
Microsoft Vulnerabilities and Situations for 2006 in sgpkg-ips-578-5211

Vulnerabilities

MS06-078 HTTP-Microsoft-Windows-Media-Player-ASX-Playlist-Parsing-Buffer-Overflow

About this vulnerability: Microsoft Windows Media Player suffers a buffer overflow in playlist parsing
Risk: Moderate
First detected in: sgpkg-ips-89-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows 2000; Windows XP; Windows 2003
Software: Windows Media Player
Type: Buffer Overflow
Description: There is a buffer overflow in the way Microsoft Windows Media Player handles references to unregistered protocols in playlists.
Situation: HTTP_Microsoft-Windows-Media-Player-ASX-Playlist-Parsing-Buffer-Overflow
Comment: Detects exploit attempts against the playlist handling of Microsoft Windows Media Player.
Description: Detects attempts to exploit a buffer overflow vulnerability in Microsoft Windows Media Player. The vulnerability lies in the way Windows Media Player handles unregistered protocol identifiers in playlists.
Situation: File-TextId_Microsoft-Windows-Media-Player-ASX-Playlist-Parsing-Buffer-Overflow
Comment: Detects exploit attempts against the playlist handling of Microsoft Windows Media Player.
Description: Detects attempts to exploit a buffer overflow vulnerability in Microsoft Windows Media Player. The vulnerability lies in the way Windows Media Player handles unregistered protocol identifiers in playlists.
References:
CVE-2006-6134
BID-21247
MS06-078

MS06-077 TFTP-Microsoft-RIS-TFTP-Service-Write-Access-Vulnerability

About this vulnerability: RIS TFTP Service allows anonymous remote write access by default
Risk: High
First detected in: sgpkg-ips-87-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Microsoft RIS TFTP Server
Type: Insecure Configuration
Description: There is a file overwrite vulnerability in the Microsoft Windows Remote Installation Service. The Remote Installation Service (RIS) includes a TFTP server that is configured by default to allow anonymous users to update and overwrite files. This vulnerability allows an attacker to compromise operating system installs offered by the RIS server.
Situation: TFTP_Microsoft-RIS-TFTP-Write-Access
Comment: TFTP System File Write Access
Description: A TFTP system file write attempt has been detected. The Microsoft Windows Remote Installation Service has a TFTP service that allows unauthenticated remote users to write and modify system files that are distributed via RIS to remote clients. This allows the remote attacker to compromise the client systems.
References:
CVE-2006-5584
BID-21495
MS06-077

MS06-074 SNMP-Microsoft-SNMP-Service-Buffer-Overflow

About this vulnerability: Microsoft SNMP Service suffers a buffer overflow
Risk: Moderate
First detected in: sgpkg-ips-87-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a remote code execution vulnerability in the Microsoft SNMP service. The vulnerability is caused by insufficient validation of certain parameters of the SNMP request.
Situation: SNMP-UDP_Microsoft-SNMP-Service-Buffer-Overflow
Comment: Microsoft SNMP Service Buffer Overflow
Description: Detects attempts to exploit a buffer overflow in the Microsoft SNMP service.
Situation: SNMP-UDP_GetBulkRequest-With-Nonzero-Nonrepeaters-And-Maxrepeaters-Values
Comment: Potential exploit against the Microsoft SNMP Service Buffer Overflow
Description: Detects getBulkRequest SNMP packets with non-zero non-repeaters and max-repeaters values. These values may also be present in normal traffic, but can be an attempt to exploit a buffer overflow in the Microsoft SNMP Service.
Situation: SNMP-UDP_GetBulkRequest-With-Nonzero-Nonrepeaters-And-Large-Maxrepeaters-Value
Comment: Potential exploit against the Microsoft SNMP Service Buffer Overflow
Description: Detects getBulkRequest SNMP packets with a non-zero non-repeaters value and an excessively large max-repeaters value. These packets can be used to cause a buffer overflow in the Microsoft SNMP Service.
References:
CVE-2006-5583
BID-21537
MS06-074

MS06-073 HTTP-Microsoft-Visual-Studio-WMI-Object-Broker-ActiveX-Code-Execution

About this vulnerability: Access control vulnerability in Microsoft Visual Studio 2005
Risk: Moderate
First detected in: sgpkg-ips-84-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Microsoft Visual Studio 2005
Type: Malfunction
Description: There is an access control vulnerability in Microsoft Visual Studio 2005. The vulnerability can be exploited by persuading a target user to view a malicious HTML page. This allows non-privileged code execution.
Situation: HTTP_Microsoft-Visual-Studio-WMI-Object-Broker-ActiveX-Control-Usage
Comment: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious
Description: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious. A remote attacker can persuade a target user to visit a crafted web page containing script code that calls the CreateObject function of the affected ActiveX Control. A successful exploitation allows code execution with the privileges of the currently logged in user.
Situation: File-Text_Microsoft-Visual-Studio-WMI-Object-Broker-ActiveX-Control-Usage
Comment: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious
Description: Detects WMI Object Broker ActiveX Control usage that can be considered suspicious. A remote attacker can persuade a target user to visit a crafted web page containing script code that calls the CreateObject function of the affected ActiveX Control. A successful exploitation allows code execution with the privileges of the currently logged in user.
References:
CVE-2006-4704
BID-20843
MS06-073

MS06-071 HTTP-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Exectution

About this vulnerability: A vulnerability in Microsoft XML Core Services allows code execution
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-518-5211
Platform: Generic
Software: Microsoft XML Core Services
Type: Malfunction
Description: There is a vulnerability in the Microsoft XML Core Services (XMLHTTP) ActiveX component. A malicious HTML page can be used to execute code in the context of the local user.
Situation: HTTP_SS-Microsoft-Xml-Core-Services-ActiveX-Control-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft XML Core Services detected
Description: An attempt to exploit a vulnerability in the Microsoft XML Core Services (XMLHTTP) MHTML protocol handler of Microsoft Internet Explorer was detected. This can lead to code execution in the context of the local user.
Situation: File-Text_Microsoft-Xml-Core-Services-ActiveX-Control-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft XML Core Services detected
Description: An attempt to exploit a vulnerability in the Microsoft XML Core Services (XMLHTTP) MHTML protocol handler of Microsoft Internet Explorer was detected. This can lead to code execution in the context of the local user.
References:
CVE-2006-5745
BID-20915
MS06-071

MS06-071 Microsoft-XMLHTTP-ActiveX-Control-Code-Execution

About this vulnerability: Code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services
Risk: High
First detected in: sgpkg-ips-173-2032
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Microsoft XML Core Services
Type: Malfunction
Description: There is a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services. A remote attacker can exploit the vulnerability by enticing a user to visit a malicious web page with a vulnerable version of the affected product installed to execute non-privileged arbitrary code on the user's system.
Situation: HTTP_SS-Microsoft-XMLHTTP-ActiveX-Control-Code-Execution
Comment: Attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services detected
Description: An attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services was detected. A successful exploit allows remote attackers to execute non-privileged arbitrary code on the vulnerable system.
Situation: File-Text_Microsoft-XMLHTTP-ActiveX-Control-Code-Execution
Comment: Attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services detected
Description: An attempt to exploit a code execution vulnerability in the XMLHTTP ActiveX Control included with Microsoft XML Core Services was detected. A successful exploit allows remote attackers to execute non-privileged arbitrary code on the vulnerable system.
References:
CVE-2006-5745
BID-20915
MS06-071

