TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
remote users with two different authentication schemes. Type1 is without username and password; Type2 is with
username and password. In a typical scenario, after the TCP connection is established, the server sends its protocol
version to the client. The client replies with its protocol, after which the server sends the allowed schemes as an array
of bytes. If the server is running Type1, it sends \x01\x01 as data to the client and the client replies with \x01. If the
server is running the Type2 scheme, it sends \x01\x02 to the client, and in this case the client should send \x02 to the
server. An attacker can force the client to send \x01; if \x01 is set, the server allows the client in without a password.
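The negotiation described above fails when the server accepts a reply naming a scheme it never offered. The following added example (not taken from the guide or from any vendor code) models the offer and reply bytes and contrasts a server that trusts the reply with one that checks it; the function names and the count-then-ids layout of the offer are assumptions.

```python
# Added example: server-side check of the client's scheme selection.
# Assumption: the server's offer is a count byte followed by scheme ids,
# which matches the \x01\x01 and \x01\x02 byte strings in the description.
TYPE1_NO_PASSWORD = 0x01
TYPE2_PASSWORD = 0x02


def offer_message(schemes):
    """Build the server's 'allowed schemes' message: count, then ids."""
    return bytes([len(schemes)]) + bytes(schemes)


def parse_offer(message):
    """Return the scheme ids carried in a server offer."""
    if not message or len(message) != 1 + message[0]:
        raise ValueError("malformed scheme offer")
    return list(message[1:])


def select_flawed(offered, client_reply):
    """Flawed logic: trusts whatever byte the client sends back."""
    return client_reply[0]


def select_checked(offered, client_reply):
    """Accept the reply only if it is one byte naming an offered scheme."""
    if len(client_reply) != 1:
        raise ValueError("scheme reply must be exactly one byte")
    choice = client_reply[0]
    if choice not in offered:
        raise PermissionError(f"scheme {choice:#04x} was not offered")
    return choice


def needs_password(scheme):
    """Only Type1 lets the client in without credentials."""
    return scheme != TYPE1_NO_PASSWORD


if __name__ == "__main__":
    offered = parse_offer(offer_message([TYPE2_PASSWORD]))  # b"\x01\x02"
    for reply in (b"\x02", b"\x01"):  # constructed client replies
        flawed = needs_password(select_flawed(offered, reply))
        print(reply, "flawed server asks for password:", flawed)
        try:
            checked = needs_password(select_checked(offered, reply))
            print(reply, "checked server asks for password:", checked)
        except PermissionError as exc:
            print(reply, "checked server rejects:", exc)
```

The checked variant closes the gap by comparing the reply against the list the server itself sent, so a Type2-only server never falls back to Type1.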
Signature ID: 35102
Microsoft Exchange vCal/iCal Messages Remote Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-0027
Bugtraq: 17908
Signature Description: This rule hits when users are exchanging iCalendar data via HTTP mail. The EXCDO and CDOEX
functionality provided with Exchange Server does not properly process certain iCAL and vCAL properties provided in
email messages. Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects
(EXCDO) are interfaces that allow certain types of information to be processed in the Exchange store. Virtual
Calendar (vCAL) is a MIME content type used by Microsoft Exchange Server and email clients when sending and
exchanging information related to calendars and scheduling. Internet Calendar (iCAL) is a MIME content type used by
Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and
scheduling. Remote attackers can attempt to execute code or cause a denial of service (DoS) using iCal or vCal
properties of Microsoft Exchange Server. Users are advised to make sure that an iCalendar received via HTTP email
came from the original user and was not modified before opening it. A successful attacker can gain full control of the
affected system.
Signature ID: 35103
HTML Breaking or whitespace attack attempt
Threat Level: Severe
Industry ID: CVE-2008-2165
Bugtraq: 29025, 29191
Signature Description: A whitespace attack is a signature evasion technique that relies on HTML browsers and servers
ignoring whitespace in the HTML document. HTML breaking injection is used to break the original HTML document so
that the remaining content is not displayed in the client's browser. This rule hits when a whitespace attack attempt or
an HTML breaking attack is found.
Signature ID: 35104
Attribute value breaking or whitespace attack
Threat Level: Severe
Signature Description: A whitespace attack is a signature evasion technique. By putting whitespace in the attribute
value, attackers can evade cross-site injection signatures, because browsers and web servers ignore whitespace in the
attribute value. With this technique an attacker can bypass IPS/IDS signatures and gain admin access on the target
system. This rule hits when an attempt is made to evade cross-site injection signatures by putting whitespace inside the
attribute value.
Signature ID: 35105
Attribute value breaking attempt
Threat Level: Severe
Signature Description: Attackers can inject HTML code by passing symbols such as a slash followed by a greater-than
sign (/ >) via attributes, causing HTML attribute value breaking. On success, an attacker can execute their own script
(cross-site scripting) on the vulnerable system.