TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 21202
Microsoft PPTP Service Malformed Control packet DOS
Threat Level: Information
Industry ID: CVE-2002-1214 Bugtraq: 5807
Signature Description: Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC
2637) that enables users to create and use virtual private networks (VPNs). Through VPN technologies such as PPTP,
users can create secure connections to a remote network, even though the data may transit insecure networks like the
Internet. A security vulnerability exists in the Windows 2000 and Windows XP implementations of Microsoft PPTP
because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear
down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could
corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system. Normal operation
on any attacked system could be restored by restarting the system. This signature checks the PPTP message type part of
the header for a malformed value.
Signature ID: 21203
SMB NT Create AndX Request issued over \srvsvc
Threat Level: Information
Signature Description: This rule detects an 'NT Create AndX' request issued on \srvsvc (Microsoft Server Service).
Srvsvc requests can be used to obtain very granular information about the remote system. To transmit this
request to a target machine, an authenticated session must be established using the standard Session Setup AndX SMB
request, followed by a Tree Connect AndX to the IPC$ share. An NT Create AndX request can then be issued on the \srvsvc
named pipe. Once the request is handled successfully, the returned file descriptor can be used for the DCERPC bind
request to the srvsvc UUID. Once this bind request completes successfully, the attacker can request sensitive
information about the Windows machine.
Signature ID: 21204
Microsoft PPTP Service Malformed Control packet DOS
Threat Level: Information
Industry ID: CVE-2002-1214 Bugtraq: 5807
Signature Description: Point-to-Point Tunneling Protocol (PPTP) is an industry standard protocol (defined in RFC
2637) that enables users to create and use virtual private networks (VPNs). Through VPN technologies such as PPTP,
users can create secure connections to a remote network, even though the data may transit insecure networks like the
Internet. A security vulnerability exists in the Windows 2000 and Windows XP implementations of Microsoft PPTP
because of an unchecked buffer in a section of code that processes the control data used to establish, maintain and tear
down PPTP connections. By delivering specially malformed PPTP control data to an affected server, an attacker could
corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system. Normal operation
on any attacked system could be restored by restarting the system. This signature checks the Control Message Type
part of the header for a malformed value.
Signature ID: 21704
Microsoft RPC Locator Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0003 Bugtraq: 6666
Signature Description: A buffer overflow vulnerability in the Microsoft Windows Locator service could allow a remote
attacker to execute arbitrary code or cause the Windows Locator service to fail. The buffer overflow can be caused by
searching entry names for bindings for a very long string. The vulnerability exists in an insecure call to wcscpy().