Microsoft Vulnerabilities and Situations for 2006 in sgpkg-ips-318-4219

Vulnerabilities


MS06-078 HTTP-Microsoft-Windows-Media-Player-ASX-Playlist-Parsing-Buffer-Overflow

About this vulnerability: Microsoft Windows Media Player suffers a buffer overflow in playlist parsing
Risk: Moderate
First detected in: sgpkg-ips-89-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP; Windows 2003
Software: Windows Media Player
Type: Buffer Overflow
Description: There is a buffer overflow in the way Microsoft Windows Media Player handles references to unregistered protocols in playlists.
Situation HTTP_Microsoft-Windows-Media-Player-ASX-Playlist-Parsing-Buffer-Overflow
Comment: Detects exploit attempts to playlist handling of Microsoft Windows Media Player.
Description: Detects attempts to exploit a buffer overflow vulnerability in Microsoft Windows Media Player. The vulnerability lies in the way Windows Media Player handles unregistered protocol identifiers in playlists.
References:
CVE-2006-6134
BID-21247
MS06-078

MS06-077 TFTP-Microsoft-RIS-TFTP-Service-Write-Access-Vulnerability

About this vulnerability: RIS TFTP Service allows anonymous remote write access by default
Risk: High
First detected in: sgpkg-ips-87-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Microsoft RIS TFTP Server
Type: Insecure Configuration
Description: There is a file overwrite vulnerability in the Microsoft Windows Remote Installation Service. The Remote Installation Service (RIS) includes a TFTP server that is configured by default to allow anonymous users to update and overwrite files. This vulnerability allows an attacker to compromise operating system installations offered by the RIS server.
Situation TFTP_Microsoft-RIS-TFTP-Write-Access
Comment: TFTP System File Write Access
Description: A TFTP system file write attempt has been detected. The Microsoft Windows Remote Installation Service has a TFTP service that allows unauthenticated remote users to write and modify system files that are distributed via RIS to remote clients. This allows the remote attacker to compromise the client systems.
References:
CVE-2006-5584
BID-21495
MS06-077

MS06-074 SNMP-Microsoft-SNMP-Service-Buffer-Overflow

About this vulnerability: Microsoft SNMP Service suffers a buffer overflow
Risk: Moderate
First detected in: sgpkg-ips-87-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a remote code execution vulnerability in the Microsoft SNMP service. The vulnerability is caused by insufficient validation of certain parameters of the SNMP request.
Situation SNMP-UDP_Microsoft-SNMP-Service-Buffer-Overflow
Comment: Microsoft SNMP Service Buffer Overflow
Description: Detects attempts to exploit a buffer overflow in the Microsoft SNMP service.
Situation SNMP-UDP_GetBulkRequest-With-Nonzero-Nonrepeaters-And-Maxrepeaters-Values
Comment: Potential exploit against the Microsoft SNMP Service Buffer Overflow
Description: Detects getBulkRequest SNMP packets with non-zero non-repeaters and max-repeaters values. These values may also be present in normal traffic, but can be an attempt to exploit a buffer overflow in the Microsoft SNMP Service.
Situation SNMP-UDP_GetBulkRequest-With-Nonzero-Nonrepeaters-And-Large-Maxrepeaters-Value
Comment: Potential exploit against the Microsoft SNMP Service Buffer Overflow
Description: Detects getBulkRequest SNMP packets with a non-zero non-repeaters value and an excessively large max-repeaters value. These packets can be used to cause a buffer overflow in the Microsoft SNMP Service.
References:
CVE-2006-5583
BID-21537
MS06-074

MS06-073 HTTP-Microsoft-Visual-Studio-WMI-Object-Broker-ActiveX-Code-Execution

About this vulnerability: Access control vulnerability in Microsoft Visual Studio 2005
Risk: Moderate
First detected in: sgpkg-ips-84-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Microsoft Visual Studio 2005
Type: Malfunction
Description: There is an access control vulnerability in Microsoft Visual Studio 2005. The vulnerability can be exploited by persuading a target user to view a malicious HTML page. This allows non-privileged code execution.
Situation HTTP_Microsoft-Visual-Studio-WMI-Object-Broker-ActiveX-Control-Usage
Comment: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious
Description: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious. A remote attacker can persuade a target user to visit a crafted web page containing script code that calls the CreateObject function of the affected ActiveX Control. A successful exploitation allows code execution with the privileges of the currently logged in user.
References:
CVE-2006-4704
BID-20843
MS06-073

MS06-071 HTTP-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Exectution

About this vulnerability: A vulnerability in Microsoft XML Core Services allows code execution
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-273-4219
Platform: Generic
Software: Microsoft XML Core Services
Type: Malfunction
Description: There is a vulnerability in the Microsoft XML Core Services (XMLHTTP) ActiveX component. A malicious HTML page can be used to execute code in the context of the local user.
Situation HTTP_SS-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft XML Core Services detected
Description: An attempt to exploit a vulnerability in the Microsoft XML Core Services (XMLHTTP) MHTML protocol handler of Microsoft Internet Explorer was detected. This can lead to code execution in the context of the local user.
References:
CVE-2006-5745
BID-20915
MS06-071

