TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 35008
LEADTOOLS Multimedia 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite
Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-1605 Bugtraq: 28442
Signature Description: LEAD Technologies is a supplier of imaging development SDKs. The LEADTOOLS family
of toolkits is designed to help programmers integrate color, grayscale, document, medical, multimedia, Internet and
vector imaging into their applications quickly. It has been chosen by Microsoft, Hewlett Packard, Intel, Boeing, Xerox,
Kodak and Ford Motor Company. The LEADTOOLS Multimedia Toolkit 15 ActiveX controls (the ltmmCaptureCtrl,
ltmmConvertCtrl and ltmmPlayCtrl classes in ltmm15.dll) could allow a remote attacker to overwrite arbitrary files
on the system. By persuading a victim to visit a malicious Web site, a remote or local attacker could exploit this
vulnerability using the SaveSettingsToFile() method to overwrite and corrupt arbitrary files on the system. No remedy
was available as of March 2008. As a workaround, users can set the kill bit for CLSID
00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F. This signature detects traffic using the vulnerable CLSID within
client-side script code.
Signature ID: 35009
LEADTOOLS Multimedia 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite
Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-1605 Bugtraq: 28442
Signature Description: LEAD Technologies is a supplier of imaging development SDKs. The LEADTOOLS family
of toolkits is designed to help programmers integrate color, grayscale, document, medical, multimedia, Internet and
vector imaging into their applications quickly. It has been chosen by Microsoft, Hewlett Packard, Intel, Boeing, Xerox,
Kodak and Ford Motor Company. The LEADTOOLS Multimedia Toolkit 15 ActiveX controls (the ltmmCaptureCtrl,
ltmmConvertCtrl and ltmmPlayCtrl classes in ltmm15.dll) could allow a remote attacker to overwrite arbitrary files
on the system. By persuading a victim to visit a malicious Web site, a remote or local attacker could exploit this
vulnerability using the SaveSettingsToFile() method to overwrite and corrupt arbitrary files on the system. No remedy
was available as of March 2008. As a workaround, users can set the kill bit for CLSID
00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F. This signature detects traffic using the vulnerable PROGID within
client-side script code.
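As an added example (not from the guide and not LEAD Technologies' code), the following Python check mirrors what signatures 35008 and 35009 look for: it scans client-side markup for the vulnerable CLSID, for script instantiation of the three named control classes, and for calls to SaveSettingsToFile(), and it returns the registry entry that applies the kill bit the text recommends. The ProgID prefix in the sample page, the sample page itself, and the kill-bit registry location (the standard Internet Explorer ActiveX Compatibility key) are assumptions, not taken from the guide.

```python
import re
from typing import Dict, List, Tuple

# CLSID of the vulnerable LEADTOOLS ltmm15.dll controls, as given in the signature text.
LTMM15_CLSID = "00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"

# The CLSID inside an <object classid="clsid:..."> attribute or in inline script,
# with or without braces, case-insensitively.
_CLSID_RE = re.compile(r"\{?" + re.escape(LTMM15_CLSID) + r"\}?", re.IGNORECASE)
# Script-side instantiation of one of the three control classes named in the guide.
# The exact ProgID strings are not on the page, so only the class names are matched (assumption).
_PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*['\"][^'\"]*ltmm(Capture|Convert|Play)Ctrl[^'\"]*['\"]", re.IGNORECASE)
# The method the guide names as the file-overwrite vector.
_METHOD_RE = re.compile(r"\.SaveSettingsToFile\s*\(", re.IGNORECASE)


def find_ltmm15_references(html: str) -> List[Dict[str, object]]:
    """Return one hit per line that references the vulnerable control or its overwrite method."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(html.splitlines(), 1):
        if _CLSID_RE.search(line):
            hits.append({"line": lineno, "kind": "clsid"})
        elif _PROGID_RE.search(line):
            hits.append({"line": lineno, "kind": "progid"})
        elif _METHOD_RE.search(line):
            hits.append({"line": lineno, "kind": "method"})
    return hits


def kill_bit_registry_entry(clsid: str = LTMM15_CLSID) -> Tuple[str, str, int]:
    """Key, value name and DWORD that set the IE kill bit for a CLSID (standard IE mechanism, assumed)."""
    key = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{" + clsid.upper() + "}"
    return key, "Compatibility Flags", 0x400


# Constructed sample page; "PLACEHOLDER" stands in for the ProgID prefix the guide does not give.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{00150b1a-b1ba-11ce-abc6-f5b2e79d9e3f}" id="ctl"></object>
<script>
  var o = new ActiveXObject("PLACEHOLDER.ltmmPlayCtrl");
  o.SaveSettingsToFile(target);
</script></body></html>"""

if __name__ == "__main__":
    for hit in find_ltmm15_references(SAMPLE_HTML):
        print(hit)
    print(kill_bit_registry_entry())
```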
Signature ID: 35024
Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1983 Bugtraq: 14513
Signature Description: The Plug and Play service is a Windows DCE-RPC service that handles device
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug
and Play is prone to a buffer overflow vulnerability. The vulnerability exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). By constructing a malicious
DCE RPC packet for one of these methods and sending it over port 139 or 445 to an affected system, an attacker can
overflow the buffer and execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an
anonymous attacker could remotely exploit this vulnerability. On Windows XP Service Pack 1, only an authenticated
user could remotely exploit it. On Windows XP Service Pack 2 and Windows Server 2003, only an administrator can
remotely access the affected component. Administrators are advised to patch the system as specified in the MS05-039
bulletin. Exploit attempts against this vulnerability are detected using a combination of two signatures. This is the
second signature and generates a log message. This signature checks for a little-endian 'PNP_QueryResConfList' PnP
operation request on port 139.