MS06-070 MSRPC-Workstation-Service-Account-Name-Buffer-Overflow

About this vulnerability: MSRPC Workstation Service Account Name Buffer Overflow detected
Risk: Moderate
First detected in: sgpkg-ips-507-5211
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000; Windows XP
Software: <os>
Type: Buffer Overflow
Description: There is a remote code execution vulnerability in the Microsoft Windows Workstation service. The vulnerability is caused by the incorrect processing of long arguments in specially crafted RPC calls. A remote attacker may exploit this vulnerability to cause a denial of service condition or inject and execute arbitrary code on the vulnerable system within the security context of the affected service, which is normally System.
References:
CVE-2006-4691
BID-20985
MS06-070

MS06-070 MSRPC-Workstation-Service-Buffer-Overflow-MS06-070

About this vulnerability: MSRPC Workstation Service Buffer Overflow MS06-070
Risk: High
First detected in: sgpkg-ips-84-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows 2000; Windows XP
Software: <os>
Type: Buffer Overflow
Description: There is a remote code execution vulnerability in the Microsoft Windows Workstation service. The vulnerability is caused by the incorrect processing of long arguments in specially crafted RPC calls. A remote attacker may exploit this vulnerability to cause a denial of service condition or inject and execute arbitrary code on the vulnerable system within the security context of the affected service, which is normally System.
Situation: MSRPC-TCP_CPS-Microsoft-Windows-Workstation-Service-BOF-MS06-070-2
Comment: Detected exploit on NetrJoinDomain Account Name
Description: An attempt to exploit a buffer overflow vulnerability (MS06-070) in the workstation service has been detected. A successful exploit allows the remote attacker to execute arbitrary code using system privileges.
Situation: MSRPC-TCP_CPS-Microsoft-Windows-Workstation-Service-BOF-MS06-070
Comment: Detected exploit on MS06-070
Description: An attempt to exploit a buffer overflow vulnerability (MS06-070) in the workstation service has been detected. A successful exploit allows the remote attacker to execute arbitrary code using system privileges.
References:
CVE-2006-4691
BID-20985
MS06-070

MS06-069 Microsoft-Excel-Embedded-Shockwave-Flash-Object-Code-Execution

About this vulnerability: Flash based code execution vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Microsoft Excel
Type: Malfunction
Description: Microsoft Excel has a Flash-based code execution vulnerability. The vulnerability can be exploited by persuading a user to open a specially crafted Excel file containing an embedded Shockwave Flash Object, leading to arbitrary script code execution.
Situation: HTTP_Microsoft-Excel-Embedded-Flash-Object-JavaScript-Code-Execution
Comment: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file
Description: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file.
Situation: E-Mail_BS-Microsoft-Excel-Embedded-Flash-Object-JavaScript-Code-Execution
Comment: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file
Description: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file.
Situation: File-OLE_Microsoft-Excel-Embedded-Flash-Object-JavaScript-Code-Execution
Comment: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file
Description: Detects JavaScript code execution attempts via a Flash object in a crafted Excel file.
References:
CVE-2006-3014
BID-18583
MS06-069

MS06-067 HTTP-Internet-Explorer-Daxctle.ocx-KeyFrame-Method-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-80-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a memory corruption vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation: HTTP_SS-Internet-Explorer-Daxctle.ocx-KeyFrame-Method-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. By delivering a crafted web page containing a KeyFrame function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
Situation: File-Text_Internet-Explorer-Daxctle.ocx-KeyFrame-Method-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. By delivering a crafted web page containing a KeyFrame function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4777
BID-19738
OSVDB-28842
MS06-067

MS06-067 HTTP-Microsoft-Internet-Explorer-Daxctle.ocx-Spline-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of the Spline method in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-79-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the handling of the Spline method in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation: HTTP_Microsoft-Internet-Explorer-Daxctle.ocx-Spline-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing a Spline function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
Situation: File-Text_Microsoft-Internet-Explorer-Daxctle.ocx-Spline-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing a Spline function call with a malicious first argument to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4446
BID-19738
OSVDB-28841
MS06-067

MS06-067 HTTP-WinZip-FileView-ActiveX-Control-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in WinZip
Risk: High
First detected in: sgpkg-ips-85-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: WinZip
Type: Buffer Overflow
Description: WinZip has a stack-based buffer overflow vulnerability. A target user with a vulnerable version of the affected product can be persuaded to visit a malicious web page containing an excessively long value assigned to the FilePattern property of the FileView object. This leads to a DoS or code execution with the privileges of the currently logged in user.
Situation: HTTP_WinZip-FileView-ActiveX-Control-Buffer-Overflow
Comment: Detects buffer overflow exploits against the WinZip FileView ActiveX control
Description: Detects buffer overflow exploits against the WinZip FileView ActiveX control. A successful exploitation causes a DoS terminating the vulnerable product or allows non-privileged code execution.
Situation: File-Text_WinZip-FileView-ActiveX-Control-Buffer-Overflow
Comment: Detects buffer overflow exploits against the WinZip FileView ActiveX control
Description: Detects buffer overflow exploits against the WinZip FileView ActiveX control. A successful exploitation causes a DoS terminating the vulnerable product or allows non-privileged code execution.
References:
CVE-2006-5198
BID-21060
OSVDB-30433
MS06-067

MS06-066 MSRPC-Microsoft-Client-Service-For-NetWare-Memory-Corruption

About this vulnerability: Buffer overflow vulnerability in the Microsoft Client Service for NetWare
Risk: Critical
First detected in: sgpkg-ips-85-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Client Service for NetWare has a stack-based buffer overflow vulnerability. By sending a malformed RPC request to an affected system, a remote attacker can cause a DoS or execute arbitrary code with the privileges of the vulnerable service, normally System.
Situation: MSRPC-TCP_CPS-Microsoft-Client-Service-For-NetWare-Memory-Corruption
Comment: Buffer overflow exploit against the Microsoft Client Service for NetWare
Description: Detects buffer overflow exploits against the Microsoft Client Service for NetWare. A successful exploitation may lead to a DoS or a root/system level compromise.
References:
CVE-2006-4688
BID-20984
OSVDB-30260
MS06-066