MS06-071 Microsoft-XMLHTTP-ActiveX-Control-Code-Execution

About this vulnerability: Code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services
Risk: High
First detected in: sgpkg-ips-173-2032
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Microsoft XML Core Services
Type: Malfunction
Description: There is a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services. A remote attacker can exploit the vulnerability by enticing a user who has a vulnerable version of the affected product installed to visit a malicious web page, allowing the attacker to execute non-privileged arbitrary code on the user's system.
Situation HTTP_SS-Microsoft-XMLHTTP-ActiveX-Control-Code-Execution
Comment: Attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services detected
Description: An attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services was detected. A successful exploit allows remote attackers to execute non-privileged arbitrary code on the vulnerable system.
References:
CVE-2006-5745
BID-20915
MS06-071

MS06-070 MSRPC-Workstation-Service-Buffer-Overflow-MS06-070

About this vulnerability: MSRPC Workstation Service Buffer Overflow MS06-070
Risk: High
First detected in: sgpkg-ips-84-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP
Software: <os>
Type: Buffer Overflow
Description: There is a remote code execution vulnerability in the Microsoft Windows Workstation service. The vulnerability is caused by the incorrect processing of long arguments in specially crafted RPC calls. A remote attacker may exploit this vulnerability to cause a denial of service condition or inject and execute arbitrary code on the vulnerable system within the security context of the affected service, which is normally System.
Situation MSRPC-TCP_CPS-Microsoft-Windows-Workstation-Service-BOF-MS06-070
Comment: Detected exploit on MS06-070
Description: An attempt to exploit a buffer overflow vulnerability (MS06-070) in the workstation service has been detected. A successful exploit allows the remote attacker to execute arbitrary code using system privileges.
References:
CVE-2006-4691
BID-20985
MS06-070

MS06-069 Microsoft-Excel-Embedded-Shockwave-Flash-Object-Code-Execution

About this vulnerability: Flash based code execution vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-292-4219
Platform: Windows
Software: Microsoft Excel
Type: Malfunction
Description: Microsoft Excel has a Flash-based code execution vulnerability. The vulnerability can be exploited by persuading a user to open a specially crafted Excel file containing an embedded Shockwave Flash Object, leading to arbitrary script code execution.
Situation HTTP_Microsoft-Excel-Embedded-Flash-Object-JavaScript-Code-Execution
Comment: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file
Description: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file.
Situation E-Mail_BS-Microsoft-Excel-Embedded-Flash-Object-JavaScript-Code-Execution
Comment: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file
Description: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file.
References:
CVE-2006-3014
BID-18583
MS06-069

MS06-067 HTTP-Internet-Explorer-Daxctle.ocx-KeyFrame-Method-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-80-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a memory corruption vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation HTTP_SS-Internet-Explorer-Daxctle.ocx-KeyFrame-Method-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. By delivering a crafted web page containing a KeyFrame function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4777
BID-19738
OSVDB-28842
MS06-067

MS06-067 HTTP-Microsoft-Internet-Explorer-Daxctle.ocx-Spline-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of the Spline method in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-79-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the handling of the Spline method in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation HTTP_Microsoft-Internet-Explorer-Daxctle.ocx-Spline-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing a Spline function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4446
BID-19738
OSVDB-28841
MS06-067

MS06-067 HTTP-WinZip-FileView-ActiveX-Control-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in WinZip
Risk: High
First detected in: sgpkg-ips-85-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: WinZip
Type: Buffer Overflow
Description: WinZip has a stack-based buffer overflow vulnerability. A target user with a vulnerable version of the affected product can be persuaded to visit a malicious web page containing an excessively long value assigned to the FilePattern property of the FileView object. This leads to a DoS or code execution with the privileges of the currently logged in user.
Situation HTTP_WinZip-FileView-ActiveX-Control-Buffer-Overflow
Comment: Detects buffer overflow exploits against the WinZip FileView ActiveX control
Description: Detects buffer overflow exploits against the WinZip FileView ActiveX control. A successful exploitation causes a DoS terminating the vulnerable product or allows non-privileged code execution.
References:
CVE-2006-5198
BID-21060
OSVDB-30433
MS06-067

MS06-066 MSRPC-Microsoft-Client-Service-For-NetWare-Memory-Corruption

About this vulnerability: Buffer overflow vulnerability in the Microsoft Client Service for NetWare
Risk: Critical
First detected in: sgpkg-ips-85-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Client Service for NetWare has a stack-based buffer overflow vulnerability. By sending a malformed RPC request to an affected system a remote attacker can cause a DoS or execute arbitrary code with the privileges of the vulnerable service, normally System.
Situation MSRPC-TCP_CPS-Microsoft-Client-Service-For-NetWare-Memory-Corruption
Comment: Buffer overflow exploit against the Microsoft Client Service for NetWare
Description: Detects buffer overflow exploits against the Microsoft Client Service for NetWare. A successful exploitation may lead to a DoS or a root/system level compromise.
References:
CVE-2006-4688
BID-20984
OSVDB-30260
MS06-066

