TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature Description: Microsoft SQL Server is a relational database management system (RDBMS) produced by
Microsoft. SQL Server 2000 and MSDE 2000 can install multiple copies (instances) of SQL Server on a
single machine so that these instances appear to be completely separate database servers. By default, the first
instance uses the standard SQL Server session port, TCP/1433, and the other instances are allocated their own port
numbers dynamically. The SQL Server Resolution Service (SSRS), which operates on UDP port 1434, provides a way
for clients to query for the appropriate network endpoints to use for a particular SQL Server instance. The SSRS in
SQL Server 2000 and MSDE 2000 is vulnerable to a remotely exploitable stack overflow. If the client sends a packet
whose first byte is 0x04 followed by a string, SQL Server copies the string in between
"HKLM\Software\Microsoft\Microsoft SQL Server\" and "\MSSQLServer\CurrentVersion" and uses the resulting
registry value to respond to the client with the current version of the SQL Server. For example, when sent
\x04\x41\x41\x41\x41 (0x04 followed by 4 upper case 'A's), SQL Server attempts to open
"HKLM\Software\Microsoft\Microsoft SQL Server\AAAA\MSSQLServer\CurrentVersion". SSRS appends this string
without any length check, so a large string can overflow the buffer. By sending a specially-crafted request to
UDP port 1434 with the first byte set to 0x04, a remote attacker could overflow a buffer and cause the SQL Server
service to crash or execute arbitrary code on the system with the same privileges as the SQL Server. The Slammer
worm uses this vulnerability to propagate. Apply the patch for this vulnerability, as listed in Microsoft Security
Bulletin MS02-039.
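The missing length check described above, written as a bounded version of the key construction. This is an added example, not Microsoft's code or code from this guide; the function name, the 128-byte buffer size and the NUL/end-of-datagram framing of the name are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define KEY_PREFIX "HKLM\\Software\\Microsoft\\Microsoft SQL Server\\"
#define KEY_SUFFIX "\\MSSQLServer\\CurrentVersion"
#define KEY_BUF_SIZE 128 /* assumed size for this sketch */

/* Build the registry path for a type-0x04 request into out[out_size].
 * Returns 0 on success; -1 if the datagram is not a 0x04 request, carries
 * no name, or the finished path would not fit in out. */
int build_version_key(const unsigned char *pkt, size_t pkt_len,
                      char *out, size_t out_size)
{
    if (!pkt || !out || pkt_len < 2 || pkt[0] != 0x04)
        return -1;

    /* Name = bytes after the type byte, ending at the first NUL or at the
     * end of the datagram (assumed framing; never read past pkt_len). */
    const unsigned char *name = pkt + 1;
    const unsigned char *nul = memchr(name, 0, pkt_len - 1);
    size_t name_len = nul ? (size_t)(nul - name) : pkt_len - 1;
    if (name_len == 0)
        return -1;

    /* The length check the description says is missing: prefix + name +
     * suffix + terminator must fit before anything is written. */
    size_t fixed = strlen(KEY_PREFIX) + strlen(KEY_SUFFIX) + 1;
    if (out_size < fixed || name_len > out_size - fixed)
        return -1;

    int n = snprintf(out, out_size, "%s%.*s%s", KEY_PREFIX,
                     (int)name_len, (const char *)name, KEY_SUFFIX);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample datagrams. */
    const unsigned char ok[] = { 0x04, 'A', 'A', 'A', 'A' };
    unsigned char big[400];
    char key[KEY_BUF_SIZE];

    memset(big, 'A', sizeof big);
    big[0] = 0x04;
    if (build_version_key(ok, sizeof ok, key, sizeof key) == 0)
        printf("accepted: %s\n", key);
    if (build_version_key(big, sizeof big, key, sizeof key) != 0)
        printf("rejected: %zu-byte request\n", sizeof big);
    return 0;
}
```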
Signature ID: 30016
VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3116
Bugtraq: 15353
Signature Description: VERITAS NetBackup is a backup and recovery software solution. The general format of
exchanged messages consists of a message that indicates the data length in big-endian format, followed by the data. A
buffer overflow vulnerability exists in a shared library used by the Volume Manager Daemon of NetBackup versions 5.0
and 5.1. The buffer overflow occurs due to improper bounds checking of user input. A remote attacker who
successfully exploits this vulnerability can gain access to the affected library and possibly execute arbitrary code with
elevated privileges. To protect against this attack, close port 13701 to external users. This signature detects when an
attacker tries to send a large amount of data rather than the specified length of data.
Signature ID: 30017
Ipswitch IMail Web Calendaring Server Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1252
Bugtraq: 13727
Signature Description: Ipswitch Collaboration Suite (ICS) is a comprehensive communication and collaboration
solution for Microsoft Windows. The ICS includes a web calendaring module that listens on TCP port 8484 by default.
IMail Server version 8.13 and possibly other versions could allow a remote attacker to obtain sensitive information
because of a vulnerability in the handling of requests for nonexistent JavaScript files. A remote, unauthenticated
attacker could request a nonexistent JavaScript file followed by a question mark, multiple sequences of (..\), and then
the path to a file on the system, to view arbitrary files on the system.
Signature ID: 30018
Ipswitch Whatsup Small Business Server Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1939
Bugtraq: 15291
Signature Description: Ipswitch WhatsUp Small Business 2004 is a program used to map and monitor small networks.
This application runs an HTTP server that operates on TCP port 8022 to provide access to utilities and reports from any
web browser. WhatsUp Small Business 2004 is vulnerable to directory traversal. A remote attacker could send a
specially-crafted URL request containing "dot dot" sequences (/../) or (\..\) to traverse directories and view arbitrary
files on the Web server.