MS06-064 Windows_Xp_2003_Land_Attack_DoS

About this vulnerability: Windows XP and 2003 land attack Denial of Service
Risk: Low
First detected in: sgpkg-ips-253-3038
Last changed: sgpkg-ips-545-5211
Platform: Windows XP SP2; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: Windows XP SP2 and Windows 2003 suffer from a denial of service vulnerability when receiving spoofed SYN packets from their own address.
Situation: DOS_LAND
Comment: Targa2 DoS: land attack
Description: Detected a Denial-of-Service attack from the Targa2 attack set. A land attack sends a TCP SYN with the source IP address set to the same address as the target IP address. Because the source IP address is spoofed to be the same as the destination IP address, it is typically not possible to identify the source of the attack from the log event. Note: This situation is generated from an invalid packet, so all matching constraints other than the situation id are ignored. Also please note that this situation must be correlated in the log server context. Risk analysis: Risk level is medium.
References:
CVE-2005-0688
MS06-064
MS05-019

MS06-063 Microsoft-Windows-Server-Driver-Crafted-SMB-Packet-DoS

About this vulnerability: Denial of service vulnerability in the handling of crafted SMB packets in Microsoft Windows
Risk: Moderate
First detected in: sgpkg-ips-77-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003 SP0; Windows 2003 SP1
Software: <os>
Type: Malfunction
Description: There is a denial of service vulnerability in the handling of crafted SMB packets in Microsoft Windows due to NULL pointer dereference error in the server driver.
Situation: SMB-TCP_Microsoft-Windows-Server-Crafted-SMB-Packet
Comment: Detects possible DOS against Microsoft Windows via a crafted SMB packet
Description: Detects possible denial of service exploits against Microsoft Windows via a crafted SMB packet. This situation is known to generate false positives.
Situation: SMB-TCP_Microsoft-Windows-Server-Crafted-SMB-Packet-DOS
Comment: Detects possible DOS against Microsoft Windows via a crafted SMB packet
Description: Detects possible denial of service exploits against Microsoft Windows via a crafted SMB packet.
References:
CVE-2006-3942
BID-19215
OSVDB-27644
MS06-063

MS06-063 Microsoft-Windows-Server-Service-SMB-Rename-Code-Execution

About this vulnerability: Detects remote code execution exploits against Microsoft Windows via a crafted SMB Rename request
Risk: Moderate
First detected in: sgpkg-ips-82-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003; Windows 2003 SP1
Software: <os>
Type: Malfunction
Description: There is a remote code execution vulnerability in the handling of crafted SMB Rename requests in Microsoft Windows. By successfully exploiting this vulnerability, an authenticated remote attacker can cause a DoS or execute arbitrary code with SYSTEM privileges.
Situation: SMB-TCP_CHS-Microsoft-Windows-Server-Service-SMB-Rename-Code-Execution
Comment: Detects remote code execution exploits against Microsoft Windows via a crafted SMB Rename request
Description: Detects remote code execution exploits against Microsoft Windows via a crafted SMB Rename request. A successful exploitation requires valid user credentials and leads to a DoS or a root/system-level compromise.
References:
CVE-2006-4696
BID-20373
MS06-063

MS06-059 Microsoft-Excel-Colinfo-Record-Buffer-Overflow

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-415-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office; Microsoft Works
Type: Buffer Overflow
Description: There exists a buffer overflow vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing COLINFO Records in the Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate or the application will stop responding. This can potentially lead to a loss of data. In a more sophisticated attack, where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
Situation: File-OLE_Microsoft-Excel-Colinfo-Record-Buffer-Overflow
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a buffer overflow vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing COLINFO Records in the Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate or the application will stop responding. This can potentially lead to a loss of data. In a more sophisticated attack, where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-3875
BID-20391
MS06-059

MS06-059 Microsoft-Excel-For-Asian-Languages-Style-Handling-Buffer-Overflow

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-414-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office
Type: Buffer Overflow
Description: There exists a buffer overflow vulnerability in numerous versions of Microsoft Excel. The flaw is caused by insufficient checks when handling the Style record of the document, resulting in a stack buffer overflow. An attacker can leverage this vulnerability by enticing a user to open a crafted Excel Spreadsheet document, thereby injecting and executing arbitrary code. The vendor has released an updated security bulletin addressing this issue in the 2006 October patch release cycle. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate. This can potentially lead to loss of data in cases where spreadsheet documents are open. In a more sophisticated attack scenario where code injection is successful, the behaviour of the target host is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user. The affected application would also most likely stop functioning as a result of such an attack.
Situation: File-OLE_Microsoft-Excel-For-Asian-Languages-Style-Handling-Buffer-Overflow
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a buffer overflow vulnerability in numerous versions of Microsoft Excel. The flaw is caused by insufficient checks when handling the Style record of the document, resulting in a stack buffer overflow. An attacker can leverage this vulnerability by enticing a user to open a crafted Excel Spreadsheet document, thereby injecting and executing arbitrary code. The vendor has released an updated security bulletin addressing this issue in the 2006 October patch release cycle. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate. This can potentially lead to loss of data in cases where spreadsheet documents are open. In a more sophisticated attack scenario where code injection is successful, the behaviour of the target host is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user. The affected application would also most likely stop functioning as a result of such an attack.
References:
CVE-2006-3431
BID-18872
MS06-059

MS06-057 HTTP-Microsoft-Internet-Explorer-SetSlice-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-81-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation: HTTP_SS-Microsoft-Internet-Explorer-SetSlice-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By persuading a target user to visit a crafted web page containing a setSlice method with a malformed first argument, a remote attacker can terminate the affected browser or execute arbitrary code in the security context of the currently logged in user.
Situation: File-Text_Microsoft-Internet-Explorer-SetSlice-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By persuading a target user to visit a crafted web page containing a setSlice method with a malformed first argument, a remote attacker can terminate the affected browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-3730
BID-19030
OSVDB-27110
MS06-057

MS06-055 HTTP-Microsoft-Internet-Explorer-VML-Rect-Fill-Method-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Internet Explorer
Risk: High
First detected in: sgpkg-ips-80-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary non-privileged code execution on the victim's computer.
Situation: HTTP_SS-Microsoft-Internet-Explorer-VML-Rect-Fill-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing an excessively long fill method inside a rect tag to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
Situation: File-Text_Microsoft-Internet-Explorer-VML-Rect-Fill-Method-Buffer-Overflow
Comment: Detects buffer overflow exploits against Internet Explorer
Description: Detects buffer overflow exploits against Internet Explorer. By delivering a crafted web page containing an excessively long fill method inside a rect tag to the target user who opens it with the affected browser, a remote attacker can terminate the browser or execute arbitrary code in the security context of the currently logged in user.
References:
CVE-2006-4868
BID-20096
OSVDB-28946
MS06-055