MS06-064 Windows_Xp_2003_Land_Attack_DoS

About this vulnerability: Windows XP and 2003 land attack Denial of Service
Risk: Low
First detected in: sgpkg-ips-253-3038
Last changed: sgpkg-ips-273-4219
Platform: Windows XP SP2; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: Windows XP SP2 and Windows 2003 suffer from a denial of service vulnerability when receiving spoofed SYN packets from their own address.
Situation DOS_LAND
Comment: Targa2 DoS: land attack
Description: Detected a Denial-of-Service attack from the Targa2 attack set. A land attack sends a TCP SYN packet with the source IP address set to the same address as the target IP address. Because the source IP address is spoofed to be the same as the destination IP address, it is typically not possible to identify the source of the attack from the log event. Risk analysis: Risk level is medium.
References:
CVE-2005-0688
MS06-064
MS05-019

MS06-063 Microsoft-Windows-Server-Driver-Crafted-SMB-Packet-DoS

About this vulnerability: Denial of service vulnerability in the handling of crafted SMB packets in Microsoft Windows
Risk: Moderate
First detected in: sgpkg-ips-77-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003 SP0; Windows 2003 SP1
Software: <os>
Type: Malfunction
Description: There is a denial of service vulnerability in the handling of crafted SMB packets in Microsoft Windows due to a NULL pointer dereference error in the server driver.
Situation SMB-TCP_Microsoft-Windows-Server-Driver-Crafted-SMB-Packet-DoS
Comment: Detects denial of service exploits against Microsoft Windows via a crafted SMB packet
Description: Detects denial of service exploits against Microsoft Windows via a crafted SMB packet.
References:
CVE-2006-3942
BID-19215
OSVDB-27644
MS06-063

MS06-063 Microsoft-Windows-Server-Service-SMB-Rename-Code-Execution

About this vulnerability: Remote code execution vulnerability in Microsoft Windows via a crafted SMB Rename request
Risk: Moderate
First detected in: sgpkg-ips-82-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003; Windows 2003 SP1
Software: <os>
Type: Malfunction
Description: There is a remote code execution vulnerability in the handling of crafted SMB Rename requests in Microsoft Windows. By successfully exploiting this vulnerability, an authenticated remote attacker can cause a DoS or execute arbitrary code with SYSTEM privileges.
Situation SMB-TCP_CHS-Microsoft-Windows-Server-Service-SMB-Rename-Code-Execution
Comment: Detects remote code execution exploits against Microsoft Windows via a crafted SMB Rename request
Description: Detects remote code execution exploits against Microsoft Windows via a crafted SMB Rename request. A successful exploitation requires valid user credentials and leads to a DoS or a root/system-level compromise.
References:
CVE-2006-4696
BID-20373
MS06-063

MS06-057 HTTP-Microsoft-Internet-Explorer-SetSlice-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-81-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation HTTP_SS-Microsoft-Internet-Explorer-SetSlice-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By persuading a target user to visit a crafted web page containing a setSlice method with a malformed first argument, a remote attacker can terminate the affected browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-3730
BID-19030
OSVDB-27110
MS06-057

MS06-055 HTTP-Microsoft-Internet-Explorer-VML-Rect-Fill-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-80-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation HTTP_Microsoft-Internet-Explorer-VML-Rect-Fill-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing an excessively long fill method inside a rect tag to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4868
BID-20096
OSVDB-28946
MS06-055

MS06-050 Microsoft-Excel-Crafted-Url-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Microsoft Excel
Risk: High
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-292-4219
Platform: Windows
Software: Microsoft Excel
Type: Buffer Overflow
Description: Microsoft Excel has a buffer overflow vulnerability in the handling of excessively long strings in link objects. The vulnerability can be exploited by persuading a user to open a specially crafted Excel file and to follow a malicious link, causing a DoS condition terminating all instances of the Microsoft Excel application, and potentially leading to a loss of data or arbitrary code execution with the privileges of the currently logged in user.
Situation HTTP_Microsoft-Excel-Crafted-Url-Buffer-Overflow
Comment: Detects malicious Microsoft Excel files with a crafted HLINK record
Description: Detects malicious Microsoft Excel files with a crafted link object. When the target user opens the file and clicks a crafted link, non-privileged code execution may occur.
Situation E-Mail_BS-Microsoft-Excel-Crafted-Url-Buffer-Overflow
Comment: Detects malicious Microsoft Excel files with a crafted HLINK record
Description: Detects malicious Microsoft Excel files with a crafted link object. When the target user opens the file and clicks a crafted link, non-privileged code execution may occur.
References:
CVE-2006-3086
BID-18500
OSVDB-26666
MS06-050

