ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug and
Play is prone to a buffer overflow vulnerability. The vulnerability specifically exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). By constructing a malicious DCE RPC
request for one of these methods and sending it over port 139 or 445 to an affected system, an attacker can overflow
the buffer and execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an anonymous
attacker could remotely try to exploit this vulnerability. On Windows XP Service Pack 1, only an authenticated user
could remotely try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, only an
administrator can remotely access the affected component. Administrators are advised to patch the system as specified
in the MS05-039 bulletin. Exploit attempts of this vulnerability are detected using a combination of nine signatures.
This is the eighth signature and generates a log message. This signature checks for a little endian
'PNP_DetectResourceConflict' PnP operation request on port 445.
Signature ID: 35031
Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1983
Bugtraq: 14513
Signature Description: The Plug and Play service is a Windows DCE-RPC service that is designed to handle device
installation, configuration, and notification of new devices. For example, when a new mouse is installed on the system,
PnP allows Windows to detect it, load the needed drivers, and begin using the new mouse. Microsoft Windows Plug and
Play is prone to a buffer overflow vulnerability. The vulnerability specifically exists in the two undocumented methods
PNP_QueryResConfList (opnum 0x36) and PNP_DetectResourceConflict (opnum 0x35). By constructing a malicious DCE RPC
request for one of these methods and sending it over port 139 or 445 to an affected system, an attacker can overflow
the buffer and execute arbitrary code or obtain elevated privileges on the system. On Windows 2000, an anonymous
attacker could remotely try to exploit this vulnerability. On Windows XP Service Pack 1, only an authenticated user
could remotely try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, only an
administrator can remotely access the affected component. Administrators are advised to patch the system as specified
in the MS05-039 bulletin. Exploit attempts of this vulnerability are detected using a combination of nine signatures.
This is the ninth signature and generates a log message. This signature checks for a big endian
'PNP_DetectResourceConflict' PnP operation request on port 445.
Signature ID: 35033
Microsoft Windows Print Spooler Service Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1984
Bugtraq: 14514
Signature Description: The Print Spooler service (spoolsv.exe) in Microsoft Windows manages the printing process,
which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling
high-level function calls into a print job, and scheduling print jobs. A remotely exploitable buffer overflow
vulnerability exists in the Spooler service. By constructing a malicious DCE RPC request for the RpcAddPrinterEx method
(opnum 0x46) and sending it over port 139 to an affected system, an attacker can overflow the buffer and execute
arbitrary code or obtain elevated privileges on the system. On Windows XP SP1 and Windows 2000, the attacker does not
require any authentication and can exploit the vulnerability remotely. However, on Windows XP SP2 and Windows Server
2003, authentication is required before an attacker can send the request. Administrators are advised to update the
operating system by installing the patches mentioned in the MS05-043 bulletin.
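The PnP and Print Spooler descriptions above come down to one piece of detection logic: decode the DCE/RPC request header, take the integer byte order from the data-representation field (which is why the guide needs separate little endian and big endian signatures for PNP_DetectResourceConflict), and compare the opnum against 0x35/0x36 on the PnP interface or 0x46 on the Spooler interface. The following is an added example written for this page; it is not code from ProCurve or the TMS zl module. The interface UUIDs, the NDR transfer-syntax UUID and the PDU layouts are assumptions taken from the DCE/RPC and MS-RPC specifications (the guide only names the opnums), and the bind and request PDUs it inspects are constructed inline, not captured exploit traffic.

```python
"""Opnum/byte-order classification of DCE/RPC requests, as the signatures above describe.
Added example, not part of the ProCurve guide. Interface UUIDs and PDU layouts are
assumptions from the DCE/RPC and MS-RPC specs; sample PDUs below are constructed."""
import struct
import uuid

PTYPE_REQUEST = 0
PTYPE_BIND = 11

# Assumed well-known interface UUIDs (not stated on the page).
PNP_IFACE = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")      # PnP (umpnpmgr)
SPOOLSS_IFACE = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")  # Print Spooler
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax

# (interface, opnum) -> method named in the signature descriptions above.
RULES = {
    (PNP_IFACE, 0x36): "PNP_QueryResConfList (CVE-2005-1983, MS05-039)",
    (PNP_IFACE, 0x35): "PNP_DetectResourceConflict (CVE-2005-1983, MS05-039)",
    (SPOOLSS_IFACE, 0x46): "RpcAddPrinterEx (CVE-2005-1984, MS05-043)",
}

def byte_order(drep0):
    """Bit 4 of the first data-representation byte: set = little endian, clear = big endian."""
    return "<" if drep0 & 0x10 else ">"

def parse_header(pdu):
    """Return (ptype, struct endian prefix, frag_len) from the 16-byte common header."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    rpc_vers, _minor, ptype, _flags = pdu[0:4]
    if rpc_vers != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    e = byte_order(pdu[4])
    frag_len = struct.unpack(e + "H", pdu[8:10])[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    return ptype, e, frag_len

def parse_bind(pdu):
    """Map presentation context id -> abstract syntax (interface) UUID from a bind PDU."""
    ptype, e, _ = parse_header(pdu)
    if ptype != PTYPE_BIND:
        raise ValueError("not a bind PDU")
    n_ctx = pdu[24]              # header(16) + max_xmit(2) + max_recv(2) + assoc_group(4)
    off, ctx = 28, {}
    for _ in range(n_ctx):
        ctx_id = struct.unpack(e + "H", pdu[off:off + 2])[0]
        n_ts = pdu[off + 2]
        raw = pdu[off + 4:off + 20]   # UUID fields are encoded in the PDU's byte order
        ctx[ctx_id] = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        off += 24 + 20 * n_ts         # id/count(4) + abstract syntax(20) + transfer syntaxes(20 each)
    return ctx

def parse_request(pdu):
    """Return (endian prefix, context id, opnum) from a request PDU."""
    ptype, e, _ = parse_header(pdu)
    if ptype != PTYPE_REQUEST or len(pdu) < 24:
        raise ValueError("not a complete request PDU")
    ctx_id, opnum = struct.unpack(e + "HH", pdu[20:24])  # follows alloc_hint at 16..19
    return e, ctx_id, opnum

def naive_opnum(pdu):
    """Byte-order-blind read (always little endian): shows why separate LE/BE signatures exist."""
    return struct.unpack("<H", pdu[22:24])[0]

def classify(bind_pdu, request_pdu):
    """Return a log-style match string for a request on a bound context, or None."""
    ctx = parse_bind(bind_pdu)
    e, ctx_id, opnum = parse_request(request_pdu)
    name = RULES.get((ctx.get(ctx_id), opnum))
    if name is None:
        return None
    return f"{'little' if e == '<' else 'big'} endian {name} opnum 0x{opnum:02x}"

# --- constructed sample traffic (not real captures) ---------------------------
def _uuid_bytes(u, e):
    return u.bytes_le if e == "<" else u.bytes

def build_pdu(ptype, e, body):
    drep = b"\x10\x00\x00\x00" if e == "<" else b"\x00\x00\x00\x00"
    # version 5.0, ptype, flags FIRST|LAST, drep, frag_len, auth_len, call_id
    return bytes([5, 0, ptype, 0x03]) + drep + struct.pack(e + "HHI", 16 + len(body), 0, 1) + body

def build_bind(iface, e="<", ctx_id=0):
    body = struct.pack(e + "HHI", 4280, 4280, 0) + bytes([1, 0, 0, 0])  # one context element
    body += struct.pack(e + "HBB", ctx_id, 1, 0)                          # one transfer syntax
    body += _uuid_bytes(iface, e) + struct.pack(e + "HH", 1, 0)           # interface v1.0
    body += _uuid_bytes(NDR_SYNTAX, e) + struct.pack(e + "HH", 2, 0)      # NDR v2.0
    return build_pdu(PTYPE_BIND, e, body)

def build_request(opnum, e="<", ctx_id=0, stub=b"A" * 32):
    return build_pdu(PTYPE_REQUEST, e, struct.pack(e + "IHH", len(stub), ctx_id, opnum) + stub)

if __name__ == "__main__":
    for e in ("<", ">"):
        print(classify(build_bind(PNP_IFACE, e), build_request(0x35, e)))
    print(classify(build_bind(SPOOLSS_IFACE), build_request(0x46)))
    print(hex(naive_opnum(build_request(0x35, ">"))))  # 0x3500: misread without drep
```

The two PnP signatures differ only in the byte-order branch of `classify`; `naive_opnum` shows the misread (0x3500 for a big endian request) a byte-order-blind check would make, and the context-id lookup is what keeps opnum 0x35 on the Spooler interface from firing. A production signature would additionally track the bind over the SMB named pipe on port 139/445 and reassemble multi-fragment PDUs before reading the opnum, which this single-PDU example does not do.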