ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

request to the SpntSvc.exe service on TCP port 5168, a remote attacker could overflow a buffer and execute arbitrary
code on the vulnerable system with SYSTEM privileges. This vulnerability has been fixed. Apply the patch for this
vulnerability (Security Patch 4 - Build 1185), available from the Trend Micro Web site. This signature specifically
detects an attacker sending a malicious pattern along with the UUID.

Signature ID: 34752
Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit
Threat Level: Severe
Industry ID: CVE-2007-4218 Bugtraq: 25395
Signature Description: ServerProtect Agent service 5.58 Build 1176 is vulnerable to a stack-based buffer overflow. This
vulnerability is due to improper bounds checking by the SetSvcImpersonateUser function. By sending a malicious RPC
request to the SpntSvc.exe service on TCP port 5168, a remote attacker could overflow a buffer and execute arbitrary
code on the vulnerable system with SYSTEM privileges. This vulnerability has been fixed. Apply the patch for this
vulnerability (Security Patch 4 - Build 1185), available from the Trend Micro Web site. This signature detects an
attempt to exploit the ServerProtect Agent service vulnerability.

Signature ID: 34753
Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit
Threat Level: Severe
Industry ID: CVE-2007-4218 Bugtraq: 25395
Signature Description: The RPC call _SetSvcImpersonateUser, used by the Spntsvc.exe executable of the Trend Micro
ServerProtect application, is vulnerable to a buffer overflow. The call accepts user-supplied input without proper
boundary checks. This rule hits when the track state "DCE_bind_TrendMicro_ServerProtect" is in the active state
and the specified pattern is found.

Signature ID: 34754
Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit
Threat Level: Severe
Industry ID: CVE-2007-4218 Bugtraq: 25395
Signature Description: ServerProtect Agent service 5.58 Build 1176 is vulnerable to a stack-based buffer overflow. This
vulnerability is due to improper bounds checking by the SetSvcImpersonateUser function. By sending a malicious RPC
request to the SpntSvc.exe service on TCP port 5168, a remote attacker could overflow a buffer and execute arbitrary
code on the vulnerable system with SYSTEM privileges. This vulnerability has been fixed. Apply the patch for this
vulnerability (Security Patch 4 - Build 1185), available from the Trend Micro Web site. This signature specifically
detects an attacker sending the malicious pattern in little-endian form.

Signature ID: 34755
Trend Micro ServerProtect Spntsvc.exe DCE/RPC multiple buffer overflow Exploit
Threat Level: Severe
Industry ID: CVE-2007-4218 Bugtraq: 25395
Signature Description: The RPC call _SetSvcImpersonateUser, used by the Spntsvc.exe executable of the Trend Micro
ServerProtect application, is vulnerable to a buffer overflow. The call accepts user-supplied input without proper
boundary checks. This rule hits when the track state "DCE_bind_TrendMicro_ServerProtect" is in the active state
and the specified attack pattern sequence is found in an RPC packet sent to destination port 5168.

Signature ID: 34756
ActiveX detection in HTTP response
Threat Level: Information
Signature Description: ActiveX is a component object model developed by Microsoft for Windows platforms. By