MS06-050 Microsoft-Excel-Crafted-Url-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in Microsoft Excel
Risk: High
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Microsoft Excel
Type: Buffer Overflow
Description: Microsoft Excel has a buffer overflow vulnerability in the handling of excessively long strings in link objects. The vulnerability can be exploited by persuading a user to open a specially crafted Excel file and to follow a malicious link, causing a DoS condition terminating all instances of the Microsoft Excel application, and potentially leading to a loss of data or arbitrary code execution with the privileges of the currently logged in user.
Situation: HTTP_Microsoft-Excel-Crafted-Url-Buffer-Overflow
Comment: Detects malicious Microsoft Excel files with a crafted HLINK record
Description: Detects malicious Microsoft Excel files with a crafted link object. When the target user opens the file and clicks a crafted link, non-privileged code execution may occur.
Situation: E-Mail_BS-Microsoft-Excel-Crafted-Url-Buffer-Overflow
Comment: Detects malicious Microsoft Excel files with a crafted HLINK record
Description: Detects malicious Microsoft Excel files with a crafted link object. When the target user opens the file and clicks a crafted link, non-privileged code execution may occur.
Situation: File-OLE_Microsoft-Excel-Crafted-Url-Buffer-Overflow
Comment: Detects malicious Microsoft Excel files with a crafted HLINK record
Description: Detects malicious Microsoft Excel files with a crafted link object. When the target user opens the file and clicks a crafted link, non-privileged code execution may occur.
References:
CVE-2006-3086
BID-18500
OSVDB-26666
MS06-050

MS06-046 Microsoft-Internet-Explorer-Hhctrl.ocx-Image-Property-Heap-Corruption

About this vulnerability: A vulnerability in Microsoft Internet Explorer
Risk: High
First detected in: sgpkg-ips-368-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer 6.0
Type: Buffer Overflow
Description: There exists a heap memory corruption vulnerability in the Microsoft Internet Explorer browser. The flaw is caused by an improper check during processing of a specially crafted Image property of a specific HTML Help Control ActiveX Object. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. Upon an attack where code execution is unsuccessful, the affected browser will terminate. The behaviour of the host system after an attack attempt resulting in arbitrary code injection and its subsequent execution is dependent on the intention of the injected code. The injected code will be run in the security context of the currently logged in user.
Situation: HTTP_SS-Microsoft-Internet-Explorer-Hhctrl.ocx-Image-Property-Heap-Corruption
Comment: An attempt to exploit a vulnerability in Microsoft Internet Explorer detected
Description: There exists a heap memory corruption vulnerability in the Microsoft Internet Explorer browser. The flaw is caused by an improper check during processing of a specially crafted Image property of a specific HTML Help Control ActiveX Object. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. Upon an attack where code execution is unsuccessful, the affected browser will terminate. The behaviour of the host system after an attack attempt resulting in arbitrary code injection and its subsequent execution is dependent on the intention of the injected code. The injected code will be run in the security context of the currently logged in user.
Situation: File-Text_Microsoft-Internet-Explorer-Hhctrl.ocx-Image-Property-Heap-Corruption
Comment: An attempt to exploit a vulnerability in Microsoft Internet Explorer detected
Description: There exists a heap memory corruption vulnerability in the Microsoft Internet Explorer browser. The flaw is caused by an improper check during processing of a specially crafted Image property of a specific HTML Help Control ActiveX Object. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. Upon an attack where code execution is unsuccessful, the affected browser will terminate. The behaviour of the host system after an attack attempt resulting in arbitrary code injection and its subsequent execution is dependent on the intention of the injected code. The injected code will be run in the security context of the currently logged in user.
References:
CVE-2006-3357
BID-18769
OSVDB-26835
MS06-046

MS06-045 Windows-Explorer-HTA-CLSID-System-Compromise

About this vulnerability: Windows Explorer HTA CLSID system compromise vulnerability
Risk: Moderate
First detected in: sgpkg-ips-75-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000 SP4; Windows XP SP1; Windows XP SP2; Windows 2003
Software: <os>
Type: Directory Traversal
Description: Windows Explorer suffers from a vulnerability where script files can be executed without security restrictions. Files whose extension is a CLSID defined in Windows registry are recognized and executed with a specified program. In the case of HTA files with the CLSID {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} mshta.exe is executed. If the filename contains URI-encoded directory traversal sequences, mshta.exe will normalize it and open a file in a different directory without security restrictions. This allows remote attackers to execute arbitrary code by enticing users to open a malicious file with Windows Explorer, possibly over WebDAV or SMB shares.
Situation: HTTP_CSU-Windows-Explorer-HTA-CLSID-System-Compromise-2
Comment: Detects attempts to exploit the Windows Explorer HTA vulnerability over WebDAV
Description: Detects directory traversal sequences together with a CLSID associated with HTA applications in HTTP traffic. A successful exploit allows arbitrary remote code execution, but requires the user to view a malicious folder with Windows Explorer.
Situation: HTTP_CS-Windows-Explorer-HTA-CLSID-System-Compromise
Comment: Detects attempts to exploit the Windows Explorer HTA vulnerability over WebDAV
Description: Detects directory traversal sequences together with a CLSID associated with HTA applications in HTTP traffic. A successful exploit allows arbitrary remote code execution, but requires the user to view a malicious folder with Windows Explorer.
Situation: SMB-TCP_Windows-Explorer-HTA-CLSID-System-Compromise
Comment: Detects attempts to exploit the Windows Explorer HTA vulnerability over SMB
Description: Detects directory traversal sequences together with a CLSID associated with HTA applications in SMB traffic. A successful exploit allows arbitrary remote code execution, but requires the user to view a malicious folder with Windows Explorer.
References:
CVE-2006-3281
BID-19389
MS06-045

MS06-044 HTTP-Microsoft-Management-Console-Cross-Site-Scripting

About this vulnerability: A vulnerability in Microsoft Management Console allows cross site scripting
Risk: High
First detected in: sgpkg-ips-91-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows 2000 SP4
Software: <os>
Type: Cross-site Scripting
Description: There is a cross site scripting vulnerability in Microsoft Windows, which allows Microsoft Management Console components to be referenced from a web page. This can be used to execute code in the local zone, leading to system compromise.
Situation: HTTP_Microsoft-Management-Console-Cross-Site-Scripting
Comment: An attempt to exploit a vulnerability in the Microsoft Management Console detected
Description: An attempt to exploit a cross site scripting vulnerability in the Microsoft Management Console was detected. The Microsoft Management Console is included in Microsoft Windows.
Situation: File-Text_Microsoft-Management-Console-Cross-Site-Scripting
Comment: An attempt to exploit a vulnerability in the Microsoft Management Console detected
Description: An attempt to exploit a cross site scripting vulnerability in the Microsoft Management Console was detected. The Microsoft Management Console is included in Microsoft Windows.
References:
CVE-2006-3643
BID-19417
MS06-044

MS06-043 HTTP-Microsoft-Internet-Explorer-MHTML-URI-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of excessively long MHTML URI strings in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-70-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Buffer Overflow
Description: Internet Explorer has a buffer overflow vulnerability in the handling of excessively long MHTML URI strings. Exploitation of this vulnerability requires persuading a user running the vulnerable web browser to visit a crafted web page that contains an excessively long MHTML URI string as a link. When the malicious link is clicked by the target user, the vulnerability is triggered and the vulnerable browser is terminated.
Situation: HTTP_Microsoft-Internet-Explorer-MHTML-URI-Buffer-Overflow
Comment: Detects MHTML URI buffer overflow exploits against Internet Explorer
Description: Detects MHTML URI buffer overflow exploits against Internet Explorer. A successful exploitation leads to a termination of the vulnerable web browser.
Situation: File-Text_Microsoft-Internet-Explorer-MHTML-URI-Buffer-Overflow
Comment: Detects MHTML URI buffer overflow exploits against Internet Explorer
Description: Detects MHTML URI buffer overflow exploits against Internet Explorer. A successful exploitation leads to a termination of the vulnerable web browser.
References:
CVE-2006-2766
BID-18198
OSVDB-25949
MS06-043

