCK method. Apply the appropriate patch, as
listed in Microsoft security bulletins MS01-014 and MS01-016.
Signature ID: 1736
Microsoft Site Server _mem_bin directory access Vulnerability
Threat Level: Information
Nessus: 11032
Signature Description: Microsoft Site Server 3.0 for Windows NT servers allows users to publish, find, and share
information. This rule generates an event when an attacker tries to access the _mem_bin directory of Site Server 3.0. The
Site Server installation places a few ASPs and DLLs in the _mem_bin directory under \wwwroot\. Some ASP pages in
this directory reveal the default LDAP schema, including host and port.
Signature ID: 1738
Microsoft IIS 4.0 IISADMPWD Proxied Password Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0407 Bugtraq: 2110
Signature Description: This rule gets hit when an attempt is made to request an HTTP-based password change via