MS06-045 Windows-Explorer-HTA-CLSID-System-Compromise

About this vulnerability: Windows Explorer HTA CLSID system compromise vulnerability
Risk: Moderate
First detected in: sgpkg-ips-75-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003
Software: <os>
Type: Directory Traversal
Description: Windows Explorer suffers from a vulnerability where script files can be executed without security restrictions. Files whose extension is a CLSID defined in the Windows registry are recognized and executed with a specified program. In the case of HTA files with the CLSID {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}, mshta.exe is executed. If the filename contains URI-encoded directory traversal sequences, mshta.exe will normalize it and open a file in a different directory without security restrictions. This allows remote attackers to execute arbitrary code by enticing users to open a malicious file with Windows Explorer, possibly over WebDAV or SMB shares.
Situation HTTP_Windows-Explorer-HTA-CLSID-System-Compromise
Comment: Detects attempts to exploit the Windows Explorer HTA vulnerability over WebDAV
Description: Detects directory traversal sequences and a CLSID associated with HTA applications from HTTP traffic. A successful exploit allows arbitrary remote code execution, but requires the user to view a malicious folder with Windows Explorer.
Situation SMB-TCP_Windows-Explorer-HTA-CLSID-System-Compromise
Comment: Detects attempts to exploit the Windows Explorer HTA vulnerability over SMB
Description: Detects directory traversal sequences and a CLSID associated with HTA applications from SMB traffic. A successful exploit allows arbitrary remote code execution, but requires the user to view a malicious folder with Windows Explorer.
References:
CVE-2006-3281
BID-19389
MS06-045

MS06-044 HTTP-Microsoft-Management-Console-Cross-Site-Scripting

About this vulnerability: A vulnerability in Microsoft Management Console allows cross site scripting
Risk: High
First detected in: sgpkg-ips-91-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000 SP4
Software: <os>
Type: Cross-site Scripting
Description: There is a cross site scripting vulnerability in Microsoft Windows, which allows Microsoft Management Console components to be referenced from a web page. This can be used to execute code in the local zone, leading to system compromise.
Situation HTTP_Microsoft-Management-Console-Cross-Site-Scripting
Comment: An attempt to exploit a vulnerability in the Microsoft Management Console detected
Description: An attempt to exploit a cross site scripting vulnerability in the Microsoft Management Console was detected. The Microsoft Management Console is included in Microsoft Windows.
References:
CVE-2006-3643
BID-19417
MS06-044

MS06-043 HTTP-Microsoft-Internet-Explorer-MHTML-URI-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of excessively long MHTML URI strings in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-70-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: Internet Explorer has a buffer overflow vulnerability in the handling of excessively long MHTML URI strings. Exploitation of this vulnerability requires persuading a user running the vulnerable web browser to visit a crafted web page that contains an excessively long MHTML URI string as a link. When the malicious link is clicked by the target user, the vulnerability is triggered and the vulnerable browser is terminated.
Situation HTTP_Microsoft-Internet-Explorer-MHTML-URI-Buffer-Overflow
Comment: Detects MHTML URI buffer overflow exploits against Internet Explorer
Description: Detects MHTML URI buffer overflow exploits against Internet Explorer. A successful exploitation leads to a termination of the vulnerable web browser.
References:
CVE-2006-2766
BID-18198
OSVDB-25949
MS06-043

MS06-042 HTTP-Internet-Explorer-DirectAnimation.DATuple-Com-Object-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-79-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a memory corruption vulnerability in the handling of a reference to a certain COM object that is not an ActiveX component in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary code execution with the privileges of the currently logged in user.
Situation HTTP_Internet-Explorer-DirectAnimation.DATuple-Com-Object-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. Internet Explorer fails to correctly handle the initiation of a certain COM object that is not an ActiveX component. This allows an attacker to cause a DoS or execute arbitrary code with the privileges of the currently logged in user.
References:
CVE-2006-3638
BID-19340
OSVDB-27852
MS06-042

MS06-040 MSRPC-Microsoft-Windows-Server-Service-Buffer-Overrun

About this vulnerability: Buffer overflow vulnerability in Microsoft Server service
Risk: Critical
First detected in: sgpkg-ips-75-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Server service has a buffer overflow vulnerability. By sending specially crafted packets to an affected system a remote attacker can cause a denial of service condition or take complete control of the system.
Situation MSRPC-TCP_CPS-Microsoft-Windows-Server-Service-Buffer-Overrun
Comment: Buffer overflow exploit against Microsoft Server Service
Description: Detects buffer overflow exploits against Microsoft Server service. A successful exploitation may lead to a DoS or a root/system level compromise.
Situation MSRPC-TCP_CPS-Vulnerable-Microsoft-Windows-Server-Service-Function-Called
Comment: Vulnerable Microsoft Windows Server service function called
Description: Detects calls to a vulnerable Microsoft Windows Server service function. The function call with a crafted parameter can be used to compromise a vulnerable system but the function is also used in normal traffic.
References:
CVE-2006-3439
BID-19409
MS06-040

MS06-036 Microsoft-Windows-DHCP-Client-Service-Buffer-Overflow

About this vulnerability: A vulnerability in Microsoft Windows
Risk: High
First detected in: sgpkg-ips-140-2032
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the DHCP client component of Microsoft Windows. The flaw is caused by the improper processing of crafted DHCP response messages. A remote attacker may leverage this vulnerability by sending a crafted DHCP response to the affected service, resulting in the possible injection and execution of arbitrary code on the target system. Any injected code would be executed within the security context of the System user.
Situation Generic_UDP-Microsoft-Windows-DHCP-Client-Service-Buffer-Overflow
Comment: Detected an attempt to exploit a vulnerability in the Microsoft Windows DHCP client
Description: An attempt to exploit a vulnerability in the DHCP client component of Microsoft Windows was detected.
References:
CVE-2006-2372
BID-18923
OSVDB-27151
MS06-036