MS06-042 HTTP-Internet-Explorer-DirectAnimation.DATuple-Com-Object-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-79-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a memory corruption vulnerability in the handling of a reference to a certain COM object that is not an ActiveX component in Internet Explorer. The vulnerability can be exploited by persuading a target user to view a malicious HTML page with a vulnerable browser. This causes a DoS or arbitrary code execution with the privileges of the currently logged in user.
Situation: HTTP_Internet-Explorer-DirectAnimation.DATuple-Com-Object-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. Internet Explorer fails to correctly handle the initiation of a certain COM object that is not an ActiveX component. This allows an attacker to cause a DoS or execute arbitrary code with the privileges of the currently logged in user.
Situation: File-Text_Internet-Explorer-DirectAnimation.DATuple-Com-Object-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. Internet Explorer fails to correctly handle the initiation of a certain COM object that is not an ActiveX component. This allows an attacker to cause a DoS or execute arbitrary code with the privileges of the currently logged in user.
References:
CVE-2006-3638
BID-19340
OSVDB-27852
MS06-042

MS06-041 Microsoft-Windows-DNS-Client-Buffer-Overrun

About this vulnerability: A vulnerability in Microsoft Windows
Risk: Moderate
First detected in: sgpkg-ips-415-4219
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: There exists a buffer overflow vulnerability in the DNS client component of Microsoft Windows. The flaw is caused by the improper processing of crafted DNS messages. A remote attacker may leverage this vulnerability by sending crafted DNS responses to the affected service, resulting in the possible injection and execution of arbitrary code on the target system. Any injected code would be executed within the security context of the System user. In an attack case where code injection is not successful, the affected service will terminate abnormally. As the service is integral to the function of the operating system, the operating system will be shut down. It is likely that the system will continue this behaviour after restarting, since it will attempt to use the DNS service to locate certain servers upon startup. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the SYSTEM account.
Situation: DNS-TCP_Microsoft-Windows-DNS-Client-Buffer-Overrun
Comment: An attempt to exploit a vulnerability in Microsoft Windows detected
Description: There exists a buffer overflow vulnerability in the DNS client component of Microsoft Windows. The flaw is caused by the improper processing of crafted DNS messages. A remote attacker may leverage this vulnerability by sending crafted DNS responses to the affected service, resulting in the possible injection and execution of arbitrary code on the target system. Any injected code would be executed within the security context of the System user. In an attack case where code injection is not successful, the affected service will terminate abnormally. As the service is integral to the function of the operating system, the operating system will be shut down. It is likely that the system will continue this behaviour after restarting, since it will attempt to use the DNS service to locate certain servers upon startup. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the SYSTEM account.
Situation: DNS-UDP_Microsoft-Windows-DNS-Client-Buffer-Overrun-2
Comment: An attempt to exploit a vulnerability in Microsoft Windows detected
Description: There exists a buffer overflow vulnerability in the DNS client component of Microsoft Windows. The flaw is caused by the improper processing of crafted DNS messages. A remote attacker may leverage this vulnerability by sending crafted DNS responses to the affected service, resulting in the possible injection and execution of arbitrary code on the target system. Any injected code would be executed within the security context of the System user. In an attack case where code injection is not successful, the affected service will terminate abnormally. As the service is integral to the function of the operating system, the operating system will be shut down. It is likely that the system will continue this behaviour after restarting, since it will attempt to use the DNS service to locate certain servers upon startup. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the SYSTEM account.
References:
CVE-2006-3441
BID-19404
OSVDB-27844
MS06-041

MS06-040 MSRPC-Microsoft-Windows-Server-Service-Buffer-Overrun

About this vulnerability: Buffer overflow vulnerability in Microsoft Server service
Risk: Critical
First detected in: sgpkg-ips-75-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Server service has a buffer overflow vulnerability. By sending specially crafted packets to an affected system, a remote attacker can cause a denial of service condition or take complete control of the system.
Situation: MSRPC-TCP_CPS-Microsoft-Windows-Server-Service-Buffer-Overrun
Comment: Buffer overflow exploit against Microsoft Server Service
Description: Detects buffer overflow exploits against Microsoft Server service. A successful exploitation may lead to a DoS or a root/system level compromise.
Situation: MSRPC-TCP_CPS-Vulnerable-Microsoft-Windows-Server-Service-Function-Called
Comment: Vulnerable Microsoft Windows Server service function called
Description: Detects calls to a vulnerable Microsoft Windows Server service function. The function call with a crafted parameter can be used to compromise a vulnerable system, but the function is also used in normal traffic, so this situation alone is not proof of an attack.
References:
CVE-2006-3439
BID-19409
MS06-040

MS06-037 Microsoft-Excel-Malformed-Fngroupcount-Value-Code-Execution

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-414-4219
Last changed: sgpkg-ips-518-5211
Platform: Generic
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office
Type: Malfunction
Description: There exists a code execution vulnerability in Microsoft Excel. The flaw is caused by an insufficient check of a malformed FNGROUPCOUNT Record in an Excel file. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. In an attack case where code injection is not successful, the Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
Situation: File-OLE_Microsoft-Excel-Malformed-Fngroupcount-Value-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a code execution vulnerability in Microsoft Excel. The flaw is caused by an insufficient check of a malformed FNGROUPCOUNT Record in an Excel file. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. In an attack case where code injection is not successful, the Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-1308
BID-18890
MS06-037

MS06-037 Microsoft-Excel-Malformed-Selection-Record-Code-Execution

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-416-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office
Type: Malfunction
Description: There is a memory corruption vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing Selection Records in Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, causing arbitrary code to be injected and executed in the security context of the currently logged in user. In a successful attack, all instances of the vulnerable Microsoft Excel application terminate, or the application stops responding. This can potentially lead to a loss of data. In a more sophisticated attack, where code injection is successful, the behaviour of the target depends on the intended function of the injected code.
Situation: File-OLE_Microsoft-Excel-Malformed-Selection-Record-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a memory corruption vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing Selection Records in Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, causing arbitrary code to be injected and executed in the security context of the currently logged in user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate or the application will stop responding. This can potentially lead to a loss of data. In a more sophisticated attack, where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-1301
BID-18853
MS06-037

