TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
commands with the privileges of the user. An attacker may also be able to perform other file system activities, such as
copying or deleting files.
Signature ID: 30099
Audio File Transfer by Chunked Transfer Encoding and gzip Content Encoding
Threat Level: Warning
Signature Description: Chunked transfer encoding is one way in which an HTTP server may transmit data to a client
application. It is usually needed when the final size of the "file" being sent is not known when transmission begins.
This rule triggers when an audio file is transmitted with chunked transfer encoding and its content is encoded with the
gzip content-encoding scheme. Attackers use this technique to evade IDS/IPS and deliver a malicious audio file that can
exploit one or more vulnerabilities.
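As an added example (not part of this guide), the following Python check reassembles a chunked, gzip-encoded HTTP response and flags the audio-content combination this signature describes; it generalizes to any chunked+gzip response, so content inspection runs on the decoded bytes rather than the wire form. The sample response is constructed inline and is not captured traffic.

```python
import gzip

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def dechunk(body):
    """Reassemble a chunked body (RFC 7230 section 4.1); ValueError on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)  # trailer section, if any, is ignored here
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2

def inspect_response(raw):
    """Return the decoded payload plus whether the chunked+gzip+audio combination is present."""
    _, headers, body = parse_response(raw)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    gzipped = "gzip" in headers.get("content-encoding", "").lower()
    audio = headers.get("content-type", "").lower().startswith("audio/")
    payload = dechunk(body) if chunked else body
    if gzipped:
        payload = gzip.decompress(payload)  # content-coding is removed after transfer-coding
    return {"alert": chunked and gzipped and audio, "payload": payload}

def build_sample():
    """Constructed sample (not real traffic): a fake RIFF/WAVE header sent gzip'd in two chunks."""
    fake_audio = b"RIFF" + b"\x00" * 60 + b"WAVEfmt "
    gz = gzip.compress(fake_audio)
    half = len(gz) // 2
    body = (b"%x\r\n" % half + gz[:half] + b"\r\n"
            + b"%x\r\n" % (len(gz) - half) + gz[half:] + b"\r\n0\r\n\r\n")
    return (b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-wav\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + body)
```

Because the decoded payload is returned, a file-type check on its magic bytes can be applied regardless of how the transfer was framed.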
Signature ID: 30100
NullSoft Winamp IN_CDDA.dll File Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1150 Bugtraq: 12381
Signature Description: Winamp is a media player for Microsoft Windows developed by NullSoft. Winamp versions
5.08 and earlier are vulnerable to a stack-based buffer overflow caused by improper bounds checking of .cda files
within a .m3u or .pls playlist file. The vulnerability exists in the cdda.dll library, where Winamp handles
CDDA entries contained in playlist files. It can be triggered by a URI of the format "cda://<overlong string>" in the
playlist file. By convincing a user to open a specially crafted playlist file, a remote, unauthenticated attacker may be
able to execute arbitrary code. This can be achieved with a specially crafted web page or other HTML document
that may launch Winamp without any user interaction. Users are advised to install a newer version of Winamp.
Signature ID: 30164
Automated Execution of Telnet Protocol Using IFRAME Tag
Threat Level: Warning
Signature Description: The 'iframe' tag is used to insert an inline frame into the body of an HTML document. If an
HTML page contains an iframe tag that references the telnet:// protocol, the telnet handler is launched when a user opens
the HTML page. Attackers use this technique to construct a malicious web document and automate the exploitation of
vulnerabilities.
Signature ID: 30165
TWiki rev Parameter Shell Command Injection Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2877 Bugtraq: 14834
Signature Description: TWiki is a web-based collaborative publishing environment. TWiki does not sanitize
user-controlled URI parameters supplied to the revision control function for malicious content. Specifically, the rev
parameter is not filtered for shell metacharacters before being used to construct a shell command. By sending a
specially crafted URI to a system running TWiki, a remote, unauthenticated attacker may be able to execute arbitrary
commands on that system. This signature detects these metacharacters in unencoded form. TWiki has released a hotfix
to address this issue.
Signature ID: 30166
Trend Micro ServerProtect isaNVWRequest.dll/relay.dll Heap Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1929 CVE-2005-3964 CVE-2005-3977 Bugtraq: 15685,15686
Signature Description: Trend Micro ServerProtect is an enterprise-level antivirus application for servers. ServerProtect
for NT version 5.58, and possibly earlier versions, are vulnerable to a heap-based buffer overflow in the relay.dll and