MS06-035 Microsoft-Windows-Mailslot-Heap-Overflow

About this vulnerability: Heap buffer overflow vulnerability in the Server driver of Microsoft Windows
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a heap-based buffer overflow vulnerability in the Server driver of Microsoft Windows. A successful exploit against this vulnerability leads to a denial of service or arbitrary code execution with the privileges of the System kernel.
Situation SMB-TCP_CHS-First-Class-Mailslot-Traffic-Detected
Comment: First-class Mailslot message detected
Description: First-class Mailslot traffic detected. The first-class Mailslot protocol is not officially supported by the vendor. Its usage can be considered suspicious and may indicate a possible attempt to exploit a heap-based buffer overflow vulnerability in the Server driver of Microsoft Windows.
References:
CVE-2006-1314
BID-18863
OSVDB-27154
MS06-035

MS06-034 Microsoft-IIS-Server-Crafted-Asp-Page-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of crafted ASP pages in IIS
Risk: Moderate
First detected in: sgpkg-ips-73-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: IIS
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the handling of crafted ASP pages in IIS. A remote attacker can exploit this vulnerability by uploading a crafted ASP page containing an excessively long include file parameter to the target host and then requesting it, which can enable arbitrary code execution with the privileges of the vulnerable web server.
Situation FTP_UL-Excessively-Long-Asp-Include-File-Argument
Comment: Detects an excessively long ASP include file argument
Description: Detects an excessively long ASP include file argument. When a malicious ASP file with a crafted file include directive is executed on the vulnerable web server, non-privileged code execution may take place on the target host.
Situation HTTP_Excessively-Long-Asp-Include-File-Argument
Comment: Detects an excessively long ASP include file argument
Description: Detects an excessively long ASP include file argument. When a malicious ASP file with a crafted file include directive is executed on the vulnerable web server, non-privileged code execution may take place on the target host.
References:
CVE-2006-0026
BID-18858
OSVDB-27152
MS06-034

MS06-033 HTTP-Microsoft-ASP.NET-Application-Folder-Information-Disclosure

About this vulnerability: Information disclosure vulnerability in Microsoft .NET Framework
Risk: Moderate
First detected in: sgpkg-ips-73-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Microsoft .NET Framework
Type: Malfunction
Description: There is an information disclosure vulnerability in Microsoft .NET Framework due to insufficient URL validation. A successful exploitation allows a remote attacker to gain unauthorized access to known files in the Application Code folder.
Situation HTTP_Microsoft-ASP.NET-Application-Folder-Information-Disclosure
Comment: Detects information disclosure exploits against Microsoft .NET Framework
Description: Detects information disclosure exploits against Microsoft .NET Framework.
References:
CVE-2006-1300
BID-18920
OSVDB-27153
MS06-033

MS06-029 Microsoft-Exchange-Server-Outlook-Web-Access-Script-Injection

About this vulnerability: Script code injection vulnerability in Microsoft Exchange Server
Risk: Moderate
First detected in: sgpkg-ips-72-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Exchange Server
Type: Code Injection
Description: Microsoft Exchange Server has a script code injection vulnerability. The vulnerability can be exploited by sending a crafted email message to the target server and persuading a target user to open the message using Outlook Web Access. When the vulnerability is triggered it leads to arbitrary script code execution in the security context of the client's browser.
Situation E-Mail_BS-Microsoft-Exchange-Server-Outlook-Web-Access-Script-Injection
Comment: Detects script code injection exploits against Microsoft Exchange Server
Description: Detects script code injection exploits against Microsoft Exchange Server. A successful exploitation leads to arbitrary script code execution with the privileges of the client's browser when a malicious message is viewed via Outlook Web Access.
References:
CVE-2006-1193
BID-18381
OSVDB-26441
MS06-029

MS06-025 MSRPC-Microsoft-Windows-RRAS-Memory-Corruption

About this vulnerability: Buffer overflow vulnerability in Microsoft RRAS service
Risk: Critical
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Routing and Remote Access service has a buffer overflow vulnerability in the handling of the ServiceRequest function. A parameter passed to the function is copied into a 16-byte buffer without sufficient boundary checking, allowing a malicious remote attacker to overrun the buffer and cause a DoS condition or execute arbitrary code with the privileges of the vulnerable service, normally SYSTEM.
Situation MSRPC-TCP_CPS-Microsoft-Windows-RRAS-Memory-Corruption
Comment: Detects buffer overflow exploits against Microsoft RRAS service
Description: This fingerprint detects buffer overflow exploits against Microsoft RRAS service. A successful exploitation may lead to a DoS or a root/system level compromise.
Situation MSRPC-TCP_CPS-Microsoft-Windows-RRAS-Memory-Corruption-2
Comment: Detects buffer overflow exploits against Microsoft RRAS service
Description: This fingerprint detects buffer overflow exploits against Microsoft RRAS service. A successful exploitation may lead to a DoS or a root/system level compromise.
References:
CVE-2006-2370
BID-18325
OSVDB-26437
MS06-025

