TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 12065
MS-SQL sp_start_job program execution
Threat Level: Information
Signature Description: This event is generated when an unauthorized user attempts to execute commands or programs
on a SQL database server, which may result in a loss of confidentiality, availability and integrity of data stored on the
database. sp_start_job instructs SQL Server Agent to execute a job immediately, and this rule detects such an
instruction to execute the program.
Signature ID: 12067
MS-SQL xp_cmdshell - program execution
Threat Level: Information
Signature Description: This event is generated when an unauthorized user attempts to execute a command or program on
a SQL database server, which may result in a loss of confidentiality, availability and integrity of data stored on the
database. This is a suspicious activity. This signature triggers on TCP port 1433.
Signature ID: 12068
MS-SQL xp_cmdshell program execution 445
Threat Level: Information
Signature Description: This event is generated when an unauthorized user attempts to execute a command or program on
a SQL database server, which may result in a loss of confidentiality, availability and integrity of data stored on the
database. This is a suspicious activity. This signature triggers on TCP port 445.
Signature ID: 12069
MS-SQL xp_displayparamstmt buffer overflow
Threat Level: Information
Signature Description: MS-SQL server suffers from multiple buffer overflow vulnerabilities. It does not check the
length of the buffer before passing it to the xp_displayparamstmt routine. An attacker can exploit this
vulnerability by sending a specially crafted message to cause the SQL server to crash, and may execute arbitrary shell
code on the target machine. This rule detects an attempt to exploit this vulnerability.
Signature ID: 12070
MS-SQL xp_enumresultset buffer overflow
Threat Level: Information
Industry ID: CVE-2000-1082 Bugtraq: 2031
Signature Description: The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in
Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the
application to fail or arbitrary code to be executed on the target system, depending on the data entered into the buffer.
XPs are DLL files that perform high-level functions in SQL Server. When called, they invoke a function called
Srv_paraminfo() to parse the input parameters.
The vulnerability lies in Srv_paraminfo() and the fact that it does
not check the length of the parameter string that an XP passes to it. If an attacker can pass an overly long string to the
XP xp_enumresultset, a buffer overflow can occur due to an unsafe memory copy. This can cause SQL Server to crash,
and the attacker may be able to execute arbitrary shell code on the host running the SQL server. The minimum privilege
level that the account would have to possess is SYSTEM privileges.
Signature ID: 12071
MS-SQL xp_peekqueue buffer overflow
Threat Level: Information
Industry ID: CVE-2000-1085 Bugtraq: 2040