MS06-036 Microsoft-Windows-DHCP-Client-Service-Buffer-Overflow

About this vulnerability: A vulnerability in Microsoft Windows
Risk: High
First detected in: sgpkg-ips-140-2032
Last changed: sgpkg-ips-518-5211
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the DHCP client component of Microsoft Windows. The flaw is caused by the improper processing of crafted DHCP response messages. A remote attacker may leverage this vulnerability by sending a crafted DHCP response to the affected service, resulting in the possible injection and execution of arbitrary code on the target system. Any injected code would be executed within the security context of the System user.
Situation: Generic_UDP-Microsoft-Windows-DHCP-Client-Service-Buffer-Overflow
Comment: Detected an attempt to exploit a vulnerability in Microsoft Windows' DHCP client
Description: An attempt to exploit a vulnerability in the DHCP client component of Microsoft Windows was detected.
References:
CVE-2006-2372
BID-18923
OSVDB-27151
MS06-036

MS06-035 Microsoft-Windows-Mailslot-Heap-Overflow

About this vulnerability: Heap buffer overflow vulnerability in the Server driver of Microsoft Windows
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000; Windows XP; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: There is a heap-based buffer overflow vulnerability in the Server driver of Microsoft Windows. A successful exploit against this vulnerability leads to a denial of service or arbitrary code execution with the privileges of the System kernel.
Situation: SMB-TCP_CHS-First-Class-Mailslot-Traffic-Detected
Comment: First-class Mailslot message detected
Description: First-class Mailslot traffic detected. The first-class Mailslot protocol is not officially supported by the vendor. Its usage can be considered suspicious and may indicate a possible attempt to exploit a heap-based buffer overflow vulnerability in the Server driver of Microsoft Windows.
References:
CVE-2006-1314
BID-18863
OSVDB-27154
MS06-035

MS06-034 Microsoft-IIS-Server-Crafted-Asp-Page-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the handling of crafted ASP pages in IIS
Risk: Moderate
First detected in: sgpkg-ips-73-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: IIS
Type: Buffer Overflow
Description: There is a buffer overflow vulnerability in the handling of crafted ASP pages in IIS. A remote attacker can exploit this vulnerability by uploading a crafted ASP page containing an excessively long include file parameter to the target host and then requesting it, which can enable arbitrary code execution with the privileges of the vulnerable web server.
Situation: HTTP_CS-Excessively-Long-Asp-Include-File-Argument
Comment: Detects an excessively long ASP include file argument
Description: Detects an excessively long ASP include file argument. When a malicious ASP file with a crafted file include directive is executed on the vulnerable web server, non-privileged code execution may take place on the target host.
Situation: FTP_UL-Excessively-Long-Asp-Include-File-Argument
Comment: Detects an excessively long ASP include file argument
Description: Detects an excessively long ASP include file argument. When a malicious ASP file with a crafted file include directive is executed on the vulnerable web server, non-privileged code execution may take place on the target host.
Situation: File-Text_Excessively-Long-Asp-Include-File-Argument
Comment: Detects an excessively long ASP include file argument
Description: Detects an excessively long ASP include file argument. When a malicious ASP file with a crafted file include directive is executed on the vulnerable web server, non-privileged code execution may take place on the target host.
References:
CVE-2006-0026
BID-18858
OSVDB-27152
MS06-034

MS06-033 HTTP-Microsoft-ASP.NET-Application-Folder-Information-Disclosure

About this vulnerability: Information disclosure vulnerability in Microsoft .NET Framework
Risk: Moderate
First detected in: sgpkg-ips-73-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Microsoft .NET Framework
Type: Malfunction
Description: There is an information disclosure vulnerability in Microsoft .NET Framework due to insufficient URL validation. A successful exploitation allows a remote attacker to gain unauthorized access to known files in the Application Code folder.
Situation: HTTP_CSU-Microsoft-ASP.NET-Application-Folder-Information-Disclosure
Comment: Detects information disclosure exploits against Microsoft .NET Framework
Description: Detects information disclosure exploits against Microsoft .NET Framework.
References:
CVE-2006-1300
BID-18920
OSVDB-27153
MS06-033

MS06-029 Microsoft-Exchange-Server-Outlook-Web-Access-Script-Injection

About this vulnerability: Script code injection vulnerability in Microsoft Exchange Server
Risk: Moderate
First detected in: sgpkg-ips-72-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Exchange Server
Type: Code Injection
Description: Microsoft Exchange Server has a script code injection vulnerability. The vulnerability can be exploited by sending a crafted email message to the target server and persuading a target user to open the message using Outlook Web Access. When the vulnerability is triggered it leads to arbitrary script code execution in the security context of the client's browser.
Situation: E-Mail_BS-Microsoft-Exchange-Server-Outlook-Web-Access-Script-Injection
Comment: Detects script code injection exploits against Microsoft Exchange Server
Description: Detects script code injection exploits against Microsoft Exchange Server. A successful exploitation leads to arbitrary script code execution with the privileges of the client's browser when a malicious message is viewed via Outlook Web Access.
Situation: File-Text_Microsoft-Exchange-Server-Outlook-Web-Access-Script-Injection
Comment: Detects script code injection exploits against Microsoft Exchange Server
Description: Detects script code injection exploits against Microsoft Exchange Server. A successful exploitation leads to arbitrary script code execution with the privileges of the client's browser when a malicious message is viewed via Outlook Web Access.
References:
CVE-2006-1193
BID-18381
OSVDB-26441
MS06-029

MS06-025 MSRPC-Microsoft-Windows-RRAS-Memory-Corruption

About this vulnerability: Buffer overflow vulnerability in Microsoft RRAS service
Risk: Critical
First detected in: sgpkg-ips-71-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Routing and Remote Access service has a buffer overflow vulnerability in the handling of the ServiceRequest function. A parameter passed to the function is copied into a 16-byte buffer without sufficient boundary checking allowing a malicious remote attacker to overrun the buffer and cause a DoS condition or execute arbitrary code with the privileges of the vulnerable service, normally SYSTEM.
Situation: MSRPC-TCP_CPS-Microsoft-Windows-RRAS-Memory-Corruption
Comment: Detects buffer overflow exploits against Microsoft RRAS service
Description: This fingerprint detects buffer overflow exploits against Microsoft RRAS service. A successful exploitation may lead to a DoS or a root/system level compromise.
Situation: MSRPC-TCP_CPS-Microsoft-Windows-RRAS-Memory-Corruption-2
Comment: Detects buffer overflow exploits against Microsoft RRAS service
Description: This fingerprint detects buffer overflow exploits against Microsoft RRAS service. A successful exploitation may lead to a DoS or a root/system level compromise.
References:
CVE-2006-2370
BID-18325
OSVDB-26437
MS06-025

MS06-024 Microsoft-Windows-Media-Player-PNG-Image-Parsing-Buffer-Overflow

About this vulnerability: PNG image parsing buffer overflow in Microsoft Windows Media Player
Risk: High
First detected in: sgpkg-ips-69-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows 2000; Windows XP; Windows 2003
Software: Windows Media Player
Type: Buffer Overflow
Description: Microsoft Windows Media Player has a vulnerability in the processing of the ancillary chunks in PNG images. The program does not check the size of the chunk data before the data is copied into a fixed size buffer. A remote attacker is able to exploit this vulnerability to execute arbitrary code on the victim machine.
Situation: HTTP_PNG-Image-With-Large-Data-Length-Value
Comment: PNG image with large data length value in image chunk
Description: Detects a PNG image with a large data length value in an image chunk. This is a possible buffer overflow attack.
Situation: E-Mail_BS-PNG-Image-With-Large-Data-Length-Value
Comment: PNG image with large data length value in image chunk
Description: Detects a PNG image with a large data length value in an image chunk. This is a possible buffer overflow attack.
Situation: File-PNG_PNG-Image-With-Large-Data-Length-Value
Comment: PNG image with large data length value in image chunk
Description: Detects a PNG image with a large data length value in an image chunk. This is a possible buffer overflow attack.
References:
CVE-2006-0025
BID-18385
OSVDB-26430
MS06-024

MS06-021 HTTP-Internet-Explorer-Com-Object-Instantiation-Memory-Corruption

About this vulnerability: Memory corruption vulnerability in Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-90-1314
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is a heap memory corruption vulnerability in Internet Explorer. By persuading a target user to visit a malicious web site, a remote attacker can cause a DoS or execute non-privileged arbitrary code on the target host.
Situation: HTTP_Internet-Explorer-Com-Object-Instantiation-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. A successful exploit leads to a denial of service condition terminating the affected browser or arbitrary code execution with the privileges of the currently logged in user.
Situation: File-Text_Internet-Explorer-Com-Object-Instantiation-Memory-Corruption
Comment: Detects memory corruption exploits against Internet Explorer
Description: Detects memory corruption exploits against Internet Explorer. A successful exploit leads to a denial of service condition terminating the affected browser or arbitrary code execution with the privileges of the currently logged in user.
References:
CVE-2006-1303
BID-18328
OSVDB-26442
MS06-021

MS06-021 HTTP-Internet-Explorer-Nested-Object-Tag-Memory-Corruption

About this vulnerability: Internet Explorer nested OBJECT tag handling vulnerability
Risk: High
First detected in: sgpkg-ips-65-1210
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer 5.0; Internet Explorer 5.5; Internet Explorer 6.0
Type: Malfunction
Description: Microsoft Internet Explorer has a vulnerability in the handling of nested OBJECT tags. 32 nested OBJECT elements which do not result in the creation of valid objects cause memory corruption, which may allow the execution of arbitrary code with the currently logged in user's privileges. Victims need to be tricked into viewing a malicious HTML page to exploit this vulnerability.
Situation: HTTP_Internet-Explorer-Nested-Object-Tag-Memory-Corruption
Comment: Detects HTML pages with multiple nested OBJECT tags, possible Internet Explorer exploit
Description: Detects HTML pages containing 10 or more nested OBJECT tags. Certain versions of Internet Explorer do not handle such pages correctly, resulting in memory corruption when they are viewed. There exists a theoretical use for nested OBJECT tags, as browsers should parse and instantiate any OBJECT tags present inside an unrecognized OBJECT tag to provide a fallback mechanism. This feature is not widely used, but could generate false positives if the fallback chain is 10 objects deep.
Situation: File-Text_Internet-Explorer-Nested-Object-Tag-Memory-Corruption
Comment: Detects HTML pages with multiple nested OBJECT tags, possible Internet Explorer exploit
Description: Detects HTML pages containing 10 or more nested OBJECT tags. Certain versions of Internet Explorer do not handle such pages correctly, resulting in memory corruption when they are viewed. There exists a theoretical use for nested OBJECT tags, as browsers should parse and instantiate any OBJECT tags present inside an unrecognized OBJECT tag to provide a fallback mechanism. This feature is not widely used, but could generate false positives if the fallback chain is 10 objects deep.
References:
CVE-2006-1992
BID-17658
OSVDB-27475
MS06-021

MS06-021 Microsoft-Internet-Explorer-Plugin-Loading-Address-Bar-Spoofing

About this vulnerability: A vulnerability in Microsoft Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-436-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: There is an address bar spoofing vulnerability in Microsoft Internet Explorer. The vulnerability stems from improper handling of resources that require a plugin to be processed. This flaw can be used to spoof the address bar of the browser and mislead a user as to the origin of a resource. Upon exploitation, the affected client browser will render a resource from a specific domain while the address bar of the browser displays a different domain, not reflecting the true origin of the resource. No other inconsistent behaviour will be observed after exploitation.
SituationFile-Text_Microsoft-Internet-Explorer-Plugin-Loading-Address-Bar-Spoofing
Comment: An attempt to exploit a vulnerability in Microsoft Internet Explorer detected
Description: There is an address bar spoofing vulnerability in Microsoft Internet Explorer. The vulnerability stems from improper handling of resources that require a plugin to be processed. This flaw can be used to spoof the address bar of the browser and mislead a user as to the origin of a resource. Upon exploitation, the affected client browser will render a resource from a specific domain while the address bar of the browser displays a different domain, not reflecting the true origin of the resource. No other inconsistent behaviour will be observed after exploitation.
References:
CVE-2006-1626
BID-17404
MS06-021

MS06-019 Microsoft-Exchange-Calendar-Code-Execution

About this vulnerability: Microsoft Exchange Calendar Code Execution
Risk: Moderate
First detected in: sgpkg-ips-86-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Exchange Server 2000; Exchange Server 2003
Type: Buffer Overflow
Description: Microsoft Exchange Server 2000 and 2003 can be remotely compromised via a malformed calendar object.
SituationE-Mail_BS-Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
SituationIMAP_Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
SituationPOP3_CS-Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
SituationFile-TextId_Microsoft-Exchange-Calendar-Code-Execution
Comment: Detects Microsoft Exchange Server 2000 and 2003 Calendar exploit
Description: Detects exploit attempts against Microsoft Exchange Server 2000 and 2003 via the calendar object.
References:
CVE-2006-0027
BID-17908
OSVDB-25338
MS06-019

MS06-018 Generic-MSDTC-BuildContextW-Denial-Of-Service

About this vulnerability: Denial of service vulnerability in Microsoft DTC BuildContextW method (MS06-018)
Risk: Moderate
First detected in: sgpkg-ips-66-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: Microsoft Windows Distributed Transaction Coordinator (MSDTC) suffers from a denial of service vulnerability. Remote attackers can cause the MSDTC service to crash by binding to the MSDTC RPC service and sending a malicious request to the BuildContextW method. This vulnerability is similar to the one patched in MS05-051, but does not allow remote code execution.
SituationMSRPC-TCP_CPS-PnP-MSDTC-BuildContextW-Denial-Of-Service
Comment: Denial of service exploit against Microsoft MSDTC BuildContextW function
Description: Detects requests to the MSDTC BuildContextW function that contain a large UuidString or GuidIn string. A successful attack allows remote attackers to cause a denial of service by crashing the vulnerable system.
SituationGeneric_MSDTC-BuildContextW-Denial-Of-Service
Comment: Detects denial of service attacks against Microsoft Distributed Transaction Coordinator
Description: This fingerprint detects denial of service attacks against Microsoft Distributed Transaction Coordinator. An RPC request to the BuildContextW method that contains input data with a size between 0x7D0 and 0x1000 bytes can crash the MSDTC service.
References:
CVE-2006-1184
BID-17905
OSVDB-25336
MS06-018

