ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 21052
Samba 'Call_trans2open()' Remote Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2003-0201
Bugtraq: 7294 Nessus: 11523
Signature Description: Samba is an open source implementation of the SMB/CIFS protocol for UNIX flavors. Samba-TNG
is a forked development branch of Samba that provides file, print, and login services for various Microsoft Windows
clients. Samba versions prior to 2.2.8a and Samba-TNG versions prior to 0.3.2 are vulnerable to a remotely exploitable
buffer overflow. The vulnerability is in the file 'trans2.c', where a call to strncpy copies the data in a Trans2
request into a local buffer of 1024 bytes. By supplying a crafted SMB request that is more than 1024 bytes long, a
remote attacker may crash the server or execute arbitrary code with the privileges of the Samba application, which is
root by default. Upgrade or patch to Samba 2.2.8a or Samba-TNG 0.3.2 as provided by your vendor.
Signature ID: 21053
Repeated logon failure while accessing SMB share
Threat Level: Critical
Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates
a network share of every hard drive. These Administrative shares are the default shares created by Windows; each share
name consists of the drive letter followed by a "$". They give anyone who can authenticate as a member of the local
Administrators group access to the root directory of every hard drive on the system, and therefore remote access to
the share contents. This rule indicates that multiple failed attempts have been made to access an SMB network
share. This may indicate a determined effort by an unauthorized user to access information and data on a network
share. The rule triggers on repeated login attempts through SMB port 445.
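One way to express the logic behind signature 21053 over SMB logon records, as an added example that is not taken from the guide or from the TMS zl product. The threshold, time window, record layout and addresses are assumptions constructed for illustration; the guide does not state the values the signature uses.

```python
from collections import defaultdict, deque

SMB_PORT = 445
# Assumed tuning values; the guide does not publish the signature's thresholds.
THRESHOLD = 5         # failed logons from one source to one host
WINDOW_SECONDS = 60   # counted inside this sliding window

# Constructed sample records:
# (epoch seconds, source IP, target IP, target port, share, outcome)
SAMPLE_EVENTS = (
    # Burst of failures against an administrative share: should alert.
    [(1000 + 10 * i, "192.0.2.10", "198.51.100.5", 445, "C$", "failure")
     for i in range(5)]
    # Same number of failures spread over five minutes: should not alert.
    + [(1000 + 75 * i, "192.0.2.30", "198.51.100.5", 445, "D$", "failure")
       for i in range(5)]
    # A single mistyped password followed by a successful logon.
    + [(1005, "192.0.2.20", "198.51.100.5", 445, "C$", "failure"),
       (1008, "192.0.2.20", "198.51.100.5", 445, "C$", "success")]
)


def detect_repeated_failures(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert each time a source reaches `threshold` failed SMB
    logons to the same target within `window` seconds."""
    recent = defaultdict(deque)   # (source, target) -> failure timestamps
    alerts = []
    for ts, src, dst, port, share, outcome in sorted(events):
        # Only failed logons on the SMB port count. A success does not reset
        # the counter, so a valid logon in between cannot mask guessing.
        if port != SMB_PORT or outcome != "failure":
            continue
        times = recent[(src, dst)]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()       # drop failures that fell out of the window
        if len(times) >= threshold:
            alerts.append({"time": ts, "source": src, "target": dst,
                           "share": share, "failures": len(times)})
            times.clear()         # start counting again after alerting
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_failures(SAMPLE_EVENTS):
        print(alert)
```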
Signature ID: 21054
Microsoft WINS buffer overflow TCP
Threat Level: Information
Industry ID: CVE-2003-0825 Bugtraq: 9624 Nessus: 12051,15912
Signature Description: The Windows Internet Naming Service (WINS) maps IP addresses to NETBIOS computer
names. There is a vulnerability in the way WINS validates the length of specially crafted packets. This could allow an
attacker to cause WINS to crash or execute arbitrary code. According to Microsoft, this vulnerability will only cause a
denial of service on Windows Server 2003.
Signature ID: 21055
Microsoft WINS buffer overflow UDP
Threat Level: Information
Industry ID: CVE-2003-0825 Bugtraq: 9624 Nessus: 12051,15912
Signature Description: The Windows Internet Naming Service (WINS) maps IP addresses to NETBIOS computer
names. There is a vulnerability in the way WINS validates the length of specially crafted packets. This could allow an
attacker to cause WINS to crash or execute arbitrary code. According to Microsoft, this vulnerability will only cause a
denial of service on Windows Server 2003. While the vulnerable code exists in Windows NT and Windows 2000,
WINS will reject the specially crafted packet thus not causing a denial of service.
Signature ID: 21056
SMB Session Setup AndX request unicode username overflow
Threat Level: Critical
Bugtraq: 9752
Signature Description: A buffer overflow vulnerability exists in ISS RealSecure and BlackICE products. An attacker
can exploit this vulnerability by sending a single SMB packet containing an AccountName greater than
300 bytes. When it is exploited, the attacker can run arbitrary code on the host that is running these ISS products.