ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 30430
Microsoft Visual FoxPro FPOLE.OCX ActiveX Control FoxDoCmd Method Multiple Vulnerabilities
Threat Level: Severe
Industry ID: CVE-2007-4790 CVE-2007-5322 Bugtraq: 25571,25977
Signature Description: Microsoft Visual FoxPro is Microsoft's integrated development environment for the FoxPro programming language. Microsoft Visual FoxPro version 6.0 installs an ActiveX control, FPOLE.OCX, which is vulnerable to a stack-based buffer overflow via the FoxDoCmd method. A second vulnerability in FPOLE.OCX allows command execution via arguments to the FoxDoCmd function. By persuading a victim to visit a specially crafted Web page, a remote attacker could exploit these vulnerabilities to inject and execute arbitrary shell commands on the victim's system. No updates are available as of October 2007. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID EF28418F-FFB2-11D0-861A-00A0C903A97F. This signature detects attacks using PROGID and method.

Signature ID: 30431
Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Access Using Unicode
Threat Level: Severe
Industry ID: CVE-2007-4790 CVE-2007-5322 Bugtraq: 25571,25977
Signature Description: Microsoft Visual FoxPro is Microsoft's integrated development environment for the FoxPro programming language. Microsoft Visual FoxPro version 6.0 installs an ActiveX control, FPOLE.OCX, which is vulnerable to a stack-based buffer overflow via the FoxDoCmd method. A second vulnerability in FPOLE.OCX allows command execution via arguments to the FoxDoCmd function. By persuading a victim to visit a specially crafted Web page, a remote attacker could exploit these vulnerabilities to inject and execute arbitrary shell commands on the victim's system. This rule triggers when the CLSID is specified in a Web page via Unicode. No updates are available as of October 2007. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID EF28418F-FFB2-11D0-861A-00A0C903A97F. This signature detects attacks using CLSID in UTF encoding.

Signature ID: 30432
Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Access Using Unicode
Threat Level: Severe
Industry ID: CVE-2007-4790 CVE-2007-5322 Bugtraq: 25571,25977
Signature Description: Microsoft Visual FoxPro is Microsoft's integrated development environment for the FoxPro programming language. Microsoft Visual FoxPro version 6.0 installs an ActiveX control, FPOLE.OCX, which is vulnerable to a stack-based buffer overflow via the FoxDoCmd method. A second vulnerability in FPOLE.OCX allows command execution via arguments to the FoxDoCmd function. By persuading a victim to visit a specially crafted Web page, a remote attacker could exploit these vulnerabilities to inject and execute arbitrary shell commands on the victim's system. This rule triggers when the CLSID is specified in a Web page via Unicode. No updates are available as of October 2007. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID EF28418F-FFB2-11D0-861A-00A0C903A97F. This signature detects attacks using PROGID in UTF encoding.

Signature ID: 30433
Intuit QuickBooks Online Edition ActiveX Control httpGETToFile/httpPOSTFromFile Method Access
Threat Level: Warning
Industry ID: CVE-2007-4471 CVE-2007-0322 Bugtraq: 25544
Signature Description: Intuit QuickBooks Online Edition is a version of Intuit's popular QuickBooks bookkeeping
application implemented as an ActiveX control that can be run within Microsoft Internet Explorer. The QuickBooks