ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
database if the password has not been manually changed. This event is triggered when an attempt is made to access a
host running Microsoft SQL Server or MSDE via the default "sa" account. The event only reports the activity as
suspicious; it does not by itself indicate a successful login.
Signature ID: 12055
SQL Slammer Worm Traffic
Threat Level: Severe
Industry ID: CVE-2002-0649 Bugtraq: 5311
Signature Description: SQL Slammer is a worm that compromises unpatched Microsoft SQL Server 2000 hosts. It
propagates by exploiting a stack-based buffer overflow in the SQL Server 2000 Resolution Service: each infected
host sends a 376-byte UDP packet to port 1434 of randomly chosen targets at a very high rate. The worm only
replicates; it does not attempt to further compromise servers or to retain access to infected hosts. It is also known as
W32/SQLSlam-A, Sapphire, New SQL, Worm.SQL, and Helkern. The worm is so small that it carries no code to
write itself to disk; it exists only in memory, so restarting SQL Server removes it. This signature identifies the
worm's traffic based on the protocol, the destination port and the application-data content. A cleaned host will very
likely be re-infected unless the patch is applied to the server or access to UDP port 1434 is blocked by a firewall.
Apply the patch for this vulnerability as listed in Microsoft Security Bulletin MS02-039.
Signature ID: 12056
Microsoft SQL Server 2000 Resolution Service Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-0649 Bugtraq: 5310,5311
Signature Description: A vulnerability in the SQL Server Resolution Service makes it possible for a remote user to
execute arbitrary code on a vulnerable host. An attacker can exploit a stack-based overflow in the resolution service
by sending a maliciously crafted UDP packet to port 1434. Microsoft SQL Server 2000, SQL Server 2000 SP1,
SQL Server 2000 SP2, SQL Server 2000 Desktop Engine, Microsoft Data Engine 2000 and Veritas Software Backup
Exec for Windows Servers 9.0 are vulnerable to this stack-based buffer overflow.
Signature ID: 12057
MS-SQL probe response overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0903 Bugtraq: 9407
Signature Description: Microsoft Data Access Components (MDAC) is a framework of interrelated Microsoft
technologies that gives programmers a uniform and comprehensive way to develop applications that can access
almost any data store. MDAC 2.5 through 2.8 contain a buffer overflow caused by improper bounds checking in a
specific MDAC component. When a client running MDAC sends a broadcast request to locate SQL Server instances
on the network, a remote attacker posing as a SQL server can answer it with a specially crafted UDP packet. Because
the response is not validated properly, the buffer overflows and the attacker can execute code with the privileges of
the process that loaded MDAC.
Signature ID: 12058
MS-SQL raiserror possible buffer overflow
Threat Level: Information
Industry ID: CVE-2001-0542 Bugtraq: 3733
Signature Description: Microsoft SQL Server contains buffer overflows in several built-in text formatting and printing
functions, RAISERROR among them. This vulnerability makes it possible for an attacker to execute arbitrary code in
the security context of the server process. An attacker can also exploit it to crash the server.