TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: Symantec offers a suite of corporate and consumer security products, including a firewall
application that includes the SYMDNS.SYS driver, which is responsible for validating DNS and NBNS (NetBIOS Name
Service) responses. Symantec Norton Internet Security and Personal Firewall devices are vulnerable to a denial of service
attack caused by improper validation of Domain Name System (DNS) response packets. This signature detects
when an attacker sends specially-crafted DNS response packets from UDP port 500. Successful exploitation
may allow an attacker to crash the system or cause a denial of service.
Signature ID: 35448
Microsoft Internet Explorer Malformed IFRAME Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1050
Bugtraq: 11515
Signature Description: Microsoft Internet Explorer is a series of graphical web browsers developed by Microsoft.
Microsoft Internet Explorer 6 is vulnerable to a buffer overflow. This signature detects when an attacker creates a
specially-crafted web page that contains an IFRAME tag with long values supplied to the SRC and NAME properties.
Successful exploitation may allow an attacker to crash the victim's Web browser or execute arbitrary code on the
victim's system. Apply the appropriate patch, which is available at the vendor's web site.
Signature ID: 35449
Microsoft Windows Shell Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0420
Bugtraq: 9510
Signature Description: The Windows Shell application programming interface (API) supports the ability to associate a
class identifier (CLSID) with a file type. A CLSID used as an extension in place of a file extension is enough for
Windows Shell to launch the application, just as when a file extension is used. For files that Internet Explorer is not
able to handle, a dialog box asks the user to save them to the local disk or open them using a known application with
the help of the file extension association. A vulnerability exists in Internet Explorer 6 because it is unable to save the
file it cannot handle with the file's real extension. This rule will trigger when an attacker embeds a class ID (CLSID) in
the file name of a malicious file to cause Internet Explorer to open the file with a different application than what the
file type specifies. Apply the appropriate patch, MS04-024, which is available from the vendor's web site, or set the kill
bit for the CLSID corresponding to the ProgID value 'Scripting.FileSystemObject'.
Signature ID: 35450
Microsoft Windows LoadImage API Function Integer Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1049
Bugtraq: 12095
Signature Description: The LoadImage API function loads an icon, a cursor or a bitmap and then tries to
process the image from a file on Microsoft Windows platforms. The LoadImage API is included as part of the USER32
library. Microsoft Windows is vulnerable to an integer overflow in the LoadImage API of the USER32.lib library.
This signature detects when an attacker has created a specially-crafted BMP, CUR, ICO, or ANI file, once the file is
opened. An attacker could exploit this vulnerability by sending the malicious file to a victim as an email attachment or
HTML web page. Successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on
the system.
Signature ID: 35451
HP WEB JETADMIN
Threat Level: Warning
Industry ID: CVE-2004-1856
Bugtraq: 9971
Signature Description: HP JetAdmin software manages HP JetDirect-connected printers using a Web browser. HP
JetAdmin, version 7.5.2546, could allow a remote attacker to upload malicious files to the system. This rule will trigger
when an 'authenticated' user who was not the admin account on the Jet Admin service could use this