Update #3035 (02/08/2018)
2 new signatures:
Severity | Signature ID | Signature Name |
HIGH | HTTP:PROXY:SQUID-ESI-RESP-DOS | HTTP: Squid Proxy ESI Response Denial of Service |
HIGH | HTTP:MISC:EMC-AUTH-BYPASS | HTTP: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass |
27 updated signatures:
Severity | Signature ID | Signature Name |
INFO | HTTP:INFO-LEAK:HTTP-SHARE-ENUM | HTTP: SMB Share Enumeration |
MEDIUM | HTTP:IIS:WEBDAV:XML-HANDLER-DOS | HTTP: Microsoft WebDAV XML Message Handler Denial of Service |
LOW | HTTP:PHP:SILENT-STORM-ADMIN | HTTP: Silent Storm Portal Privilege Escalation |
CRITICAL | SMB:OF:TAPI-SVC-OF | SMB: Microsoft TAPI Service Overflow |
MEDIUM | HTTP:PHP:COOLPHP-DIRTRAV | HTTP: CoolPHP "op" Parameter Directory Traversal |
HIGH | HTTP:PHP:BLACKBOARD-INC | HTTP: BlackBoard Remote PHP Code Inclusion |
HIGH | HTTP:PHP:ALEXPHP-INCLUDE | HTTP: AlexPHP Remote File Inclusion |
HIGH | MS-RPC:OF:LOC-SVC-1 | MS-RPC: DCE-RPC Windows RPC Locator Service Overflow (1) |
HIGH | HTTP:STC:ADOBE:PDF-UUEXEC | HTTP: Adobe Acrobat Reader uudecode() File Execution |
MEDIUM | HTTP:3COM:LOG-CLEAN | HTTP: 3Com 3crwe754g72-a Unauthorized Log Clearance |
HIGH | HTTP:STC:MPG123-STEREO-OF | HTTP: mpg123 Remote Stereo Boundary Buffer Overflow |
INFO | P2P:BITTORRENT:TRACKER-SCRAPE | P2P: BitTorrent Tracker Scrape |
HIGH | HTTP:IIS:MFC-EXT-OF | HTTP: IIS MFC ISAPI Framework Overflow (via ext.dll) |
HIGH | HTTP:PHP:PHPBB:HIGHLIGHT-EXEC | HTTP: phpBB Search Highlighting Arbitrary Command Execution |
MEDIUM | HTTP:HOTMAIL:EXE-DOWNLOAD | HTTP: MSN Hotmail Executable File Extension Download |
MEDIUM | HTTP:PHP:PHPROJEKT-INC | HTTP: PHProjekt "path_pre" Parameter Remote File Include |
MEDIUM | HTTP:XSS:SHAREPOINT-XSS | HTTP: Microsoft Windows Sharepoint Services Cross-Site-Scripting |
MEDIUM | HTTP:CGI:IKONBOARD-BADCOOKIE | HTTP: Ikonboard Illegal Cookie Language |
CRITICAL | MS-RPC:LSASS:MAL-OPCODE | MS-RPC: LSASS Malicious OpCode |
HIGH | HTTP:STC:IE:CVE-2017-11810-MC | HTTP: Microsoft Internet Explorer CVE-2017-11810 Memory Corruption |
HIGH | SMB:NETDDE-SHARE-OF | SMB: NetDDE Long Share Name Buffer Overflow |
LOW | HTTP:PHP:PHPBB:PM-SQL-USER | HTTP: phpBB Private Message Parameter SQL Injection |
HIGH | WORM:BERBEW:KEYLOGGER-UPLOAD | WORM: Berbew Keylogger Upload |
HIGH | HTTP:STC:CLSID:ACTIVEX:VML-AX | HTTP: VMLRender ActiveX |
HIGH | WORM:MIMAIL:MIMAIL.A | WORM: Mimail.A Attachment |
HIGH | MS-RPC:OF:MSG-QUEUE-1 | MS-RPC: Microsoft Message Queue Manager Heap Overflow (1) |
HIGH | HTTP:STC:DL:AVISOFT-DTV-PLF-BO | HTTP: Aviosoft Digital TV Player PLF File Buffer Overflow |
Details of the signatures included within this bulletin:
SMB:NETDDE-SHARE-OF - SMB: NetDDE Long Share Name Buffer Overflow
Severity: HIGH
Description:
This signature detects attempts to exploit a known buffer overflow in the handling of share names in Windows Network Dynamic Data Exchange (NetDDE) connections. All Microsoft Windows platforms that support NetDDE are vulnerable. Attackers can send a crafted NetDDE request to overflow a buffer in the Windows DDE service and execute arbitrary code.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_nt 4.0 SP6a
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_xp_home
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_2000_datacenter_server SP1
- Avaya s3400_message_application_server
- Avaya s8100_media_servers
- Avaya definityone_media_servers
- Avaya ip600_media_servers
- Microsoft windows_nt 4.0 SP6
- Microsoft windows_2000_professional SP4
- Microsoft windows_nt_server 4.0
- Microsoft windows_nt_enterprise_server 4.0
- Microsoft windows_2000_professional
- Microsoft windows_2000_server
- Microsoft windows_2000_professional SP1
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_nt 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP1
- Microsoft windows_2000_advanced_server SP4
- Avaya modular_messaging_(mss) 1.1.0
- Avaya modular_messaging_(mss) 2.0.0
- Microsoft windows_2000_server SP4
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_nt 4.0 SP1
- Microsoft windows_nt 4.0 SP5
- Microsoft windows_nt 4.0 SP3
- Microsoft windows_nt 4.0 SP4
- Microsoft windows_xp_64-bit_edition_version_2003
- Microsoft windows_xp_media_center_edition
- Microsoft windows_nt_server 4.0 SP1
- Microsoft windows_2000_server SP2
- Microsoft windows_2000_server SP1
- Microsoft windows_nt_enterprise_server 4.0 SP2
- Microsoft windows_server_2003_standard_edition
- Microsoft windows_2000_advanced_server
- Microsoft windows_nt_terminal_server 4.0 SP3
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_nt 4.0 alpha
- Microsoft windows_nt_enterprise_server 4.0 SP1
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_nt_enterprise_server 4.0 SP4
- Microsoft windows_nt 4.0 SP6 alpha
- Microsoft windows_nt_enterprise_server 4.0 SP5
- Microsoft windows_nt_enterprise_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP6a
- Microsoft windows_nt_terminal_server 4.0
- Microsoft windows_nt_server 4.0 SP2
- Microsoft windows_nt_server 4.0 SP3
- Microsoft windows_nt_server 4.0 SP4
- Microsoft windows_nt_server 4.0 SP5
- Microsoft windows_nt_server 4.0 SP6
- Microsoft windows_2000_datacenter_server SP4
- Microsoft windows_nt_enterprise_server 4.0 SP6
- Microsoft windows_nt_terminal_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP4
- Microsoft windows_2000_professional SP2
- Microsoft windows_nt_terminal_server 4.0 SP6
- Microsoft windows_nt_terminal_server 4.0 SP6a
- Microsoft windows_nt 4.0
- Microsoft windows_nt_server 4.0 SP6a
- Microsoft windows_server_2003_enterprise_edition
- Microsoft windows_server_2003_datacenter_edition
- Microsoft windows_server_2003_web_edition
- Microsoft windows_server_2003_enterprise_edition_itanium
- Microsoft windows_server_2003_datacenter_edition_itanium
- Microsoft windows_nt 4.0 SP1 alpha
- Microsoft windows_nt 4.0 SP2 alpha
- Microsoft windows_nt 4.0 SP3 alpha
- Microsoft windows_nt 4.0 SP4 alpha
- Microsoft windows_nt 4.0 SP5 alpha
- Microsoft windows_xp_64-bit_edition_version_2003 SP1
- Microsoft windows_nt 4.0 SP6a alpha
- Microsoft windows_nt_terminal_server 4.0 alpha
- Microsoft windows_nt_terminal_server 4.0 SP5
- Microsoft windows_xp_media_center_edition SP1
HTTP:INFO-LEAK:HTTP-SHARE-ENUM - HTTP: SMB Share Enumeration
Severity: INFO
Description:
This signature detects attempts to enumerate SMB shares through HTTP.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_terminal_services SP3
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_2000_datacenter_server SP1
- Microsoft windows_nt_server 4.0
- Microsoft windows_nt_enterprise_server 4.0
- Microsoft windows_2000_professional
- Microsoft windows_2000_terminal_services
- Microsoft windows_2000_server SP1
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_server_japanese_edition
- Microsoft windows_2000_server SP2
- Microsoft windows_2000_server
- Microsoft windows_xp_home SP1
- Microsoft windows_2000_professional SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_nt_enterprise_server 4.0 SP1
- Microsoft windows_2000_terminal_services SP1
- Microsoft windows_2000_terminal_services SP2
- Microsoft windows_nt_enterprise_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP4
- Microsoft windows_nt_enterprise_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP5
- Microsoft windows_nt_enterprise_server 4.0 SP6
- Microsoft windows_nt_enterprise_server 4.0 SP6a
- Microsoft windows_nt_server 4.0 SP1
- Microsoft windows_nt_server 4.0 SP2
- Microsoft windows_nt_server 4.0 SP3
- Microsoft windows_nt_server 4.0 SP4
- Microsoft windows_nt_server 4.0 SP5
- Microsoft windows_nt_server 4.0 SP6
- Microsoft windows_nt_server 4.0 SP6a
- Microsoft windows_nt_terminal_server 4.0 SP1
- Microsoft windows_nt_terminal_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP4
- Microsoft windows_2000_professional SP2
- Microsoft windows_nt_terminal_server 4.0 SP6
- Microsoft windows_nt_terminal_server 4.0 SP6a
- Microsoft windows_nt_workstation 4.0 SP1
- Microsoft windows_nt_workstation 4.0 SP2
- Microsoft windows_nt_workstation 4.0 SP3
- Microsoft windows_nt_workstation 4.0 SP4
- Microsoft windows_nt_workstation 4.0 SP5
- Microsoft windows_nt_workstation 4.0 SP6
- Microsoft windows_nt_workstation 4.0 SP6a
- Microsoft windows_nt_workstation 4.0
- Microsoft windows_nt_terminal_server 4.0
- Microsoft windows_nt_terminal_server 4.0 SP5
HTTP:IIS:WEBDAV:XML-HANDLER-DOS - HTTP: Microsoft WebDAV XML Message Handler Denial of Service
Severity: MEDIUM
Description:
This signature detects denial-of-service (DoS) attempts against the WebDAV XML Message Handler in Microsoft IIS. Attackers can send a malicious HTTP request to a WebDAV-enabled IIS server to cause it to consume all system resources. A machine reboot is required to resume service.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft windows_2000_server
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_xp_64-bit_edition SP1
- Avaya definityone_media_servers R10
- Microsoft windows_2000_datacenter_server SP1
- Avaya ip600_media_servers R10
- Avaya s3400_message_application_server
- Avaya s8100_media_servers
- Avaya s8100_media_servers R11
- Avaya definityone_media_servers R11
- Avaya ip600_media_servers R11
- Microsoft windows_2000_professional
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_2000_advanced_server SP4
- Microsoft windows_2000_datacenter_server SP4
- Microsoft windows_2000_professional SP4
- Microsoft windows_2000_server SP4
- Microsoft iis 5.0
- Microsoft windows_xp_64-bit_edition_version_2003
- Microsoft windows_2000_server SP1
- Microsoft windows_server_2003_standard_edition
- Microsoft iis 5.1
- Microsoft windows_2000_professional SP1
- Microsoft windows_xp_64-bit_edition_version_2003 SP1
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_server_2003_enterprise_edition_itanium
- Microsoft windows_2000_server SP2
- Avaya modular_messaging_(mss) 1.1.0
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_professional SP2
- Avaya modular_messaging_(mss) 2.0.0
- Avaya s8100_media_servers R10
- Microsoft windows_server_2003_enterprise_edition
- Microsoft windows_server_2003_datacenter_edition
- Microsoft windows_server_2003_web_edition
- Avaya definityone_media_servers
- Microsoft windows_server_2003_datacenter_edition_itanium
- Avaya ip600_media_servers
- Microsoft iis 6.0
HTTP:PHP:SILENT-STORM-ADMIN - HTTP: Silent Storm Portal Privilege Escalation
Severity: LOW
Description:
This signature detects attempts to raise the privileges on an account for the Silent Storm PHP Portal.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Silent-storm silent-storm_portal 2.1.0
SMB:OF:TAPI-SVC-OF - SMB: Microsoft TAPI Service Overflow
Severity: CRITICAL
Description:
This signature detects attempts to exploit a known vulnerability in Microsoft's TAPI Service. A remote code execution vulnerability exists in the Telephony Application Programming Interface (TAPI) that allows an attacker who successfully exploits it to take complete control of the affected system.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft windows_nt 4.0 SP1
- Microsoft windows_nt 4.0 SP2
- Microsoft windows_nt 4.0 SP3
- Microsoft windows_nt 4.0 SP4
- Microsoft windows_nt_enterprise_server 4.0 SP1
- Microsoft windows_nt_enterprise_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP4
- Microsoft windows_nt_enterprise_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP5
- Microsoft windows_nt_enterprise_server 4.0 SP6
- Microsoft windows_nt_enterprise_server 4.0 SP6a
- Microsoft windows_nt_server 4.0 SP1
- Microsoft windows_nt_server 4.0 SP2
- Microsoft windows_nt_server 4.0 SP3
- Microsoft windows_nt_server 4.0 SP4
- Microsoft windows_nt_server 4.0 SP5
- Microsoft windows_nt_server 4.0 SP6
- Microsoft windows_nt_server 4.0 SP6a
- Microsoft windows_nt_terminal_server 4.0 SP1
- Microsoft windows_nt_terminal_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP4
- Microsoft windows_nt_terminal_server 4.0 SP5
- Microsoft windows_nt_terminal_server 4.0 SP6
- Microsoft windows_nt_terminal_server 4.0 SP6a
- Microsoft windows_nt_workstation 4.0 SP1
- Microsoft windows_nt_workstation 4.0 SP2
- Microsoft windows_nt_workstation 4.0 SP3
- Microsoft windows_nt_workstation 4.0 SP4
- Microsoft windows_nt_workstation 4.0 SP5
- Microsoft windows_nt_workstation 4.0 SP6
- Microsoft windows_nt_workstation 4.0 SP6a
- Microsoft windows_nt_workstation 4.0
- Microsoft windows_xp_tablet_pc_edition SP1
- Microsoft windows_nt_server 4.0
- Microsoft windows_nt_enterprise_server 4.0
- Microsoft windows_2000_professional
- Microsoft windows_2000_server SP1
- Microsoft windows_2000_professional SP1
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_nt 4.0 SP5
- Microsoft windows_xp_64-bit_edition_version_2003
- Microsoft windows_xp_media_center_edition
- Microsoft windows_xp_tablet_pc_edition
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_nt_terminal_server 4.0
- Microsoft windows_server_2003_datacenter_edition_itanium SP1
- Microsoft windows_server_2003_enterprise_edition_itanium SP1
- Microsoft windows_server_2003_enterprise_edition SP1
- Microsoft windows_server_2003_standard_edition SP1
- Microsoft windows_server_2003_web_edition SP1
- Microsoft windows_server_2003_enterprise_edition
- Microsoft windows_server_2003_datacenter_edition
- Microsoft windows_server_2003_web_edition
- Microsoft windows_server_2003_enterprise_edition_itanium
- Microsoft windows_server_2003_datacenter_edition_itanium
- Microsoft windows_server_2003_datacenter_edition SP1
- Microsoft windows_xp_64-bit_edition_version_2003 SP1
- Microsoft windows_nt 4.0 SP6a
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_2000_datacenter_server SP1
- Microsoft windows_xp_tablet_pc_edition SP2
- Microsoft windows_2000_server
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_advanced_server SP4
- Microsoft windows_2000_datacenter_server SP4
- Microsoft windows_2000_professional SP4
- Microsoft windows_2000_server SP4
- Microsoft windows_nt 4.0
- Microsoft windows_xp_home SP2
- Microsoft windows_xp_professional SP2
- Microsoft windows_xp_media_center_edition SP1
- Microsoft windows_xp_media_center_edition SP2
- Microsoft windows_2000_datacenter_server
- Microsoft windows_nt 4.0 SP6
- Microsoft windows_2000_server_japanese_edition
- Microsoft windows_server_2003_standard_edition
- Microsoft windows_server_2003_standard_x64_edition
- Microsoft windows_server_2003_enterprise_x64_edition
- Microsoft windows_server_2003_datacenter_x64_edition
- Microsoft windows_xp_professional_x64_edition
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_professional SP2
- Microsoft windows_2000_server SP2
HTTP:PHP:COOLPHP-DIRTRAV - HTTP: CoolPHP "op" Parameter Directory Traversal
Severity: MEDIUM
Description:
This signature detects directory traversal attempts against CoolPHP. Attackers can exploit the traversal to execute arbitrary scripts on the PHP server.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Coolphp web_portal 1.0.0 -stable
HTTP:PHP:BLACKBOARD-INC - HTTP: BlackBoard Remote PHP Code Inclusion
Severity: HIGH
Description:
This signature detects attempts to exploit a vulnerability in the admin.inc.php script that shipped as part of the BlackBoard suite. Attackers can force the admin.inc.php script to include and execute PHP code from a remote source.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Blackboard blackboard_internet_newsboard_system 1.5.1
HTTP:PHP:ALEXPHP-INCLUDE - HTTP: AlexPHP Remote File Inclusion
Severity: HIGH
Description:
This signature detects attempts to exploit a remote file inclusion vulnerability in AlexPHP. Attackers can send a maliciously crafted HTTP request to execute PHP code from a remote server on the host running AlexPHP.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
HTTP:CGI:IKONBOARD-BADCOOKIE - HTTP: Ikonboard Illegal Cookie Language
Severity: MEDIUM
Description:
This signature detects attempts to exploit a known vulnerability in IkonBoard, a popular Web-based discussion board. Attackers can send a maliciously crafted cookie containing illegal characters to IkonBoard to execute arbitrary code with IkonBoard privileges (typically user level).
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Ikonboard.com ikonboard 3.1.1
- Ikonboard.com ikonboard 3.1.2 a
HTTP:PHP:PHPROJEKT-INC - HTTP: PHProjekt "path_pre" Parameter Remote File Include
Severity: MEDIUM
Description:
This signature detects attempts to exploit a vulnerability in the authform.inc.php script included in the PHProjekt package. Attackers can supply a remote location in the "path_pre" input parameter to force the target to download and execute arbitrary PHP code from the remote location.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
HTTP:STC:ADOBE:PDF-UUEXEC - HTTP: Adobe Acrobat Reader uudecode() File Execution
Severity: HIGH
Description:
This signature detects a maliciously crafted PDF file downloaded through HTTP. Attackers can insert certain shell metacharacters at the beginning of a uuencoded PDF file to force Adobe Acrobat to execute arbitrary commands upon loading the file.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Client, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Adobe reader 5.0.6
- Adobe reader 5.0.0
- Suse linux_personal 9.1.0
- Suse linux_personal 9.0.0 X86 64
- Adobe acrobat_reader_(unix) 5.0.0
- Adobe acrobat_reader_(unix) 5.0.0 6
- Adobe reader 5.0.5
- Adobe acrobat_reader_(unix) 5.0.0 5
- Suse linux_personal 9.0.0
HTTP:STC:MPG123-STEREO-OF - HTTP: mpg123 Remote Stereo Boundary Buffer Overflow
Severity: HIGH
Description:
This signature detects the download of a maliciously crafted MPEG Audio file. If attackers can cause a host to read such a file using mpg123, they can execute arbitrary code on the target host.
Supported On:
isg-3.5.141652, DI-Base, DI-Client, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-5.1.110161014, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Mpg123 mpg123 0.59.0 s
- Mandriva linux_mandrake 10.0.0
- Mpg123 mpg123 0.59.0 r
- Mandriva corporate_server 2.1.0
- Mandriva linux_mandrake 10.0.0 amd64
- Mandriva linux_mandrake 9.2.0
- Mandriva linux_mandrake 9.2.0 amd64
- Mandriva corporate_server 2.1.0 X86 64
HTTP:PHP:PHPBB:PM-SQL-USER - HTTP: phpBB Private Message Parameter SQL Injection
Severity: LOW
Description:
This signature detects attempts to inject SQL code into a request to phpBB, a popular open-source bulletin board application written in PHP. Attackers can send a maliciously crafted request that supplies SQL commands in the pm_sql_user parameter, changing database values and escalating client privileges.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Francisco_burzi php-nuke 7.0.0 FINAL
- Francisco_burzi php-nuke 6.5.0 RC1
- Francisco_burzi php-nuke 6.5.0 RC3
- Francisco_burzi php-nuke 6.5.0
- Phpbb_group phpbb 2.0.6
- Phpbb_group phpbb 2.0.4
- Francisco_burzi php-nuke 7.0.0
- Pnphpbb pnphpbb 1.2.0 f
- Francisco_burzi php-nuke 6.9.0
- Phpbb_group phpbb 2.0.7
- Phpbb_group phpbb 2.0.3
- Phpbb_group phpbb 2.0.6 d
- Phpbb_group phpbb 2.0.0 .0
- Phpbb_group phpbb 2.0.1
- Phpbb_group phpbb 2.0.5
- Francisco_burzi php-nuke 6.7.0
- Phpbb_group phpbb 2.0.2
- Francisco_burzi php-nuke 6.5.0 RC2
- Phpbb_group phpbb 2.0.7 a
- Phpbb_group phpbb 2.0.8
- Phpbb_group phpbb 2.0.0 RC4
- Phpbb_group phpbb 2.0.0 RC3
- Phpbb_group phpbb 2.0.0 RC2
- Phpbb_group phpbb 2.0.0 RC1
- Phpbb_group phpbb 2.0.0 Beta 1
- Francisco_burzi php-nuke 6.5.0 FINAL
- Francisco_burzi php-nuke 7.1.0
- Pnphpbb pnphpbb 1.2.0 g
- Pnphpbb pnphpbb 1.2.0
- Phpbb_group phpbb 2.0.6 c
- Francisco_burzi php-nuke 6.5.0 BETA 1
- Francisco_burzi php-nuke 6.6.0
- Francisco_burzi php-nuke 6.0.0
WORM:BERBEW:KEYLOGGER-UPLOAD - WORM: Berbew Keylogger Upload
Severity: HIGH
Description:
This signature detects the Berbew worm as it uploads keylogger information to a listening post. Berbew monitors user keystrokes for financial data and then reports that information over HTTP to an attacker-controlled listening post. Source IP addresses that trigger this signature are extremely likely to be infected with the Berbew worm.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
P2P:BITTORRENT:TRACKER-SCRAPE - P2P: BitTorrent Tracker Scrape
Severity: INFO
Description:
This signature detects "scrape" requests to a BitTorrent tracker Web site. Users may be querying the tracker for files to download.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1
References:
HTTP:IIS:MFC-EXT-OF - HTTP: IIS MFC ISAPI Framework Overflow (via ext.dll)
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability against Microsoft IIS. A maliciously crafted HTTP request can exploit a buffer overflow condition in mfc42.dll by way of ext.dll. Attackers can gain local access to an IIS server.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Working_resources_inc. badblue_personal_edition 1.7.3
- Microsoft foundation_class_library 7.0
- Working_resources_inc. badblue_enterprise_edition 1.7.3
HTTP:STC:CLSID:ACTIVEX:VML-AX - HTTP: VMLRender ActiveX
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. Attackers can create malicious Web pages containing a dangerous Class ID; if a victim accesses such a page, the attacker can gain control of the victim's client browser.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft internet_explorer 5.0.1
- Avaya s8100_media_servers
- Microsoft windows_server_2003_x64 SP2
- Nortel_networks centrex_ip_element_manager 8.0.0
- Nortel_networks centrex_ip_element_manager 7.0.0
- Nortel_networks contact_center-tapi_server
- Nortel_networks contact_center_manager_server
- Microsoft internet_explorer 5.0.1 SP2
- Nortel_networks contact_center_express
- Microsoft internet_explorer 7.0 Beta3
- Microsoft internet_explorer 7.0
- Microsoft windows_server_2003_web_edition SP2
- Microsoft windows_server_2003_itanium SP2
- Microsoft windows_server_2003_datacenter_x64_edition SP2
- Microsoft windows_server_2003_enterprise_x64_edition SP2
- Microsoft windows_server_2003_standard_edition SP2
- Microsoft internet_explorer 5.0.1 SP3
- Hp storage_management_appliance 2.1
- Microsoft windows_2000_professional
- Avaya messaging_application_server
- Microsoft windows_2000_server SP1
- Microsoft windows_2000_professional SP1
- Microsoft windows_2000_advanced_server SP1
- Microsoft internet_explorer 5.0.1 SP4
- Microsoft internet_explorer 6.0 SP1
- Microsoft windows_xp_media_center_edition
- Microsoft windows_xp_tablet_pc_edition
- Microsoft windows_2000_server
- Avaya s8100_media_servers R7
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_server_2003_datacenter_edition SP1
- Microsoft windows_server_2003_datacenter_edition_itanium SP1
- Microsoft windows_server_2003_enterprise_edition_itanium SP1
- Microsoft windows_server_2003_enterprise_edition SP1
- Microsoft windows_server_2003_standard_edition SP1
- Microsoft windows_server_2003_web_edition SP1
- Nortel_networks contact_center_administration
- Microsoft windows_server_2003_enterprise_edition
- Microsoft windows_server_2003_datacenter_edition
- Microsoft windows_server_2003_web_edition
- Microsoft windows_server_2003_enterprise_edition_itanium
- Microsoft windows_server_2003_datacenter_edition_itanium
- Microsoft windows_xp_tablet_pc_edition SP1
- Microsoft internet_explorer 5.0.1 SP1
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_2000_datacenter_server SP1
- Avaya s8100_media_servers R10
- Avaya s8100_media_servers R12
- Avaya s8100_media_servers R11
- Microsoft windows_xp_tablet_pc_edition SP2
- Avaya s8100_media_servers R9
- Avaya s8100_media_servers R8
- Microsoft windows_2000_advanced_server
- Avaya s8100_media_servers R6
- Microsoft windows_2000_advanced_server SP4
- Microsoft windows_2000_datacenter_server SP4
- Microsoft windows_2000_professional SP4
- Microsoft windows_2000_server SP4
- Nortel_networks callpilot 703T
- Nortel_networks callpilot 702T
- Nortel_networks callpilot 201I
- Nortel_networks callpilot 200I
- Nortel_networks contact_center
- Nortel_networks centrex_ip_element_manager 9.0.0
- Microsoft internet_explorer 7.0 Beta2
- Microsoft windows_server_2003 SP2
- Microsoft internet_explorer 7.0 Beta1
- Microsoft windows_xp_home SP2
- Microsoft windows_xp_professional SP2
- Microsoft windows_xp_media_center_edition SP1
- Microsoft windows_xp_media_center_edition SP2
- Microsoft internet_explorer 6.0
- Microsoft windows_2000_datacenter_server
- Nortel_networks symposium_agent
- Nortel_networks callpilot 1002Rp
- Microsoft windows_server_2003_standard_edition
- Microsoft windows_server_2003_standard_x64_edition
- Microsoft windows_server_2003_enterprise_x64_edition
- Microsoft windows_server_2003_datacenter_x64_edition
- Microsoft windows_xp_professional_x64_edition
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_professional SP2
- Microsoft windows_2000_server SP2
- Microsoft windows_xp
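The Internet Explorer entry above describes pages that instantiate a control through a dangerous Class ID. The following is an added example of how such a check can be written (it is not Juniper's signature logic): it pulls the CLSID out of every <object classid=...> tag, undoing HTML entities and case differences that a naive string match would miss, and compares it against a denylist. The CLSIDs in the denylist and the sample pages are constructed placeholders, not real control identifiers.

```python
"""Flag HTML pages that load an ActiveX control via a denylisted Class ID.

Added example; the denylist entries and sample pages are constructed
placeholders (assumption), not real CLSIDs or captured traffic.
"""
import html
import re
from typing import List

# Assumed site-specific denylist; replace with the CLSIDs you actually block.
DANGEROUS_CLSIDS = {
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
}

# Match the tag and its attribute separately: attribute order, quoting and
# line breaks inside the tag all vary in real pages.
_OBJECT_TAG = re.compile(r"<\s*object\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_CLASSID_ATTR = re.compile(
    r"""classid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE | re.DOTALL,
)
_CLSID_VALUE = re.compile(
    r"clsid\s*:\s*\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)


def extract_clsids(page: str) -> List[str]:
    """Return every CLSID referenced by an <object classid=...> tag.

    Entities are decoded before matching so that `&#99;lsid:` style
    obfuscation does not hide the value; GUIDs are normalised to lowercase.
    """
    found = []
    for tag in _OBJECT_TAG.finditer(page):
        attrs = html.unescape(tag.group(1))
        m = _CLASSID_ATTR.search(attrs)
        if not m:
            continue
        raw = next(g for g in m.groups() if g is not None)
        v = _CLSID_VALUE.search(raw)
        if v:
            found.append(v.group(1).lower())
    return found


def dangerous_clsids(page: str) -> List[str]:
    """CLSIDs on the page that appear in the denylist."""
    return [c for c in extract_clsids(page) if c in DANGEROUS_CLSIDS]


# Constructed sample pages: one benign control, one denylisted control
# written in upper case with braces, one hidden behind a numeric entity.
SAMPLE_PAGES = {
    "benign": '<html><body><object classid="clsid:00000000-0000-0000-0000-0000000000AA"'
              ' width=1></object></body></html>',
    "direct": "<OBJECT CLASSID='CLSID:{00000000-0000-0000-0000-000000000001}'></OBJECT>",
    "obfuscated": '<object\n  id=x classid=&#99;lsid:00000000-0000-0000-0000-000000000002 >'
                  '</object>',
}

if __name__ == "__main__":
    for label, page in SAMPLE_PAGES.items():
        print(label, extract_clsids(page), dangerous_clsids(page))
```

The point of decoding entities and normalising case before the comparison is that a signature keyed on the literal string "classid=\"clsid:" is trivially evaded; the check should operate on the value the browser will see, not on the bytes on the wire.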
HTTP:PHP:PHPBB:HIGHLIGHT-EXEC - HTTP: phpBB Search Highlighting Arbitrary Command Execution
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability in phpBB. Attackers can send a crafted HTTP request that causes phpBB to execute arbitrary PHP code on the server with the Web server's privileges.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Phpbb_group phpbb 2.0.9
- Phpbb_group phpbb 1.4.0 .0
- Phpbb_group phpbb 1.4.1
- Phpbb_group phpbb 1.0.0 .0
- Phpbb_group phpbb 1.2.0 .0
- Phpbb_group phpbb 1.2.1
- Phpbb_group phpbb 2.0.6
- Phpbb_group phpbb 2.0.4
- Phpbb_group phpbb 2.0.6 c
- Phpbb_group phpbb 2.0.15
- Phpbb_group phpbb 2.0.7
- Phpbb_group phpbb 2.0.3
- Phpbb_group phpbb 2.0.6 d
- Phpbb_group phpbb 2.0.0 .0
- Phpbb_group phpbb 2.0.1
- Phpbb_group phpbb 2.0.5
- Phpbb_group phpbb 2.0.13
- Phpbb_group phpbb 2.0.2
- Phpbb_group phpbb 2.0.7 a
- Phpbb_group phpbb 2.0.10
- Phpbb_group phpbb 2.0.8
- Phpbb_group phpbb 1.4.4
- Phpbb_group phpbb 2.0.0 RC4
- Phpbb_group phpbb 2.0.0 RC3
- Phpbb_group phpbb 2.0.0 RC2
- Phpbb_group phpbb 2.0.0 RC1
- Phpbb_group phpbb 2.0.0 Beta 1
- Phpbb_group phpbb 2.0.8 a
- Pnphpbb pnphpbb 1.2.0 f
- Pnphpbb pnphpbb 1.2.0 g
- Pnphpbb pnphpbb 1.2.0
- Gentoo linux
- Phpbb_group phpbb 1.4.2
- Phpbb_group phpbb 2.0.14
- Phpbb_group phpbb 2.0.12
Severity: HIGH
Description:
This signature detects the Mimail.A worm attachment in SMTP traffic. After infecting a Windows host, Mimail harvests e-mail addresses from the host and sends itself as an attachment to those addresses using its own SMTP engine, thereby spreading across the Internet.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1
References:
HTTP:HOTMAIL:EXE-DOWNLOAD - HTTP: MSN Hotmail Executable File Extension Download
Severity: MEDIUM
Description:
This signature detects attempts by users to download potentially hazardous attachments from MSN Hotmail. MSN Hotmail is a web-based email application that allows users to send and receive emails with attachments. This may be a violation of your organization's Acceptable Use Policy.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
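Both the Mimail.A entry and the Hotmail entry above come down to the same question: is the payload being delivered an executable, whether it arrives as an SMTP attachment or as a webmail download over HTTP? The following is an added example of one classifier applied to both paths; it is not the Juniper signature. It checks the file name against a list of executable extensions and, because a renamed PE file defeats that, also checks for the MZ header. The MIME message, the HTTP response and the extension list are constructed for the example.

```python
"""Detect executable payloads in an SMTP attachment and in an HTTP download.

Added example; the sample message, the sample HTTP response and the
extension list are constructed (assumption), not captured traffic or the
device's own list.
"""
import email
import email.policy
from email.message import EmailMessage
from typing import List, Tuple

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
MZ_MAGIC = b"MZ"  # DOS/PE executable header


def looks_executable(filename: str, data: bytes) -> bool:
    """Extension check catches scripts; magic-byte check catches renamed PE files."""
    name = (filename or "").lower().rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or data[:2] == MZ_MAGIC


def _reason(data: bytes) -> str:
    return "mz-header" if data[:2] == MZ_MAGIC else "extension"


def scan_smtp_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that looks executable."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            hits.append((name, _reason(data)))
    return hits


def scan_http_download(raw_response: bytes) -> List[Tuple[str, str]]:
    """Same check for a file served with Content-Disposition: attachment."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    name = ""
    for piece in headers.get("content-disposition", "").split(";"):
        piece = piece.strip()
        if piece.lower().startswith("filename="):
            name = piece[len("filename="):].strip('"')
    if looks_executable(name, body):
        return [(name, _reason(body))]
    return []


def _build_sample_message() -> bytes:
    """Constructed worm-style message: a PE renamed .zip, a double-extension
    screensaver, and a harmless text file."""
    m = EmailMessage()
    m["From"] = "user@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = "your account"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="message.zip")
    m.add_attachment(b"not really a picture", maintype="application",
                     subtype="octet-stream", filename="photo.jpg.scr")
    m.add_attachment("plain text", filename="readme.txt")
    return bytes(m)


SAMPLE_MESSAGE = _build_sample_message()

SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    b"Content-Length: 64\r\n"
    b"\r\n" + b"MZ\x90\x00" + b"\x00" * 60
)

BENIGN_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"\r\n" + b"%PDF-1.4\n%constructed sample\n"
)

if __name__ == "__main__":
    print(scan_smtp_message(SAMPLE_MESSAGE))
    print(scan_http_download(SAMPLE_HTTP_RESPONSE), scan_http_download(BENIGN_HTTP_RESPONSE))
```

Keying only on the extension, which is what a policy-style "executable download" rule typically does, is enough for the acceptable-use case but not for a worm that ships a renamed binary; the header check is what makes the SMTP path useful.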
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability in Squid Proxy. Successful exploitation could result in denial-of-service conditions on the target service.
Supported On:
isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1
MS-RPC:OF:LOC-SVC-1 - MS-RPC: DCE-RPC Windows RPC Locator Service Overflow (1)
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability in the Windows DCE-RPC Locator service. The service is enabled by default on Windows NT 4.0 and Windows 2000 domain controllers and can be enabled manually on other Windows NT, 2000, and XP systems. Attackers can crash the Locator service, causing network-wide outages, or take control of the system and run arbitrary code.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Server, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_terminal_services SP3
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_2000_datacenter_server SP1
- Microsoft windows_nt_server 4.0
- Microsoft windows_nt_enterprise_server 4.0
- Microsoft windows_2000_professional
- Microsoft windows_2000_terminal_services
- Microsoft windows_2000_server SP1
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_server_japanese_edition
- Microsoft windows_2000_server SP2
- Microsoft windows_2000_server
- Microsoft windows_xp_home SP1
- Microsoft windows_2000_professional SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_nt_enterprise_server 4.0 SP1
- Microsoft windows_2000_terminal_services SP1
- Microsoft windows_2000_terminal_services SP2
- Microsoft windows_nt_enterprise_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP4
- Microsoft windows_nt_enterprise_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP5
- Microsoft windows_nt_enterprise_server 4.0 SP6
- Microsoft windows_nt_enterprise_server 4.0 SP6a
- Microsoft windows_nt_server 4.0 SP1
- Microsoft windows_nt_server 4.0 SP2
- Microsoft windows_nt_server 4.0 SP3
- Microsoft windows_nt_server 4.0 SP4
- Microsoft windows_nt_server 4.0 SP5
- Microsoft windows_nt_server 4.0 SP6
- Microsoft windows_nt_server 4.0 SP6a
- Microsoft windows_nt_terminal_server 4.0 SP1
- Microsoft windows_nt_terminal_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP4
- Microsoft windows_2000_professional SP2
- Microsoft windows_nt_terminal_server 4.0 SP6
- Microsoft windows_nt_terminal_server 4.0 SP6a
- Microsoft windows_nt_workstation 4.0 SP1
- Microsoft windows_nt_workstation 4.0 SP2
- Microsoft windows_nt_workstation 4.0 SP3
- Microsoft windows_nt_workstation 4.0 SP4
- Microsoft windows_nt_workstation 4.0 SP5
- Microsoft windows_nt_workstation 4.0 SP6
- Microsoft windows_nt_workstation 4.0 SP6a
- Microsoft windows_nt_workstation 4.0
- Microsoft windows_nt_terminal_server 4.0
- Microsoft windows_nt_terminal_server 4.0 SP5
HTTP:MISC:EMC-AUTH-BYPASS - HTTP: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass
Severity: HIGH
Description:
A static credentials authentication bypass vulnerability has been reported in the EMC Data Protection Advisor Application service. Successful exploitation would allow the attacker to authenticate to the target server as an administrative user.
Supported On:
isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1
References:
MS-RPC:OF:MSG-QUEUE-1 - MS-RPC: Microsoft Message Queue Manager Heap Overflow (1)
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability against Microsoft Windows 2000 Message Queue Manager. Attackers can send a specially-crafted queue registration request to overflow a buffer and execute arbitrary code on the system with Local System privileges.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Client, idp-4.1.110110719, idp-4.0.0, mx-11.4, DI-Base, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, idp-5.1.110170603, isg-3.1.135801, idp-5.0.0, isg-3.5.0, idp-4.0.110090831, isg-3.4.139899, j-series-9.5, srx-12.1, srx-branch-12.1, idp-4.2.110100823, idp-5.0.110130325, idp-4.0.110090709, isg-3.4.140032, idp-4.2.110101203, vsrx-12.1, idp-5.1.0, isg-3.0.0, idp-5.0.110121210, isg-3.1.134269, vsrx-15.1, idp-4.1.110110609, isg-3.4.0
References:
HTTP:XSS:SHAREPOINT-XSS - HTTP: Microsoft Windows Sharepoint Services Cross-Site-Scripting
Severity: MEDIUM
Description:
This signature detects attempts to exploit a known vulnerability in Microsoft SharePoint Services and Office. An attacker can deliver a cross-site scripting payload in an HTTP GET or POST request to attack a target locally or remotely.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft windows_sharepoint_services_windows_server_2003 SP1
- Microsoft sharepoint_team_services_from_microsoft
- Microsoft windows_sharepoint_services_windows_server_2003
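Two of the entries on this page describe request-side payloads: PHP code sent to phpBB through its search highlighting feature (HTTP:PHP:PHPBB:HIGHLIGHT-EXEC) and cross-site scripting sent to SharePoint in GET or POST messages (HTTP:XSS:SHAREPOINT-XSS). The following is an added example, not Juniper's signature logic, of one request inspector that serves both: it collects parameters from the query string and from a form-encoded POST body, undoes an extra layer of URL encoding and HTML entities, and then applies two checks. The parameter name `highlight`, the character classes, and the three sample requests are the example's own assumptions and constructions.

```python
"""Inspect HTTP request parameters for PHP code in phpBB's highlight
parameter and for cross-site-scripting payloads in any parameter.

Added example. Assumptions: the parameter name ``highlight`` and the marker
patterns are the author's choices; SAMPLE_REQUESTS are constructed.
"""
import html
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters and names a search term never needs but injected PHP does.
PHP_CODE_MARKERS = re.compile(
    r"""['"();$`]|\b(?:system|exec|passthru|shell_exec|eval)\b""", re.IGNORECASE)
# Script tag, javascript: URL, or an event-handler attribute inside a tag.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw request into method, path and a list of (name, value)
    parameters taken from the query string and, for a form POST, the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    params: List[Tuple[str, str]] = list(parse_qsl(parts.query, keep_blank_values=True))
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": parts.path, "params": params}


def normalise(value: str) -> str:
    """parse_qsl already removed one layer of percent-encoding; remove a
    second layer and any HTML entities so a double-encoded payload is
    compared in the form the application will see."""
    return html.unescape(unquote(value))


def inspect(raw: bytes) -> List[str]:
    """Return alert labels of the form '<check>:<parameter>'."""
    req = parse_request(raw)
    alerts = []
    for name, value in req["params"]:
        v = normalise(value)
        if name.lower() == "highlight" and PHP_CODE_MARKERS.search(v):
            alerts.append(f"phpbb-highlight-exec:{name}")
        if XSS_MARKERS.search(v):
            alerts.append(f"xss:{name}")
    return alerts


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign_search": (
        b"GET /viewtopic.php?t=12&highlight=password+reset HTTP/1.1\r\n"
        b"Host: forum.example\r\n\r\n"),
    "highlight_exec": (  # double-encoded quotes around a PHP call
        b"GET /viewtopic.php?t=12&highlight=%2527.system(%2527id%2527).%2527 HTTP/1.1\r\n"
        b"Host: forum.example\r\n\r\n"),
    "xss_post": (
        b"POST /_layouts/search.aspx HTTP/1.1\r\n"
        b"Host: portal.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 43\r\n\r\n"
        b"q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&go=1"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, inspect(raw))
```

Looking at GET and POST through one parameter list is what makes the SharePoint case tractable: the same payload is an alert whether it comes in the query string or the body, and the decoder, not the rule, is responsible for seeing through a second layer of encoding.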
HTTP:3COM:LOG-CLEAN - HTTP: 3Com 3crwe754g72-a Unauthorized Log Clearance
Severity: MEDIUM
Description:
This signature detects attempts to make a 3Com 3crwe754g72-a based device clear its logs. Attackers can send a log-clear request with a spoofed source IP address and without authenticating.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References:
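The 3Com entry above is an instance of a general design fault: an administrative action accepted on the strength of the requester's source address, which the attacker controls, instead of an authenticated session. The following added example (not the device's firmware, and not Juniper code) puts a vulnerable log-clear handler beside a hardened one. The management subnet, the credentials, the session store and the request shape are all constructed for the example.

```python
"""Log-clear handler that trusts the source IP versus one that requires an
authenticated session and an anti-CSRF token.

Added example; MGMT_NET, the admin credentials and the Request/Device
shapes are constructed assumptions, not the 3Com device's implementation.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed "trusted" range


@dataclass
class Request:
    src_ip: str                      # whatever the packet claims; attacker-chosen
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    log: List[str] = field(default_factory=lambda: ["boot", "login admin"])
    sessions: Dict[str, str] = field(default_factory=dict)  # sid -> csrf token

    def login(self, user: str, password: str) -> str:
        """Assumed fixed credentials for the example; a real device would
        verify against a hashed store. Returns a session id."""
        if not (user == "admin" and hmac.compare_digest(password, "correct horse")):
            raise PermissionError("bad credentials")
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid

    def clear_log_vulnerable(self, req: Request) -> bool:
        """Source address is the only check: any request that claims an
        address in MGMT_NET clears the log with no login at all."""
        if req.path == "/clearlog" and ipaddress.ip_address(req.src_ip) in MGMT_NET:
            self.log.clear()
            return True
        return False

    def clear_log_hardened(self, req: Request) -> bool:
        """Requires a live session cookie and a matching anti-CSRF token;
        the source address is not consulted, so spoofing it gains nothing."""
        token = self.sessions.get(req.cookies.get("sid", ""))
        if req.path != "/clearlog" or token is None:
            return False
        if not hmac.compare_digest(token, req.form.get("csrf", "")):
            return False
        self.log.clear()
        return True


if __name__ == "__main__":
    spoofed = Request(src_ip="192.168.1.10", path="/clearlog")
    d = Device()
    print("vulnerable:", d.clear_log_vulnerable(spoofed), d.log)
    d = Device()
    print("hardened, unauthenticated:", d.clear_log_hardened(spoofed), d.log)
    sid = d.login("admin", "correct horse")
    authed = Request("10.9.9.9", "/clearlog", {"sid": sid}, {"csrf": d.sessions[sid]})
    print("hardened, authenticated:", d.clear_log_hardened(authed), d.log)
```

The hardened handler also binds the action to a per-session token so that an authenticated administrator's browser cannot be made to issue the request from another site; without that, the "authenticated" version would still be clearable by a forged request.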
Severity: CRITICAL
Description:
This signature detects attempts to exploit a known vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). A successful attack allows attackers to remotely run arbitrary code on the target system. Note: This vulnerability is exploited by many worms.
Supported On:
isg-3.5.141652, idp-5.1.110161014, DI-Server, DI-Worm, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, isg-3.0.0, idp-5.1.110170603, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, DI-Base, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, srx-17.4, isg-3.1.134269, vsrx-15.1
References:
Affected Products:
- Microsoft windows_xp_professional
- Microsoft windows_xp_home
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_2000_datacenter_server SP1
- Avaya s3400_message_application_server
- Avaya s8100_media_servers
- Avaya definityone_media_servers
- Avaya ip600_media_servers
- Microsoft windows_2000_professional
- Microsoft windows_2000_server
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_2000_advanced_server SP4
- Microsoft windows_2000_datacenter_server SP4
- Microsoft windows_2000_professional SP4
- Microsoft windows_2000_server SP4
- Microsoft windows_xp_64-bit_edition_version_2003
- Microsoft windows_2000_server SP1
- Microsoft windows_server_2003_standard_edition
- Microsoft windows_2000_professional SP1
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_professional SP1
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_professional SP2
- Microsoft windows_2000_server SP2
- Microsoft windows_server_2003_enterprise_edition
- Microsoft windows_server_2003_datacenter_edition
- Microsoft windows_server_2003_web_edition
- Microsoft windows_server_2003_enterprise_edition_itanium
- Microsoft windows_server_2003_datacenter_edition_itanium
- Microsoft windows_xp_64-bit_edition_version_2003 SP1
HTTP:STC:IE:CVE-2017-11810-MC - HTTP: Microsoft Internet Explorer CVE-2017-11810 Memory Corruption
Severity: HIGH
Description:
This signature detects an attempt to exploit a known vulnerability in Microsoft Internet Explorer. Successful exploitation may allow an attacker to execute arbitrary code remotely.
Supported On:
isg-3.5.141652, idp-5.1.110161014, idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, isg-3.5.141818, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, idp-5.0.0, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, idp-5.1.110170603, vsrx-15.1
References:
Affected Products:
- Microsoft internet_explorer 9
- Microsoft internet_explorer 10
- Microsoft internet_explorer 11
Severity: HIGH
Description:
This signature detects attempts to exploit a known vulnerability in Avisoft Digital TV Player. A successful attack can cause a buffer overflow and allow arbitrary remote code execution in the context of the affected application.
Supported On:
isg-3.5.141652, DI-Base, DI-Server, idp-4.0.0, idp-4.0.110090709, idp-5.1.110161014, idp-4.1.0, mx-16.1, idp-4.2.0, srx-17.3, vmx-17.4, idp-5.0.0, vsrx-17.4, srx-branch-17.4, srx-17.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, j-series-9.5, idp-4.2.110100823, idp-4.2.110101203, idp-4.0.110090831, idp-5.1.0, idp-4.1.110110609, idp-4.1.110110719, mx-11.4, isg-3.5.141818, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, isg-3.0.0, idp-5.1.110170603, vsrx-15.1
References: