TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
function to overwrite previously freed memory, as demonstrated using a SPNEGO token with a constructed bit string
during HTTP authentication. Microsoft Windows NT, Windows 2000, Windows XP, and Windows Server 2003 are
vulnerable to heap corruption in Microsoft's implementation of the Abstract Syntax Notation 1 (ASN.1) Library. Apply
the appropriate patch, available in Microsoft Security Bulletin MS04-007, to resolve the issue.
Signature ID: 35040
SMB Access from External Network
Threat Level: Warning
Industry ID: CVE-2005-1206 Bugtraq: 13942
Signature Description: Server Message Block is a protocol which allows sharing of files, printers, serial ports, and
other abstractions. The SMB protocol is supported on many platforms and architectures, including many Microsoft
products. The Microsoft Server Message Block implementation contains a flaw in incoming SMB packet validation
that may result in a buffer receiving inappropriate data. An attacker may send a specially-crafted packet to the
vulnerable host and be able to execute arbitrary code on the host after exploiting the incoming packet processing
flaw. The attacker-supplied code would be run in the context of Local System, resulting in a complete compromise of
the system. This signature detects traffic using TCP port 445.
Signature ID: 35043
Microsoft Windows Printer Spooler Service Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-6296 Bugtraq: 21401
Signature Description: The Microsoft Print Spooler service manages printing operations on a system. The Print Spooler
service fails to properly handle malformed RPC requests. This vulnerability can be triggered by sending a specially
crafted RPC request to a vulnerable system. A buffer overflow vulnerability exists in 'Spoolsv.exe'. A remote user can
send a specially crafted packet to the target service to trigger the buffer overflow and execute arbitrary code on the
target system. Windows 2000 SP4 and XP SP2 and prior service packs, and 2003 are affected versions. This rule hits when
the "Print Spooler" track state is active and the attack pattern is found.
Signature ID: 35044
Microsoft Windows Printer Spooler Service Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-6296 Bugtraq: 21401
Signature Description: The Microsoft Print Spooler service manages printing operations on a system. The Print Spooler
service fails to properly handle malformed RPC requests. This vulnerability can be triggered by sending a specially
crafted RPC request to a vulnerable system. A buffer overflow vulnerability exists in 'Spoolsv.exe'. A remote user can
send a specially crafted packet to the target service to trigger the buffer overflow and execute arbitrary code on the
target system. Windows 2000 SP4 and XP SP2 and prior service packs, and 2003 are affected versions. This rule hits when
the "Printer Spooler1" track state is active and the attack pattern is found.
Signature ID: 35046
Microsoft Message Queueing Service DNS Name Path Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2007-3039 CVE-2008-3479 Bugtraq: 26797
Signature Description: The specific flaw exists in the RPC interface defined on port 2103 with UUID
fdb3a030-065f-11d1-bb9b-00a024ea5525. During the processing of opnum 0x06 and 0x12 the service copies user-supplied
information into a fixed-length stack buffer. Sending at least 300 bytes will trigger a stack-based buffer overflow due to
a vulnerable wcscat() call. Exploitation of this issue can result in arbitrary code execution. The Message Queuing
service (msmq) runs RPC services, listening on the ncacn_ip_tcp transport. By default, the msmq service opens 4 TCP
ports, including one or several of 2101/tcp, 2103/tcp, 2105/tcp and 2107/tcp. Microsoft Windows 2000 Server SP4,
Windows 2000 Professional SP4, and Windows XP SP2 are vulnerable. Exploit attempts of this vulnerability are