TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting values of
'AutoShareServer' and 'AutoShareWks' to 0.
Signature ID: 21043
Microsoft SMB C$ Hidden Share Access
Threat Level: Severe
Signature Description: This rule triggers on an attempt to connect to a hidden administrative share (for example
C$) on destination port 139. Every Windows NT-based system (NT/2000/XP/2003) automatically creates a hidden share for
the root of each fixed disk volume, named after the drive letter with a "$" appended (C$, D$, and so on), plus ADMIN$
for the system folder. These shares give anyone who can authenticate as a member of the local Administrators group
access to the root directory of every drive on the system, and therefore to its entire contents, remotely. They are
rarely used or useful outside an enterprise environment, and leaving them reachable from untrusted networks is poor
security practice. To stop Windows from creating them, open the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and set the REG_DWORD values
'AutoShareServer' (server editions) and 'AutoShareWks' (workstation editions) to 0. The value only prevents the shares
from being recreated: shares that already exist remain until the Server service restarts or they are removed with
'net share C$ /delete'. Expect remote administration tooling that depends on C$ or ADMIN$ to stop working once they
are gone.
Signature ID: 21044
Microsoft SMB C$ Hidden Share Access
Threat Level: Severe
Signature Description: Every Windows NT-based system (NT/2000/XP/2003) automatically creates a network share for
every hard drive. These administrative shares are default shares created by Windows, named after the drive letter with
a "$" appended (for example, C$). They allow anyone who can authenticate as a member of the local Administrators group
to reach the root directory of every hard drive on the system, and thus to access its contents remotely. They are not
generally used or useful outside an enterprise environment, and allowing remote access to them is poor security
practice. It is recommended to disable these hidden shares by editing the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting the values of
'AutoShareServer' and 'AutoShareWks' to 0.
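To show what signatures 21043 and 21044 look for on the wire, the following is an added example and not the TMS zl Module's own rule logic: a small C parser that extracts the share path from an SMB1 Tree Connect AndX request (the request that both port 139 and port 445 traffic carry behind a 4-byte length header) and flags a connect to a drive share such as C$ or to ADMIN$. The sample requests are constructed inside the block with a hypothetical server name FILESRV; the header offsets follow the SMB1 layout, and leaving IPC$ unflagged is a design choice made here so the check does not fire on every session.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB_COM_TREE_CONNECT_ANDX 0x75
#define SMB_FLAGS2_UNICODE        0x8000
static const uint8_t SMB_MAGIC[4] = { 0xFF, 'S', 'M', 'B' };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pull the share path out of an SMB1 Tree Connect AndX request. `frame` begins with the
 * 4-byte length header used by both the NetBIOS session service (139) and direct-hosted
 * SMB (445); the 32-byte SMB header follows, then WordCount (offset 32), four parameter
 * words, ByteCount (offset 41) and the data block: Password, Path, Service. The path is
 * copied to `out` as ASCII (UTF-16 units outside ASCII become '?'). Returns the path
 * length, or -1 if this is not a well-formed Tree Connect AndX. */
int smb_tree_connect_path(const uint8_t *frame, size_t len, char *out, size_t outlen)
{
    if (len < 4 + 43 || outlen == 0) return -1;
    const uint8_t *smb = frame + 4;
    size_t smblen = len - 4;
    if (memcmp(smb, SMB_MAGIC, 4) != 0) return -1;
    if (smb[4] != SMB_COM_TREE_CONNECT_ANDX) return -1;   /* Command */
    if (smb[32] != 4) return -1;                          /* WordCount */
    uint16_t flags2 = le16(smb + 10);
    size_t pos = 43 + le16(smb + 39);                     /* skip Password */
    size_t end = 43 + le16(smb + 41);                     /* ByteCount bounds the data */
    if (end > smblen) return -1;
    size_t n = 0;
    if (flags2 & SMB_FLAGS2_UNICODE) {
        if (pos & 1) pos++;                               /* Unicode path is 2-byte aligned */
        for (; pos + 1 < end && (smb[pos] | smb[pos + 1]); pos += 2) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (smb[pos + 1] == 0 && smb[pos] < 0x80) ? (char)smb[pos] : '?';
        }
    } else {
        for (; pos < end && smb[pos]; pos++) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)smb[pos];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Copy the upper-cased share name (text after the last backslash) to `share`; return 1 if
 * it is a default administrative share (a drive share like C$, or ADMIN$). IPC$ is not
 * flagged on purpose: every SMB session connects to it, so it would alert on everything. */
int is_admin_share(const char *path, char *share, size_t sharelen)
{
    const char *p = strrchr(path, '\\');
    p = p ? p + 1 : path;
    size_t n = strlen(p);
    if (n + 1 > sharelen) return 0;
    for (size_t i = 0; i <= n; i++) share[i] = (char)toupper((unsigned char)p[i]);
    if (n == 2 && isalpha((unsigned char)share[0]) && share[1] == '$') return 1;
    return strcmp(share, "ADMIN$") == 0;
}

/* Constructed test input (not a capture): a Tree Connect AndX for `path` with an empty
 * password and the wildcard "?????" service type. Returns the frame length, 0 on error. */
size_t build_tree_connect(uint8_t *buf, size_t buflen, const char *path, int unicode)
{
    size_t plen = strlen(path);
    size_t pathbytes = unicode ? 2 * (plen + 1) : plen + 1;
    size_t bcc = 1 + pathbytes + 6;                       /* Password + Path + Service */
    size_t smblen = 43 + bcc;
    if (buflen < 4 + smblen) return 0;
    uint8_t *smb = buf + 4;
    memset(smb, 0, 43);
    memcpy(smb, SMB_MAGIC, 4);
    smb[4] = SMB_COM_TREE_CONNECT_ANDX;
    smb[9] = 0x18;                                        /* Flags: canonical, case-insensitive */
    if (unicode) smb[11] = 0x80;                          /* Flags2 = 0x8000, little-endian */
    smb[32] = 4; smb[33] = 0xFF;                          /* WordCount; AndXCommand = none */
    smb[39] = 1;                                          /* PasswordLength: one NUL byte */
    smb[41] = (uint8_t)bcc; smb[42] = (uint8_t)(bcc >> 8);
    uint8_t *d = smb + 43;
    *d++ = 0;                                             /* Password; path starts at even offset 44 */
    for (size_t i = 0; i <= plen; i++) { *d++ = (uint8_t)path[i]; if (unicode) *d++ = 0; }
    memcpy(d, "?????", 6);
    buf[0] = 0; buf[1] = (uint8_t)(smblen >> 16); buf[2] = (uint8_t)(smblen >> 8); buf[3] = (uint8_t)smblen;
    return 4 + smblen;
}

/* The signature check: 1 if `frame` is a Tree Connect to an administrative share. */
int hidden_share_alert(const uint8_t *frame, size_t len, char *share, size_t sharelen)
{
    char path[256];
    if (smb_tree_connect_path(frame, len, path, sizeof path) < 0) return 0;
    return is_admin_share(path, share, sharelen);
}

/* Build a request for `path` and run the check in one step; -1 if it could not be built. */
int sample_alerts(const char *path, int unicode)
{
    uint8_t frame[512];
    char share[32];
    size_t n = build_tree_connect(frame, sizeof frame, path, unicode);
    return n ? hidden_share_alert(frame, n, share, sizeof share) : -1;
}

int main(void)
{
    const char *paths[] = { "\\\\FILESRV\\C$", "\\\\FILESRV\\admin$", "\\\\FILESRV\\Public", "\\\\FILESRV\\IPC$" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s unicode=%d ascii=%d\n", paths[i], sample_alerts(paths[i], 1), sample_alerts(paths[i], 0));
    return 0;
}
```

The check keys on the share name, not on the port, so the same function serves a rule on 139 and one on 445; a real engine would also track the SMB session so that a Tree Connect is only evaluated after a successful Session Setup, which keeps unauthenticated probes from counting as share access.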
Signature ID: 21045
Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2003-0812 Bugtraq: 9011 Nessus: 11921
Signature Description: A remote buffer overflow vulnerability exists in the Windows Workstation Service
(WKSSVC.DLL). The flaw lies in the network management functions the service exposes over DCE/RPC. A logging routine
in WKSSVC.DLL uses vsprintf() to write entries to its log file; because the parameters passed to vsprintf() are not
bounds-checked, an overlong string overflows the fixed-size buffer. A remote attacker who can send a specially crafted
RPC request to a vulnerable system can exploit this to execute arbitrary code with SYSTEM privileges. Microsoft
addressed the issue in security bulletin MS03-049 (affected: Windows 2000 and Windows XP); confirm that the update is
installed and restrict the ports used to reach the Workstation Service RPC interface (TCP 139 and 445) from untrusted
networks.
Signature ID: 21046
Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0812 Bugtraq: 9011 Nessus: 11921
Signature Description: A remote buffer overflow vulnerability exists in the Windows Workstation Service
(WKSSVC.DLL). The flaw lies in the network management functions the service exposes over DCE/RPC. A logging routine
in WKSSVC.DLL uses vsprintf() to write entries to its log file; because the parameters passed to vsprintf() are not
bounds-checked, an overlong string overflows the buffer. A remote attacker who can send a specially crafted RPC
request to a vulnerable system can exploit this vulnerability to execute arbitrary code with SYSTEM privileges.
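The defect described for signatures 21045 and 21046 is an unbounded vsprintf() into a fixed buffer. The following is an added example, not code from WKSSVC.DLL or from this guide: a logging helper written in that vulnerable shape beside a bounded replacement, both run against a constructed oversized name. The 64-byte line size, the arena layout, the canary and the format string are assumptions chosen for the demonstration; the real buffer sizes and function names inside the Workstation Service are not on the page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTION: a fixed-size log line standing in for the "limited buffer" in the
 * description; the real buffer size inside WKSSVC.DLL is not given on the page. */
#define LOG_LINE_MAX 64
#define ARENA_SIZE   4096
static const char CANARY[] = "CANARY-INTACT";

/* Vulnerable pattern: vsprintf() formats into `line` without knowing its size, so a
 * caller-controlled string longer than the line is written straight past its end. */
int log_entry_unchecked(char *line, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(line, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened replacement: pass the real size and check the result. vsnprintf() returns
 * the length the whole message would have had, so n >= size means the line was cut
 * off; report that as -2 so the caller can reject the request instead of silently
 * logging a truncated, attacker-shaped entry. */
int log_entry_bounded(char *line, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(line, size, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    if ((size_t)n >= size) return -2;
    return n;
}

/* Harness: one heap block laid out as [LOG_LINE_MAX line][canary][slack]. An overrun of
 * the line shows up as a changed canary while every byte written still lands inside
 * the same allocation, so the demonstration itself stays well-defined. */
static char *arena_new(void)
{
    char *mem = calloc(1, ARENA_SIZE);
    if (mem) memcpy(mem + LOG_LINE_MAX, CANARY, sizeof CANARY);
    return mem;
}

static int canary_clobbered(const char *mem)
{
    return memcmp(mem + LOG_LINE_MAX, CANARY, sizeof CANARY) != 0;
}

/* Constructed input: a name of `len` 'A's, the shape of an oversized RPC string argument. */
static char *make_name(size_t len)
{
    char *name = malloc(len + 1);
    if (name) { memset(name, 'A', len); name[len] = '\0'; }
    return name;
}

/* 1 if the unchecked logger overran the line for a name of this length, 0 if it did not,
 * -1 if the name would not even fit the arena or allocation failed. */
int unchecked_overruns(size_t name_len)
{
    char *mem = arena_new(), *name = make_name(name_len);
    int hit = -1;
    if (mem && name && name_len + 32 < ARENA_SIZE) {
        log_entry_unchecked(mem, "validate name: '%s'", name);
        hit = canary_clobbered(mem);
    }
    free(name); free(mem);
    return hit;
}

/* Return value of the bounded logger for a name of this length (-2 = truncated), or -3
 * if the canary was touched, which the bounded version must never do. */
int bounded_result(size_t name_len)
{
    char *mem = arena_new(), *name = make_name(name_len);
    int rc = -1;
    if (mem && name) {
        rc = log_entry_bounded(mem, LOG_LINE_MAX, "validate name: '%s'", name);
        if (canary_clobbered(mem)) rc = -3;
    }
    free(name); free(mem);
    return rc;
}

int main(void)
{
    printf("unchecked: 5-char name overruns=%d, 200-char name overruns=%d\n",
           unchecked_overruns(5), unchecked_overruns(200));
    printf("bounded:   5-char name rc=%d, 200-char name rc=%d (-2 = truncated, canary intact)\n",
           bounded_result(5), bounded_result(200));
    return 0;
}
```

The -2 return from the bounded version is the point of the fix: a message that does not fit the line is evidence that the request was out of specification, and the caller should fail the call rather than treat truncation as cosmetic. On a real service the overrun in the unchecked version lands on whatever follows the buffer (stack return addresses in the case described above), which is what turns a logging bug into remote code execution.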