TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
757
caused by a canonicalization vulnerability. The web.config file prevents access to files unless a user is properly
authenticated. A remote attacker could use Mozilla and send a specially-crafted URL request containing a backslash (\)
or use Microsoft Internet Explorer to send a request containing a URL encoded backslash (%5C) to bypass this
authentication method and gain unauthorized access to the restricted resource. An attacker can send a HTTP GET
request with a specially crafted URL that contains a backslash instead of a forward slash to gain access to the requested
resource without having to authenticate.
Signature ID: 32782
Microsoft .NET Framework Buffer Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2007-0041
Bugtraq: 24778
Signature Description: A remote code execution vulnerability exists in .NET Framework that could allow an attacker
who successfully exploited this vulnerability to make changes to the system with the permissions of the logged-on user.
An attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to
convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
After they click the link, they would be prompted to perform several actions. An attack could only occur after they
performed these actions. Exploit attempts of this vulnerability are detected using a combination of two signatures. This
is the second signature and generates a log message.
Signature ID: 32785
HTTP MS Office MSODataSourceControl ActiveX Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-3282 Bugtraq: 24462
Signature Description: Microsoft Office MSODataSourceControl ActiveX Control is prone to a buffer-overflow
vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently
sized buffer. This issue occurs when an excessive amount of data is passed to the DeleteRecordSourceIfUnused()
method of the MSODataSourceControl ActiveX control. The successful exploitation may allow an attacker to overflow
a buffer and execute arbitrary code on the system or cause the victim's browser to crash. Set a kill bit for the ActiveX
control with CLSID 0002E55B-0000-0000-C000-000000000046.
Signature ID: 32798
CA eTrust Intrusion Detection Caller.CallCode Code Execution
Threat Level: Severe
Industry ID: CVE-2007-3302
Bugtraq: 25050
Signature Description: Computer Associates eTrust Intrusion Detection is a network intrusion management and
prevention system, that includes real-time session monitoring and Internet web filtering capabilities. eTrust Intrusion
Detection is vulnerable to remote code execution via Caller.dll ActiveX Control. While installation it registers the
ActiveX Control Caller.dll with clsid 41266C21-18D8-414B-88C0-8DCA6C25CEA0 as safe for scripting but this
ActiveX Control contains some scriptable functions which allow web pages to load arbitrary DLLs and call their
exports. A remote attacker could exploit this vulnerability by convincing a victim to visit a specially-crafted Web page.
Refer to CA SupportConnect document for patch information or possible workarounds. This signature detects attacks
using PROGID.
Signature ID: 32808
Microsoft Internet Explorer Speech API ActiveX Control FindEngine Method Buffer Overflow
Vulnerability
Threat Level: Severe
Industry ID: CVE-CVE-2007-2222 Bugtraq: 24426