TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature Description: The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in
Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the
application to fail or arbitrary code to be executed on the target system, depending on the data entered into the buffer.
XPs are DLL files that perform high-level functions in SQL Server. When called, they invoke a function called
Srv_paraminfo() to parse the input parameters.
The vulnerability lies in the fact that Srv_paraminfo() does not check the length of the parameter string that an XP
passes to it. If an attacker can pass an overly long string to the XP xp_showcolv, a buffer overflow can occur due to
an unsafe memory copy. This can cause SQL Server to crash. It is also possible for attackers to execute arbitrary code
on the host running SQL Server.
The minimum privilege level that the account would have to possess is SYSTEM. This vulnerability is confined to
those who can successfully log on to the SQL Server. This rule detects an attempt to exploit this vulnerability.
Signature ID: 12076
MS-SQL xp_sprintf buffer overflow
Threat Level: Information
Industry ID: CVE-2001-0542 Bugtraq: 1024,3733
Signature Description: Microsoft SQL Server contains buffer overflows in several built-in text formatting and printing
functions. This vulnerability makes it possible for an attacker to execute arbitrary code in the security context of the
server process. An attacker can also exploit this vulnerability to crash the server. This rule detects an attempt to exploit
the vulnerability in the xp_sprintf routine.
Signature ID: 12077
MS-SQL xp_updatecolvbm buffer overflow
Threat Level: Severe
Industry ID: CVE-2000-1084 Bugtraq: 2039
Signature Description: The API Srv_paraminfo(), which is implemented by Extended Stored Procedures (XPs) in
Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the
application to fail or arbitrary code to be executed on the target system, depending on the data entered into the buffer.
The vulnerability lies in the fact that Srv_paraminfo() does not check the length of the parameter string that an
XP passes to it. If an attacker can pass an overly long string to the XP xp_updatecolvbm, a buffer overflow can occur
due to an unsafe memory copy. This can cause SQL Server to crash. It may also be possible for attackers to execute
arbitrary code on the host running SQL Server. The attacker would need to overwrite the return address of the calling
function with the address of supplied shellcode in memory. This shellcode would be executed under the context of the
account that the SQL Server service was configured to run under. The minimum privilege level that the account would
have to possess is SYSTEM. This vulnerability is confined to those who can successfully log on to the SQL
Server.
This rule detects an attempt to exploit this vulnerability.
Signature ID: 12080
MS-SQL/SMB shellcode attempt
Threat Level: Warning
Signature Description: This event is generated when an unauthorized user attempts to execute commands on a SQL
database server that may result in a loss of confidentiality, availability and integrity of data stored on the database. This
is suspicious activity against a SQL database server that may result in a serious compromise of the data stored on that
system.
Signature ID: 12083
MS-SQL/SMB sp_password password change
Threat Level: Warning
Signature Description: This event is generated when an unauthorized user attempts to execute commands on a SQL
database server that may result in a loss of confidentiality, availability and integrity of data stored on the database. This