ProCurve TMS zl Module IPS/IDS Signature Reference Guide
Version RLX.10.2.2.94

Signature ID: 21017
Microsoft Windows Shell DUNZIP32.DLL Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0575 Bugtraq: 11382
Signature Description: Microsoft Windows XP and Windows Server 2003 can open zip archives natively through the
Compressed (zipped) Folders feature, which the Windows shell implements in DUNZIP32.DLL. A remote code execution
vulnerability exists in Compressed (zipped) Folders because of an unchecked buffer in the way it handles specially
crafted archives: when it processes an archive containing entries whose file names are too long, the copy overruns
the buffer and corrupts adjacent memory. A remote attacker who persuades a user to open such an archive can execute
arbitrary code in the security context of that user. The archive can be delivered by hosting it on a web site or by
sending it to the victim in an HTML email. Vulnerable platforms are Microsoft Windows Server 2003, Windows Server 2003
x64, Windows XP, Windows XP SP1, Windows XP 64-Bit Edition Version 2003 and Windows XP SP1 64-Bit Edition.
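The trigger for this vulnerability is an entry with an over-long file name, so an archive can be pre-screened for an oversized file-name length field before it reaches a Windows host. The following scanner is an added example (not code from the signature guide): it walks the ZIP local file headers directly rather than trusting the central directory, because the extractor reads the entries themselves and the two structures need not agree in a crafted archive. The 260-byte threshold (Windows MAX_PATH) is an assumption chosen for the example, and the sample archive is constructed in memory with Python's zipfile module.

```python
"""Flag ZIP entries with over-long file names by walking the local file headers.

Added example for signature 21017 (CVE-2004-0575); not code from the signature
guide. The 260-byte limit (MAX_PATH) is an assumption chosen for this example.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)   # 30 bytes
NAME_LIMIT = 260                                        # assumed: Windows MAX_PATH
FLAG_DATA_DESCRIPTOR = 0x0008


def _next_header(data: bytes, pos: int) -> int:
    """Offset of the next local or central-directory header at or after pos."""
    hits = [i for i in (data.find(LOCAL_HEADER_SIG, pos),
                        data.find(CENTRAL_DIR_SIG, pos)) if i != -1]
    return min(hits) if hits else len(data)


def scan_local_headers(data: bytes, limit: int = NAME_LIMIT) -> list:
    """Return (name_length, name_prefix) for each entry whose name exceeds limit.

    Local headers are walked directly instead of trusting the central directory,
    because an extractor reads the entries themselves and a crafted archive can
    make the two structures disagree.
    """
    findings = []
    pos = 0
    while pos + LOCAL_HEADER_LEN <= len(data):
        if data.startswith(CENTRAL_DIR_SIG, pos):
            break                                    # end of the entries
        if not data.startswith(LOCAL_HEADER_SIG, pos):
            raise ValueError(f"expected a local file header at offset {pos}")
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len]
        if name_len > limit:
            findings.append((name_len, name[:16].decode("latin-1")))
        pos = name_start + name_len + extra_len      # start of the file data
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            # Sizes live only in a trailing data descriptor; resynchronise on
            # the next header signature instead of trusting a zero length.
            pos = _next_header(data, pos)
        else:
            pos += csize
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one ordinary entry and one with a 604-byte name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("A" * 600 + ".txt", b"entry with an over-long name")
    return buf.getvalue()


if __name__ == "__main__":
    for length, prefix in scan_local_headers(build_sample_archive()):
        print(f"suspicious entry: name length {length}, starts with {prefix!r}")
```

Running the script reports the second entry (name length 604) and ignores the first; raising the limit above 604 produces no findings.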
Signature ID: 21019
Using NetBIOS to retrieve information from a Windows host
Threat Level: Information
Industry ID: CVE-1999-0621 Nessus: 10150
Signature Description: This rule detects NetBIOS node status ("NBSTAT", as sent by nbtstat -A) requests arriving from an
external network. If UDP port 137 is reachable, a remote attacker can send a NetBIOS Name Service node status request
for the wildcard name (an asterisk followed by fifteen NUL bytes), which asks the node to return the NetBIOS name table
it holds. That table discloses the host's computer name, logged-on user name and workgroup or domain names, together
with the adapter's MAC address, which is exactly the information an attacker or worm needs to select its next step.
The 911 worm and Network.VBS are two well-known examples that made use of this facility.
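The request described above has a fixed wire form, which is what makes it easy to match. The following code is an added example (not code from the signature guide): build_name_query() produces a NetBIOS Name Service query for the wildcard name with QTYPE NBSTAT (0x0021), whose first-level encoded question name is the 32-byte label CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, and is_nbstat_wildcard() is the check an IDS would apply to a UDP/137 payload. The packets and the transaction ID are constructed for the example.

```python
"""Build and recognise the NetBIOS node-status (NBSTAT) wildcard request.

Added example for signature 21019 (CVE-1999-0621); not code from the signature
guide. All packets below are constructed for the example; the transaction ID
is arbitrary.
"""
import struct

NBNS_HEADER_FMT = ">HHHHHH"   # txid, flags, qdcount, ancount, nscount, arcount
NBNS_HEADER_LEN = 12
QTYPE_NB = 0x0020             # ordinary name query
QTYPE_NBSTAT = 0x0021         # node status request
QCLASS_IN = 0x0001
WILDCARD_NAME = b"*" + b"\x00" * 15


def pad_name(short: bytes, suffix: int = 0x00) -> bytes:
    """Pad a NetBIOS name to 15 bytes with spaces and append the suffix byte."""
    return short.upper()[:15].ljust(15, b" ") + bytes([suffix])


def encode_name(name: bytes) -> bytes:
    """First-level encode a 16-byte name: each nibble becomes one letter A..P."""
    if len(name) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    letters = bytearray()
    for byte in name:
        letters.append(0x41 + (byte >> 4))
        letters.append(0x41 + (byte & 0x0F))
    return bytes([32]) + bytes(letters) + b"\x00"   # length, label, terminator


def decode_name(label: bytes) -> bytes:
    """Inverse of encode_name() for the 32-byte label."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                 for i in range(0, 32, 2))


def build_name_query(name: bytes, qtype: int, txid: int = 0x1234) -> bytes:
    """NBNS query: DNS-style 12-byte header followed by a single question."""
    header = struct.pack(NBNS_HEADER_FMT, txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def is_nbstat_wildcard(payload: bytes) -> bool:
    """True if payload is an NBNS query for the NBSTAT record of '*'."""
    if len(payload) < NBNS_HEADER_LEN + 34 + 4:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from(NBNS_HEADER_FMT, payload, 0)
    if flags & 0x8000 or qdcount != 1:          # a response, or not exactly one question
        return False
    if payload[12] != 32 or payload[45] != 0:   # one 32-byte label and no scope ID
        return False
    try:
        name = decode_name(payload[13:45])
    except ValueError:
        return False
    qtype, qclass = struct.unpack_from(">HH", payload, 46)
    return qtype == QTYPE_NBSTAT and qclass == QCLASS_IN and name == WILDCARD_NAME


if __name__ == "__main__":
    probe = build_name_query(WILDCARD_NAME, QTYPE_NBSTAT)
    lookup = build_name_query(pad_name(b"WORKGROUP"), QTYPE_NB)
    print("nbstat probe :", probe.hex(), is_nbstat_wildcard(probe))
    print("name lookup  :", lookup.hex(), is_nbstat_wildcard(lookup))
```

The check deliberately decodes the label rather than matching the literal string, so a request for the node status of a specific name, or an ordinary name lookup, is not reported; only the wildcard table dump that this signature is about matches.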
Signature ID: 21023
Windows NetBus Pro 2.x Vulnerability
Threat Level: Information
Signature Description: NetBus Pro is a remote administration tool, widely deployed as a backdoor, for Windows 95/98 and
Windows NT 4.0. It consists of a server and a client: the server is installed on the host that is to be controlled, and
the client connects to it from a remote location. Compared with its predecessor it adds a remote file manager, a
registry manager and an application redirector, as well as the ability to capture screen shots, keystrokes and camera
images. By default the NetBus Pro server listens on TCP port 20034 with no password set. An attacker who connects to
this port can determine whether NetBus Pro is installed and whether a password has been configured.
Signature ID: 21030
Messenger message little endian overflow
Threat Level: Information
Industry ID: CVE-2003-0717 Bugtraq: 8826 Nessus: 11888,11890
Signature Description: A buffer overrun exists in the Windows Messenger Service (the service that delivers "net send" and
Alerter messages, not the Windows Messenger chat client) because it does not properly validate the length of a message
before copying it into the allocated buffer. A remote attacker who delivers a specially crafted message to the service
through its RPC interface can cause the service to fail or execute arbitrary code with Local System privileges (Microsoft
Security Bulletin MS03-043). The "little endian" in the rule name refers to the data-representation byte of the DCE/RPC
header that carries the request: every multi-byte field in the request is encoded in the byte order that byte announces,
so the same request looks different on the wire in the little-endian and big-endian encodings and each needs its own
rule variant. Affected platforms are Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003.
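Why the byte order matters for a DCE/RPC signature is easiest to see by decoding the same request both ways. The code below is an added example for signatures 21030 and 21031 (not code from the signature guide): build_request() encodes a single-fragment connection-oriented request PDU with either data representation, parse_request() decodes the header fields in the byte order drep[0] announces, and naive_little_endian_opnum() shows what a matcher that ignores drep would read from the big-endian encoding. The opnum, stub bytes and call_id are arbitrary values constructed for the example, not values taken from the Messenger Service exploit.

```python
"""Decode a connection-oriented DCE/RPC request in the byte order its header announces.

Added example for signatures 21030 and 21031 (CVE-2003-0717); not code from the
signature guide. The opnum, stub and call_id values used here are arbitrary and
constructed for the example.
"""
import struct

RPC_VERSION = 5
PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_INT_LITTLE = 0x10      # high nibble of drep[0]: 0 = big-endian, 1 = little-endian integers
COMMON_HEADER_LEN = 16      # vers, vers_minor, ptype, pfc_flags, drep[4], frag_len, auth_len, call_id
REQUEST_HEADER_LEN = 8      # alloc_hint, p_cont_id, opnum


def is_little_endian(drep0: int) -> bool:
    """Integer representation is the high nibble of the first drep byte."""
    return (drep0 & 0xF0) == DREP_INT_LITTLE


def build_request(opnum: int, stub: bytes, little: bool = True, call_id: int = 1) -> bytes:
    """Encode a single-fragment request PDU in the requested byte order."""
    end = "<" if little else ">"
    frag_length = COMMON_HEADER_LEN + REQUEST_HEADER_LEN + len(stub)
    drep = bytes([DREP_INT_LITTLE if little else 0x00, 0x00, 0x00, 0x00])
    common = (bytes([RPC_VERSION, 0, PTYPE_REQUEST, PFC_FIRST_FRAG | PFC_LAST_FRAG])
              + drep + struct.pack(end + "HHI", frag_length, 0, call_id))
    return common + struct.pack(end + "IHH", len(stub), 0, opnum) + stub


def parse_request(pkt: bytes) -> dict:
    """Parse the common and request headers, honouring drep[0], and return the stub."""
    if len(pkt) < COMMON_HEADER_LEN + REQUEST_HEADER_LEN:
        raise ValueError("too short for a DCE/RPC request")
    if pkt[0] != RPC_VERSION or pkt[2] != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request PDU")
    little = is_little_endian(pkt[4])
    end = "<" if little else ">"
    frag_length, auth_length, call_id = struct.unpack_from(end + "HHI", pkt, 8)
    if frag_length > len(pkt) or frag_length < COMMON_HEADER_LEN + REQUEST_HEADER_LEN:
        raise ValueError("frag_length inconsistent with the captured bytes")
    alloc_hint, cont_id, opnum = struct.unpack_from(end + "IHH", pkt, COMMON_HEADER_LEN)
    # An auth trailer, when present, is auth_length bytes plus an 8-byte verifier header.
    stub_end = frag_length - (auth_length + 8 if auth_length else 0)
    return {
        "little_endian": little,
        "frag_length": frag_length,
        "call_id": call_id,
        "alloc_hint": alloc_hint,
        "context_id": cont_id,
        "opnum": opnum,
        "stub": pkt[COMMON_HEADER_LEN + REQUEST_HEADER_LEN:stub_end],
    }


def naive_little_endian_opnum(pkt: bytes) -> int:
    """What a matcher that ignores drep[0] would read as the opnum."""
    return struct.unpack_from("<H", pkt, COMMON_HEADER_LEN + 6)[0]


if __name__ == "__main__":
    stub = b"\x00" * 32                      # constructed placeholder arguments
    for little in (True, False):
        pkt = build_request(opnum=7, stub=stub, little=little)
        info = parse_request(pkt)
        print(f"drep[0]=0x{pkt[4]:02x} little_endian={info['little_endian']} "
              f"opnum={info['opnum']} naive_le_opnum={naive_little_endian_opnum(pkt)}")
```

For the big-endian encoding the naive reader returns 0x0700 instead of 7, and frag_length is likewise swapped; a rule that matches on the opnum or on an over-long argument therefore has to be written once per byte order, which is the distinction the rule title is making.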
Signature ID: 21031
Microsoft Windows Messenger Service Buffer Overrun
Threat Level: Information
Industry ID: CVE-2003-0717 Bugtraq: 8826 Nessus: 11888,11890