MS06-024 Microsoft-Windows-Media-Player-PNG-Image-Parsing-Buffer-Overflow

About this vulnerability: PNG image parsing buffer overflow in Microsoft Windows Media Player
Risk: High
First detected in: sgpkg-ips-69-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows XP; Windows 2003
Software: Windows Media Player
Type: Buffer Overflow
Description: Microsoft Windows Media Player has a vulnerability in the processing of the ancillary chunks in PNG images. The program does not check the size of the chunk data before the data is copied into a fixed size buffer. A remote attacker is able to exploit this vulnerability to execute arbitrary code on the victim machine.
Situation HTTP_PNG-Image-With-Large-Data-Length-Value
Comment: PNG image with large data length value in image chunk
Description: Detects a PNG image with a large data length value in an image chunk. This is a possible buffer overflow attack.
Situation E-Mail_BS-PNG-Image-With-Large-Data-Length-Value
Comment: PNG image with large data length value in image chunk
Description: Detects a PNG image with a large data length value in an image chunk. This is a possible buffer overflow attack.
References:
CVE-2006-0025
BID-18385
OSVDB-26430
MS06-024

MS06-021 HTTP-Internet-Explorer-Com-Object-Instantiation-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a heap memory corruption vulnerability in Internet Explorer. By persuading a target user to visit a malicious web site, a remote attacker can cause a DoS or execute non-privileged arbitrary code on the target host.
Situation HTTP_Internet-Explorer-Com-Object-Instantiation-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. A successful exploit leads to a denial of service condition terminating the affected browser or arbitrary code execution with the privileges of the currently logged in user.
References:
CVE-2006-1303
BID-18328
OSVDB-26442
MS06-021

MS06-021 HTTP-Internet-Explorer-Nested-Object-Tag-Memory-Corruption

About this vulnerability: Internet Explorer nested OBJECT tag handling vulnerability
Risk: High
First detected in: sgpkg-ips-65-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer 5.0; Internet Explorer 5.5; Internet Explorer 6.0
Type: Malfunction
Description: Microsoft Internet Explorer has a vulnerability in the handling of nested OBJECT tags. 32 nested OBJECT elements which do not result in the creation of valid objects cause memory corruption, which may allow the execution of arbitrary code with the currently logged in user's privileges. Victims need to be tricked into viewing a malicious HTML page to exploit this vulnerability.
Situation HTTP_Internet-Explorer-Nested-Object-Tag-Memory-Corruption
Comment: Detects HTML pages with multiple nested OBJECT tags, possible Internet Explorer exploit
Description: Detects HTML pages containing 10 or more nested OBJECT tags. Certain versions of Internet Explorer do not handle such pages correctly, resulting in memory corruption when they are viewed. There exists a theoretical use for nested OBJECT tags, as browsers should parse and instantiate any OBJECT tags present inside an unrecognized OBJECT tag to provide a fallback mechanism. This feature is not widely used, but could generate false positives if the fallback chain is 10 objects deep.
References:
CVE-2006-1992
BID-17658
OSVDB-27475
MS06-021

MS06-019 Microsoft-Exchange-Calendar-Code-Execution

About this vulnerability: Microsoft Exchange Calendar Code Execution
Risk: Moderate
First detected in: sgpkg-ips-86-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Exchange Server 2000; Exchange Server 2003
Type: Buffer Overflow
Description: Microsoft Exchange Server 2000 and 2003 can be remotely compromised via a malformed calendar object.
Situation IMAP_Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
Situation IMAP_Microsoft-Exchange-Server-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
Situation POP3_CS-Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
Situation POP3_SS-Microsoft-Exchange-Server-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
Situation E-Mail_BS-Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
References:
CVE-2006-0027
BID-17908
OSVDB-25338
MS06-019

MS06-018 Generic-MSDTC-BuildContextW-Denial-Of-Service

About this vulnerability: Denial of service vulnerability in Microsoft DTC BuildContextW method (MS06-018)
Risk: Moderate
First detected in: sgpkg-ips-66-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Windows Distributed Transaction Coordinator (MSDTC) suffers from a denial of service vulnerability. Remote attackers can cause the MSDTC service to crash by binding to the MSDTC RPC service and sending a malicious request to the BuildContextW method. This vulnerability is similar to the one patched in MS05-051, but does not allow remote code execution.
Situation Generic_MSDTC-BuildContextW-Denial-Of-Service
Comment: Detects denial of service attacks against Microsoft Distributed Transaction Coordinator
Description: This fingerprint detects denial of service attacks against Microsoft Distributed Transaction Coordinator. An RPC request to the BuildContextW method that contains input data with a size between 0x7D0 and 0x1000 bytes can crash the MSDTC service.
Situation MSRPC-TCP_CPS-PnP-MSDTC-BuildContextW-Denial-Of-Service
Comment: Denial of service exploit against Microsoft MSDTC BuildContextW function
Description: Detects requests to MSDTC BuildContextW function that contain a large UuidString or GuidIn string. A successful attack allows remote attackers to cause a denial of service by crashing the vulnerable system.
References:
CVE-2006-1184
BID-17905
OSVDB-25336
MS06-018

MS06-017 HTTP-Microsoft-FrontPage-Server-Extensions-Cross-Site-Scripting

About this vulnerability: Cross site scripting vulnerability in Microsoft FrontPage Server Extensions
Risk: Moderate
First detected in: sgpkg-ips-64-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: FrontPage Server Extensions
Type: Cross-site Scripting
Description: The dynamically linked library fpadmdll.dll in Microsoft FrontPage Server Extensions fails to validate the value given in the 'operation' parameter. A remote attacker is able to inject arbitrary HTML or script code into the value of the parameter and use that code to execute cross site scripting attacks in the browsers of other users.
Situation HTTP_CRL-Microsoft-FrontPage-Server-Extensions-Cross-Site-Scripting
Comment: Exploit against cross site scripting vulnerability in Microsoft FrontPage Server Extensions
Description: Detects exploit against cross site scripting vulnerability in Microsoft FrontPage Server Extensions.
References:
CVE-2006-0015
BID-17452
MS06-017

MS06-014 RDS.Dataspace-ActiveX-Control-Remote-Code-Execution

About this vulnerability: There is a code execution vulnerability in RDS.Dataspace ActiveX Control
Risk: High
First detected in: sgpkg-ips-97-1314
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Microsoft Data Access Components
Type: Malfunction
Description: There is a remote code execution vulnerability in RDS.Dataspace ActiveX control included in the Microsoft Data Access Components (MDAC).
Situation HTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
Situation HTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-2
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected. This situation detects additional variations of the attack.
Situation HTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-3
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
References:
CVE-2006-0003
BID-17462
OSVDB-24517
MS06-014

MS06-013 HTTP-Internet-Explorer-CreateTextRange-Vulnerability

About this vulnerability: Internet Explorer createTextRange vulnerability
Risk: High
First detected in: sgpkg-ips-62-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Internet Explorer 5.0; Internet Explorer 5.5; Internet Explorer 6.0
Type: Malfunction
Description: Microsoft Internet Explorer has a vulnerability in the handling of the createTextRange method. According to documentation, the checkbox, image and radio buttons of an INPUT element do not have the createTextRange method. However, if the method is used by an HTML page, Internet Explorer erroneously attempts to call the method. This may allow arbitrary remote code execution with the current user's privileges via a specially crafted HTML page.
Situation HTTP_Internet-Explorer-CreateTextRange-Vulnerability
Comment: Detects Microsoft Internet Explorer createTextRange exploits
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
Situation HTTP_SS-Internet-Explorer-CreateTextRange-Vulnerability-2
Comment: Detected attempt to exploit Microsoft Internet Explorer createTextRange vulnerability
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
References:
CVE-2006-1359
BID-17196
OSVDB-24050
MS06-013

MS06-006 HTTP-Windows-Media-Player-Plugin-Embed-Src-Buffer-Overflow

About this vulnerability: Windows Media Player Plug-in long SRC in HTML embed tag buffer overflow (MS06-005)
Risk: High
First detected in: sgpkg-ips-60-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Windows Media Player
Type: Buffer Overflow
Description: Windows Media Player provides a plug-in to be used with web browsers for viewing content that Media Player can display. Resources requiring plug-ins can be embedded into HTML pages via an "embed" HTML tag. The Windows Media Player plug-in suffers from a vulnerability where a long SRC value in an embed tag will cause a buffer overflow and allow arbitrary code execution.
Situation HTTP_Windows-Media-Player-Plugin-Embed-Src-Buffer-Overflow
Comment: Exploit against Windows Media Player via a long SRC field in a HTML embed tag (MS06-006)
Description: Detects HTML embed tags containing an SRC field of over 1000 bytes. Such embed tags can overflow a buffer in the Windows Media Player browser plug-in, allowing remote attackers to execute arbitrary code on vulnerable systems viewing a malicious HTML page.
References:
CVE-2006-0005
BID-16644
MS06-006

MS06-005 BMP-Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow

About this vulnerability: BMP header parsing vulnerability in Windows Media Player (MS06-005)
Risk: High
First detected in: sgpkg-ips-59-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Windows Media Player
Type: Buffer Overflow
Description: Windows Media Player does not parse BMP files correctly. A BMP header with a DataOffset value lower than 0x0e will cause an integer underflow and a buffer overflow, allowing arbitrary code execution.
Situation HTTP_Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow
Comment: Exploit against Windows Media Player via malformed BMP header (MS06-005)
Description: This fingerprint detects exploits against a buffer overflow vulnerability in Windows Media Player's BMP handling functionality.
Situation E-Mail_BS-Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow
Comment: Exploit against Windows Media Player via malformed BMP header (MS06-005)
Description: This fingerprint detects exploits against a buffer overflow vulnerability in Windows Media Player's BMP handling functionality.
References:
CVE-2006-0006
BID-16633
MS06-005

