TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
694
Signature ID: 30346
HP-UX ldcconn Daemon Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2007-4241 Bugtraq: 25227
Signature Description: Cisco LocalDirector is a server load balancing appliance. Systems running HP-UX have HP
Controller for Cisco Local Director service also known as 'ldcconn' and can be used to interface with this appliance. By
default ldcconn listens on TCP port 17781. HP-UX 11.11i is vulnerable to a remote buffer overflow when a long string
is sent to the TCP port that ldcconn listens on. An attacker can exploit this issue to execute arbitrary code with
superuser privileges. Successful attacks will completely compromise affected computers. Vendor stated that affected
platform is no longer supported hence upgrade to a currently supported version of HP-UX. This rule may cause false
positives if ldcconn is not running on port 17781.
Signature ID: 30347
Microsoft XML Core Services XMLDOM/OLE Automation SubstringData Method Integer
Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2007-2223 CVE-2007-2224 Bugtraq: 25282,25301
Signature Description: Microsoft XML Core Services (MSXML) allows customers who use JScript, Visual Basic
Scripting Edition (VBScript), and Microsoft Visual Studio 6.0 to develop XML-based applications that provide
interoperability with other applications that adhere to the XML 1.0 standard. OLE Automation is an industry standard
that applications use to expose their OLE objects to development tools, macro languages, and other containers that
support OLE Automation. It is possible to execute arbitrary code via the parameters to substringData method on a
TextNode or XMLDOM object. substringData method takes two arguments, offset that specifies the offset from which
to start and count that specifies the number of characters to extract. If a large value is supplied for count parameter an
integer overflow occurs causing incorrect memory allocation. By convincing a user to view a specially crafted HTML
document, an attacker may be able to execute arbitrary code with the privileges of the user. Install the updates
mentioned in Microsoft Security Bulletin MS07-042 and MS07-043.
Signature ID: 30348
Microsoft Visual Basic 6 TBLinf32.DLL ActiveX Control Remote Code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-2216
Bugtraq: 25289
Signature Description: The Microsoft Visual Basic 6 TypeLib Information Library (TLI) ActiveX control is prone to a
remote code-execution vulnerability. The TypeLib Information object library, implemented in TlbInf32.dll is a set of
COM objects designed to make type library browsing functionality easily accessible to both Visual Basic and C++
programmers. The TypeLibInfoFromFile() function will accept a DLL file as argument and allows retrieval of
information from the DLL. A remote attacker may supply a DLL filename which is malicious via webdav/SMB share
path. The attacker supplied DLL have a malicious DLLGetDocumentation function which gets executed when a request
for the HelpString property is made. Install the vendor supplied patch mentioned in MS07-045 or set the killbit for
CLSID 8B217746-717D-11CE-AB5B-D41203C10000. This signature detects when an attacker try to exploit this
activex control by using CLSID.
Signature ID: 30349
Microsoft Visual Basic 6 TBLinf32.DLL ActiveX Control Remote Code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-2216
Bugtraq: 25289
Signature Description: The Microsoft Visual Basic 6 TypeLib Information Library (TLI) ActiveX control is prone to a
remote code-execution vulnerability. The TypeLib Information object library, implemented in TlbInf32.dll is a set of
COM objects designed to make type library browsing functionality easily accessible to both Visual Basic and C++