ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature Description: Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun
vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer.
Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially
allowing for full system compromise.
Signature ID: 21032
NS lookup response name overflow
Threat Level: Information
Industry ID: CVE-2004-0444 CVE-2004-0445 Bugtraq: 10333,10334
Signature Description: There is a vulnerability in the way the Symantec Firewall handles NetBIOS Name Service
response packets. If an attacker sends a crafted, unsolicited UDP NetBIOS Name Service response to a vulnerable
Symantec Firewall that does not block port 137, it is possible to cause a heap overflow and execute arbitrary code with
kernel privileges.
Signature ID: 21033
Symantec Client Firewall NetBIOS Name Service Response Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0444 CVE-2004-0445 Bugtraq: 10333,10334,10335
Signature Description: Symantec offers a suite of corporate and consumer security products, including a firewall
application. The firewall includes the SYMDNS.SYS driver, which is responsible for validating DNS and NBNS (NetBIOS
Name Service) responses. A buffer overflow vulnerability exists in the way the Symantec Firewall handles NetBIOS Name
Service response packets. If an attacker sends a crafted, unsolicited UDP NetBIOS Name Service response to a
vulnerable Symantec Firewall that does not block port 137, it is possible to cause a heap overflow and execute arbitrary
code with kernel privileges.
Signature ID: 21034
Microsoft Windows Share Access Using NULL session
Threat Level: Warning
Industry ID: CVE-1999-0519 CVE-1999-0520 Nessus: 10396
Signature Description: NetBIOS Null sessions allow browsing of Windows hosts through "Network Neighborhood"
and other functions. A Null session permits access to a host using a blank user name and password. An attacker may
attempt to establish a Null session connection and then try to access sensitive information about the target host, such as
available shares and user names.
Signature ID: 21035
Microsoft SMB ADMIN$ Hidden Share Access
Threat Level: Severe
Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates
a network share of every hard drive. The Administrative shares are the default shares created by Windows whose share
name contains the drive letter with a "$" at the end (ADMIN$). These shares allow anyone who can authenticate as
a member of the local Administrators group to access the root directory of every hard drive on the system, and thus
to access the share contents remotely. They are not generally used or useful outside of an enterprise environment.
Allowing remote access to these shares is a poor security practice. It is recommended to disable these hidden shares by
editing the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
and setting the values of 'AutoShareServer' and 'AutoShareWks' to 0.