ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 35025
Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1983 Bugtraq: 14513
Signature Description: The Plug and Play service is a Windows DCE-RPC service that handles device
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug and
Play is prone to a buffer overflow vulnerability. The vulnerability exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). A malicious DCE RPC packet for
one of these methods, sent to an affected system over port 139 or 445, can overflow the buffer and allow the sender to
execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an anonymous attacker could
remotely try to exploit this vulnerability. On Windows XP Service Pack 1, only an authenticated user could remotely try
to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, only an administrator can
remotely access the affected component. Administrators are advised to patch the system as specified in Microsoft
Security Bulletin MS05-039. Exploit attempts against this vulnerability are detected using a combination of nine
signatures. This is the third signature, and it generates a log message. This signature checks for a big-endian
PNP_QueryResConfList PnP operation request on port 139.
Signature ID: 35026
Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1983 Bugtraq: 14513
Signature Description: The Plug and Play service is a Windows DCE-RPC service that handles device
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug and
Play is prone to a buffer overflow vulnerability. The vulnerability exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). A malicious DCE RPC packet for
one of these methods, sent to an affected system over port 139 or 445, can overflow the buffer and allow the sender to
execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an anonymous attacker could
remotely try to exploit this vulnerability. On Windows XP Service Pack 1, only an authenticated user could remotely try
to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, only an administrator can
remotely access the affected component. Administrators are advised to patch the system as specified in Microsoft
Security Bulletin MS05-039. Exploit attempts against this vulnerability are detected using a combination of nine
signatures. This is the fourth signature, and it generates a log message. This signature checks for a little-endian
PNP_QueryResConfList PnP operation request on port 445.
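Illustrative detection logic for signatures 35025 and 35026 above, added here as an example and not part of the guide or the TMS zl product: it parses the connection-oriented DCE/RPC request header, reads the byte-order flag from the data representation field, decodes the opnum in that byte order, and maps destination port, byte order and opnum to the signature IDs listed. It assumes the PDU has already been extracted from the SMB transport on port 139 or 445 and does not check which interface the connection was bound to, which a production signature must also do; the sample PDUs are constructed, not captured traffic.

```python
import struct

DCERPC_REQUEST = 0      # PTYPE value of a request PDU
REQUEST_HDR_LEN = 24    # fixed part of the request header; opnum sits at offset 22

# The two PnP opnums named in the description above.
PNP_OPNUMS = {0x36: "PNP_QueryResConfList", 0x35: "PNP_DetectResourceConflict"}

# (destination port, little-endian?, opnum) -> signature ID from this page
SIGNATURES = {
    (139, False, 0x36): 35025,  # big-endian PNP_QueryResConfList on port 139
    (445, True, 0x36): 35026,   # little-endian PNP_QueryResConfList on port 445
}


def parse_request(pdu: bytes):
    """Return (little_endian, opnum) for a DCE/RPC v5 request PDU, else None."""
    if len(pdu) < REQUEST_HDR_LEN:
        return None
    version, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    if version != 5 or ptype != DCERPC_REQUEST:
        return None
    # packed_drep byte 0, high nibble: 0 = big-endian integers, 1 = little-endian.
    little = bool(drep0 & 0x10)
    (opnum,) = struct.unpack_from("<H" if little else ">H", pdu, 22)
    return little, opnum


def match_signature(dst_port: int, pdu: bytes):
    """Return the signature ID that fires for this port/PDU pair, or None."""
    parsed = parse_request(pdu)
    if parsed is None:
        return None
    little, opnum = parsed
    return SIGNATURES.get((dst_port, little, opnum))


def build_request(little: bool, opnum: int, stub: bytes = b"") -> bytes:
    """Constructed sample request PDU for testing the parser (not real traffic)."""
    fmt = "<" if little else ">"
    drep = bytes([0x10 if little else 0x00, 0, 0, 0])
    fixed = bytes([5, 0, DCERPC_REQUEST, 0x03]) + drep  # vers, minor, PTYPE, flags
    # frag_length, auth_length, call_id, alloc_hint, p_cont_id, opnum
    rest = struct.pack(fmt + "HHIIHH", REQUEST_HDR_LEN + len(stub), 0, 1, len(stub), 0, opnum)
    return fixed + rest + stub


if __name__ == "__main__":
    for port, little in ((139, False), (445, True), (445, False)):
        print(port, "LE" if little else "BE", match_signature(port, build_request(little, 0x36)))
```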
Signature ID: 35027
Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1983 Bugtraq: 14513
Signature Description: The Plug and Play service is a Windows DCE-RPC service that handles device
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug and
Play is prone to a buffer overflow vulnerability. The vulnerability exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). A malicious DCE RPC packet for
one of these methods, sent to an affected system over port 139 or 445, can overflow the buffer and allow the sender to
execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an anonymous attacker could
remotely try to exploit