TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

corresponds to an existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum, and any key
specified will be considered valid and appended to this registry string using a wsprintfW call. Therefore, providing
a large string of backslashes can overflow the buffer and cause a denial of service or execution of attacker-supplied
arbitrary code. Administrators are advised to install the update mentioned in MS05-047.
Signature ID: 21076
Microsoft Windows DCOM RPC possible buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0352 Bugtraq: 8205 Nessus: 11808
Signature Description: A vulnerability exists in Microsoft Windows RPC processing logic, which is unable to handle a
malformed RPC message. This vulnerability exists in Cisco Secure Access Control Server 3.1.1 and prior versions.
This vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC
enabled ports. Windows RPCSS service is unable to check message inputs under certain circumstances. After
establishing a connection, an attacker could send a specially crafted malformed RPC message to cause the underlying
Distributed Component Object Model (DCOM) process on the remote system to fail in such a way that arbitrary code
could be executed. To exploit this vulnerability, the attacker would require the ability to send a specially crafted request
to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine. This rule is triggered
due to the attempt to access the vulnerable API.
Signature ID: 21077
Microsoft Windows DCOM RPC possible buffer overflow attempt (2)
Threat Level: Critical
Industry ID: CVE-2003-0352 Bugtraq: 8205 Nessus: 11808
Signature Description: A vulnerability exists in Microsoft Windows RPC processing logic, which is unable to handle a
malformed RPC message. This vulnerability affects a Distributed Component Object Model (DCOM) interface with
RPC, which listens on RPC enabled ports. Windows RPCSS service is unable to check message inputs under certain
circumstances. After establishing a connection, an attacker could send a specially crafted malformed RPC message to
cause the underlying Distributed Component Object Model (DCOM) process on the remote system to fail in such a way
that arbitrary code could be executed. To exploit this vulnerability, the attacker would require the ability to send a
specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote
machine. This rule is triggered due to the attempt to access the vulnerable API. (MS03-026)
Signature ID: 21083
A possible attempt to hack into the system using .WMF (with escape() function) (Any port)
Threat Level: Critical
Industry ID: CVE-2005-4560 Bugtraq: 16074
Signature Description: This rule detects an attempt to hack into the system by letting a user download a specially
crafted WMF file (on any port) on Windows XP or Windows 2003 Server. The WMF vulnerability uses images (WMF
images) to execute arbitrary code. This code executes when the image is viewed. In most cases, the user need not click
anything. Even images stored on the system may cause the exploit to be triggered if they are indexed by any indexing
software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.
Signature ID: 21085
Windows TNEF Decoding vulnerability
Threat Level: Information
Industry ID: CVE-2006-0002 Bugtraq: 16197
Signature Description: Transport Neutral Encapsulation Format (TNEF) is a proprietary e-mail attachment format used
by Microsoft Outlook and Microsoft Exchange Server. An attached file with TNEF encoding is usually called
winmail.dat or win.dat and has a MIME type of Application/MS-TNEF. A remote code execution vulnerability exists
in Microsoft Outlook and Microsoft Exchange Server because of the way that they decode the Transport Neutral