ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current web, FTP,
and email sessions will be terminated. IIS will automatically restart and normal service will resume.
Signature ID: 21134
MS Excel Remote Code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3059 Bugtraq: 18422
Signature Description: Microsoft Excel is vulnerable to a buffer overflow. By creating a malicious Excel file, a remote
attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user once the Excel
file is opened. An attacker could exploit this vulnerability by sending the malicious file to a victim as an email
attachment, or by hosting it on a Web site and persuading the victim to visit that page. Successfully exploiting this issue
allows attackers to execute arbitrary code in the context of targeted users. Vulnerable platforms are Microsoft Excel 2000,
Excel 2002, Excel 2003, Excel 2004 Mac OS, Excel XP, Excel Viewer 2003, Office 2000 SP3, Office 2003 SP1,
Office 2003 SP2, Office 2004, Office X Mac OS, Office XP SP3.
Signature ID: 21135
Microsoft IE CreateTextRange Remote Code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-1359 Bugtraq: 17196
Signature Description: Microsoft Internet Explorer 5.0.1 is vulnerable to remote code execution. The issue is due to
a flaw when calling the createTextRange() method with a "Checkbox" object, which results in an invalid table-pointer
dereference. Remote attackers may exploit this issue to crash affected browsers or to execute arbitrary machine
code in the context of affected users. To exploit it, the attacker has to persuade victims to visit the malicious web
page.
Signature ID: 21136
Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0059 Bugtraq: 13112
Signature Description: Microsoft Message Queuing (MSMQ) technology enables Windows-based applications that are
running at different times to communicate across heterogeneous networks and across systems that may be temporarily
offline. Applications contact the MSMQ server, and communication between them can happen via RPC or HTTP-based
delivery. A buffer overflow vulnerability exists because the MSMQ server does not properly check the messages
received via RPC. An attacker could try to exploit the vulnerability by creating a specially crafted message and sending
it to a vulnerable MSMQ server. Successful exploitation of the vulnerability results in execution of arbitrary
code with SYSTEM privileges.
Signature ID: 21201
SMB NT Create AndX Request issued over \winreg
Threat Level: Warning
Signature Description: This rule detects an NT Create AndX request that is issued on \winreg. WinReg requests can be
used to obtain very granular information about the remote system registry. To transmit this request to a target machine,
an authenticated session must be established using the standard 'Session Setup AndX SMB' request. After that, a 'Tree
Connect AndX' to the IPC$ share should be issued, followed by an 'NT Create AndX' request on the \winreg named pipe.
Once the request is handled successfully, the returned file descriptor can be used for the DCERPC bind
request to the winreg UUID. Once this bind request is completed successfully, the attacker can request sensitive
information about the Windows Registry.
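
The following is an added example, not the TMS zl module's own signature logic: a Python sketch of the check that signature 21201 describes, limited to the 'NT Create AndX' step. It parses an SMB1 message and reports whether it is a request to open the \winreg named pipe. It assumes the NetBIOS session header has already been stripped; the function names and the constructed sample builder are hypothetical.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
NT_CREATE_ANDX = 0xA2        # SMB_COM_NT_CREATE_ANDX
FLAGS_REPLY = 0x80           # set in server responses
FLAGS2_UNICODE = 0x8000      # names are UTF-16LE
HEADER_LEN = 32
WORD_COUNT = 24              # parameter words in the request


def nt_create_filename(msg: bytes):
    """Return FileName from an SMB1 NT Create AndX request, else None."""
    bytes_at = HEADER_LEN + 1 + 2 * WORD_COUNT      # offset of ByteCount
    if len(msg) < bytes_at + 2 or msg[:4] != SMB1_MAGIC:
        return None
    if msg[4] != NT_CREATE_ANDX or msg[9] & FLAGS_REPLY:
        return None
    if msg[HEADER_LEN] != WORD_COUNT:
        return None
    flags2, = struct.unpack_from("<H", msg, 10)
    name_len, = struct.unpack_from("<H", msg, HEADER_LEN + 6)
    byte_count, = struct.unpack_from("<H", msg, bytes_at)
    start = bytes_at + 2
    end = min(start + byte_count, len(msg))         # never read past the buffer
    if flags2 & FLAGS2_UNICODE:
        start += start % 2                          # pad byte aligns the name
        name = msg[start:min(start + name_len, end)].decode("utf-16-le", "replace")
    else:
        name = msg[start:min(start + name_len, end)].decode("latin-1")
    return name.rstrip("\x00")


def is_winreg_open(msg: bytes) -> bool:
    """True when the request opens the \\winreg named pipe (case-insensitive)."""
    name = nt_create_filename(msg)
    return name is not None and name.lower().lstrip("\\") == "winreg"


def build_sample(name: str, unicode_names: bool = True) -> bytes:
    """Constructed request for testing the parser; not captured traffic."""
    flags2 = FLAGS2_UNICODE if unicode_names else 0
    header = (SMB1_MAGIC + bytes([NT_CREATE_ANDX]) + b"\0" * 4 + b"\x18"
              + struct.pack("<H", flags2) + b"\0" * 20)
    if unicode_names:
        data = b"\0" + name.encode("utf-16-le") + b"\0\0"
        name_len = len(data) - 1
    else:
        data = name.encode("latin-1") + b"\0"
        name_len = len(data)
    words = struct.pack("<BBHBH", 0xFF, 0, 0, 0, name_len) + b"\0" * 41
    return header + bytes([WORD_COUNT]) + words + struct.pack("<H", len(data)) + data
```

A production sensor would also track the preceding 'Tree Connect AndX' to IPC$ on the same session before raising the alert, which this sketch leaves out.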