ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 21057
Internet Security Systems Protocol Analysis Module SMB Parsing Heap Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2004-0193 Bugtraq: 9752
Signature Description: The Internet Security Systems Protocol Analysis Module (PAM) component is vulnerable to a heap-based buffer overflow caused by a flaw in its parsing routines for the Server Message Block (SMB) protocol: certain protocol fields are not checked for size. Once a legitimate SMB connection to the server is established, a remote attacker might, under certain conditions, exploit this vulnerability to overwrite memory and execute arbitrary code on the system. This rule fires on the attack pattern directed at destination port 139.
Signature ID: 21058
Microsoft SMB Hidden Share Access
Threat Level: Severe
Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive. These administrative shares are the default shares created by Windows; their share names are the drive letter with a "$" appended (ADMIN$ is another such hidden share). They give anyone who can authenticate as a member of the local Administrators group remote access to the root directory of every hard drive on the system, and therefore to its entire contents. They are not generally used or useful outside of an enterprise environment. It is advised to disable these hidden shares by editing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting the values 'AutoShareServer' and 'AutoShareWks' to 0.
Signature ID: 21059
Microsoft SMB ADMIN$ Hidden Share Access
Threat Level: Severe
Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive. These administrative shares are the default shares created by Windows; their share names are the drive letter with a "$" appended (ADMIN$ is another such hidden share). They give anyone who can authenticate as a member of the local Administrators group remote access to the root directory of every hard drive on the system, and therefore to its entire contents. They are not generally used or useful outside of an enterprise environment, and allowing remote access to these shares is poor security practice. It is advised to disable these hidden shares by editing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting the values 'AutoShareServer' and 'AutoShareWks' to 0.
Signature ID: 21062
Access to SMB share from External Network
Threat Level: Warning
Signature Description: This rule detects any attempt to access an SMB share on a Windows or Linux host from the external network. Granting share access without proper permissions should be treated as a security risk.
Signature ID: 21063
Internet Security Systems Protocol Analysis Module SMB Parsing Heap Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2004-0193 Bugtraq: 9752
Signature Description: The Internet Security Systems Protocol Analysis Module (PAM) component is vulnerable to a heap-based buffer overflow caused by a flaw in its parsing routines for the Server Message Block (SMB) protocol: certain protocol fields are not checked for size. Once a legitimate SMB connection to the server is established, a remote