ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
attacker could also add a .job file to a local file system or a network share and persuade the victim to view the folder
using Windows Explorer, or use a program such as Internet Explorer that passes parameters to the vulnerable component,
to exploit this vulnerability. Vulnerable platforms are Internet Explorer 6, Windows 2000 SP2, Windows 2000 SP3,
Windows 2000 SP4, Windows XP SP1, Windows XP SP1 64-bit.
Signature ID: 21012
Microsoft Windows Task Scheduler .job File Command Name Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0212 Bugtraq: 10708
Signature Description: Microsoft Windows Task Scheduler (Mstask.dll) is a COM-based API (ActiveX control) that
provides a scheduling service for executing arbitrary commands on a system. Task Scheduler saves tasks as files with
the .job file name extension. The scheduler contains a stack-based buffer overflow that can be triggered by an overlong
command in the .job file. A malicious .job file with a large "to be executed" field can overwrite the stack when the
file is parsed by mstask.dll, allowing remote command execution. An attacker could exploit
this vulnerability by hosting the malicious file on a Web site or by sending it to a victim as an HTML email. The
attacker could also add a .job file to a local file system or a network share and persuade the victim to view the folder
using Windows Explorer, or use a program such as Internet Explorer that passes parameters to the vulnerable component,
to exploit this vulnerability over TCP port 139. Administrators are advised to install the updates mentioned in
MS04-022.
Signature ID: 21013
Microsoft Windows Task Scheduler .job File Command Name Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0212 Bugtraq: 10708
Signature Description: Microsoft Windows Task Scheduler (Mstask.dll) is a COM-based API (ActiveX control) that
provides a scheduling service for executing arbitrary commands on a system. Task Scheduler saves tasks as files with
the .job file name extension. The scheduler contains a stack-based buffer overflow that can be triggered by an overlong
command in the .job file. A malicious .job file with a large "to be executed" field can overwrite the stack when the
file is parsed by mstask.dll, allowing remote command execution. An attacker could exploit
this vulnerability by hosting the malicious file on a Web site or by sending it to a victim as an HTML email. The
attacker could also add a .job file to a local file system or a network share and persuade the victim to view the folder
using Windows Explorer, or use a program such as Internet Explorer that passes parameters to the vulnerable component,
to exploit this vulnerability over TCP port 445. Administrators are advised to install the updates mentioned in
MS04-022.
Signature ID: 21014
DCE Services Enumeration
Threat Level: Information
Nessus: 10736
Signature Description: DCE services running on the remote server can be enumerated by connecting to port 135 and
issuing the appropriate queries. An attacker may use this to gain more knowledge about the remote host.
Signature ID: 21016
Microsoft's SQL Version Info UDP Query
Threat Level: Information
Nessus: 10674
Signature Description: Some older versions of MS SQL support remote queries for the server
version. This information may help an attacker plan an attack. Access to such traffic from outside
should be disabled at the server level. This rule triggers when the IPS device detects a UDP packet carrying an MS SQL
server version query from outside.