MS06-004 WMF-Microsoft-Windows-WMF-Header-Filesize-Buffer-Overflow

About this vulnerability: WMF header parsing vulnerability in Microsoft Windows
Risk: High
First detected in: sgpkg-ips-61-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows 2000; Windows ME
Software: <os>
Type: Buffer Overflow
Description: Certain versions of Microsoft Windows contain a component that does not parse placeable WMF images correctly. A placeable WMF image with the FileSize value in the header set in the range 0x00000000-0x00000008 or 0x80000000-0x80000008 triggers an integer underflow, which later leads to a buffer overflow. Arbitrary remote code execution is possible via a successful exploit. Internet Explorer uses the vulnerable component to parse WMF images, which allows malicious web pages to easily exploit visitors using the browser.
Situation HTTP_WMF-Microsoft-Windows-WMF-Header-Filesize-Buffer-Overflow
Comment: Detects malformed placeable WMF images with an illegal FileSize value in header (MS06-004)
Description: Detects placeable WMF images with the header's FileSize value set to 0x00000000-0x00000008 or 0x80000000-0x80000008. These are possible buffer overflow exploits against a parsing vulnerability in Windows mshtml.dll (MS06-004).
References:
CVE-2006-0020
BID-16516
OSVDB-22976
MS06-004

MS06-003 Microsoft-Exchange-And-Outlook-TNEF-Decoding-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the TNEF decoding in Microsoft Exchange and Outlook
Risk: High
First detected in: sgpkg-ips-54-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: Exchange Server 5.0; Exchange Server 5.5; Exchange Server 2000; Microsoft Outlook
Type: Buffer Overflow
Description: Microsoft Exchange Server and Microsoft Outlook have a buffer overflow vulnerability in the handling of TNEF encoded messages. When a TNEF object record with a large size value is processed by these products, an integer overflow can occur. A remote attacker is able to exploit this vulnerability via a specially crafted email to execute arbitrary code on the victim machine.
Situation E-Mail_BS-Microsoft-Exchange-And-Outlook-TNEF-Decoding-Buffer-Overflow
Comment: Buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability
Description: Detects buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability.
Situation E-Mail_HCS-Microsoft-Exchange-And-Outlook-TNEF-Encoding
Comment: Detects usage of TNEF encoding in SMTP
Description: Detects if TNEF (Transport Neutral Encapsulation Format) encoding is used in SMTP.
References:
CVE-2006-0002
BID-16197
MS06-003

MS06-002 Microsoft-Embedded-Web-Font-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the Microsoft Windows embedded web font handling
Risk: High
First detected in: sgpkg-ips-54-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: A buffer overflow vulnerability exists in the Microsoft Windows embedded web font handling component. The data of the embedded font is defined in an EOT (Embedded Open Type) file. A remote attacker is able to create a malicious EOT file which is referred to by an HTML document. If the user views the document, the malicious EOT file is downloaded and processed on the victim host. This allows the attacker to execute arbitrary code on the victim machine.
Situation HTTP_Microsoft-Embedded-Font-EOT-File-Reference
Comment: Reference to EOT file in embedded font definition
Description: Detects reference to EOT (Embedded Open Type) file in embedded font definition in HTML document.
Situation E-Mail_BS-Microsoft-Embedded-Font-EOT-File-Reference
Comment: Reference to EOT file in embedded font definition
Description: Detects reference to EOT (Embedded Open Type) file in embedded font definition.
References:
CVE-2006-0010
BID-16194
OSVDB-18829
MS06-002

MS06-001 WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution

About this vulnerability: Windows Graphics Render Engine arbitrary code execution vulnerability
Risk: Critical
First detected in: sgpkg-ips-50-1210
Last changed: sgpkg-ips-273-4219
Platform: Windows
Software: <os>
Type: Malfunction
Description: Microsoft Windows Graphics Render Engine has a buffer overflow vulnerability in the code rendering WMF (Windows Metafile Format) images. The vulnerability allows arbitrary code execution when a malicious WMF file is opened with the vulnerable Windows component.
Situation FTP_DL-WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files
Description: This fingerprint detects malicious WMF files transferred via FTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
Situation FTP_DL-WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files
Description: This fingerprint detects malicious Metasploit-made WMF files transferred via FTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
Situation HTTP_WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
Situation HTTP_WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious Metasploit-made WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
Situation E-Mail_BS-WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files
Description: This fingerprint detects malicious WMF files transferred via SMTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
Situation E-Mail_BS-WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files
Description: This fingerprint detects malicious Metasploit-made WMF files transferred via SMTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
References:
CVE-2005-4560
BID-16074
MS06-001

MS06-064 Windows_Xp_2003_Land_Attack_DoS

About this vulnerability: Windows XP and 2003 land attack Denial of Service
Risk: Low
First detected in: sgpkg-ips-253-3038
Last changed: sgpkg-ips-273-4219
Platform: Windows XP SP2; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: Windows XP SP2 and Windows 2003 suffer from a denial of service vulnerability when receiving spoofed SYN packets from their own address.
Situation DOS_LAND
Comment: Targa2 DoS: land attack
Description: Detected a Denial-of-Service attack from the Targa2 attack set. A land attack sends a TCP SYN with the source IP address set to the same address as the target IP address. Because the source IP address is spoofed to be the same as the destination IP address, it is typically not possible to identify the source of the attack from the log event. Risk analysis: Risk level is medium.
References:
CVE-2005-0688
MS06-064
MS05-019