MS06-017 HTTP-Microsoft-FrontPage-Server-Extensions-Cross-Site-Scripting

About this vulnerability: Cross site scripting vulnerability in Microsoft FrontPage Server Extensions
Risk: Moderate
First detected in: sgpkg-ips-64-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: FrontPage Server Extensions
Type: Cross-site Scripting
Description: The dynamically linked library fpadmdll.dll in Microsoft FrontPage Server Extensions fails to validate the value given in the 'operation' parameter. A remote attacker is able to inject arbitrary HTML or script code into the value of the parameter and use that code to execute cross site scripting attacks in the browsers of other users.
SituationHTTP_CRL-Microsoft-FrontPage-Server-Extensions-Cross-Site-Scripting
Comment: Exploit against cross site scripting vulnerability in Microsoft FrontPage Server Extensions
Description: Detects exploit against cross site scripting vulnerability in Microsoft FrontPage Server Extensions.
References:
CVE-2006-0015
BID-17452
MS06-017

MS06-014 RDS.Dataspace-ActiveX-Control-Remote-Code-Execution

About this vulnerability: There is a code execution vulnerability in RDS.Dataspace ActiveX Control
Risk: High
First detected in: sgpkg-ips-97-1314
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Microsoft Data Access Components
Type: Malfunction
Description: There is a remote code execution vulnerability in the RDS.Dataspace ActiveX control included in the Microsoft Data Access Components (MDAC).
SituationHTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
SituationHTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-2
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected. This situation detects additional variations of the attack.
SituationHTTP_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-3
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
SituationFile-Text_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
SituationFile-Text_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-3
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected.
SituationFile-Text_RDS.Dataspace-ActiveX-Control-Remote-Code-Execution-2
Comment: RDS.Dataspace ActiveX Control detected
Description: An attempt to exploit a code execution vulnerability in the RDS.Dataspace ActiveX control was detected. This situation detects additional variations of the attack.
References:
CVE-2006-0003
BID-17462
OSVDB-24517
MS06-014

MS06-013 HTTP-Internet-Explorer-CreateTextRange-Vulnerability

About this vulnerability: Internet Explorer createTextRange vulnerability
Risk: High
First detected in: sgpkg-ips-62-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Internet Explorer 5.0; Internet Explorer 5.5; Internet Explorer 6.0
Type: Malfunction
Description: Microsoft Internet Explorer has a vulnerability in the handling of the createTextRange method. According to documentation, the checkbox, image and radio buttons of an INPUT element do not have the createTextRange method. However, if the method is used by an HTML page, Internet Explorer erroneously attempts to call the method. This may allow arbitrary remote code execution with the current user's privileges via a specially crafted HTML page.
SituationHTTP_Internet-Explorer-CreateTextRange-Vulnerability
Comment: Detects Microsoft Internet Explorer createTextRange exploits
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
SituationHTTP_SS-Internet-Explorer-CreateTextRange-Vulnerability-3
Comment: Detected attempt to exploit Microsoft Internet Explorer createTextRange vulnerability
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
SituationHTTP_SS-Internet-Explorer-CreateTextRange-Vulnerability-2
Comment: Detected attempt to exploit Microsoft Internet Explorer createTextRange vulnerability
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
SituationFile-Text_Internet-Explorer-CreateTextRange-Vulnerability
Comment: Detects Microsoft Internet Explorer createTextRange exploits
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
SituationFile-Text_Internet-Explorer-CreateTextRange-Vulnerability-2
Comment: Detected attempt to exploit Microsoft Internet Explorer createTextRange vulnerability
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
SituationFile-Text_Internet-Explorer-CreateTextRange-Vulnerability-3
Comment: Detected attempt to exploit Microsoft Internet Explorer createTextRange vulnerability
Description: Detects exploits against Microsoft Internet Explorer's createTextRange method. A successful attack allows arbitrary code execution with the privileges of the currently logged in user.
References:
CVE-2006-1359
BID-17196
OSVDB-24050
MS06-013

MS06-013 Microsoft-Internet-Explorer-HTML-Tag-Memory-Corruption

About this vulnerability: A vulnerability in Microsoft Internet Explorer
Risk: Moderate
First detected in: sgpkg-ips-436-4219
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Internet Explorer
Type: Malfunction
Description: A memory corruption vulnerability exists in Microsoft Internet Explorer. The vulnerability is caused by the application's failure to properly handle certain HTML tags. A remote attacker may exploit this issue via a malicious web page to execute arbitrary code in the context of the currently logged in user. Because successful code injection via this vulnerability has been found to be highly unlikely, an attack attempt will generally result in the termination of the affected process. In the event that an attack attempt does achieve code injection, the behaviour of the target system is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the currently logged-in user.
SituationFile-Text_Microsoft-Internet-Explorer-HTML-Tag-Memory-Corruption
Comment: An attempt to exploit a vulnerability in Microsoft Internet Explorer detected
Description: A memory corruption vulnerability exists in Microsoft Internet Explorer. The vulnerability is caused by the application's failure to properly handle certain HTML tags. A remote attacker may exploit this issue via a malicious web page to execute arbitrary code in the context of the currently logged in user. Because successful code injection via this vulnerability has been found to be highly unlikely, an attack attempt will generally result in the termination of the affected process. In the event that an attack attempt does achieve code injection, the behaviour of the target system is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the currently logged-in user.
References:
CVE-2006-1188
MS06-013

MS06-012 Microsoft-Excel-Malformed-File-Format-Parsing-Code-Execution

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-414-4219
Last changed: sgpkg-ips-518-5211
Platform: Generic
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office
Type: Malfunction
Description: There exists a code execution vulnerability in Microsoft Excel. The vulnerability is caused by improper processing of malformed BOOLERR records within Excel spreadsheet files. An attacker may exploit this vulnerability by enticing a user to open a crafted Excel file, which will enable the attacker to inject and execute arbitrary code within the security context of the target user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
SituationFile-Binary_Microsoft-Excel-Malformed-File-Format-Parsing-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a code execution vulnerability in Microsoft Excel. The vulnerability is caused by improper processing of malformed BOOLERR records within Excel spreadsheet files. An attacker may exploit this vulnerability by enticing a user to open a crafted Excel file, which will enable the attacker to inject and execute arbitrary code within the security context of the target user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-0028
OSVDB-23899
MS06-012

MS06-012 Microsoft-Excel-Malformed-Record-Code-Execution

About this vulnerability: A vulnerability in Microsoft Excel
Risk: Moderate
First detected in: sgpkg-ips-414-4219
Last changed: sgpkg-ips-518-5211
Platform: Generic
Software: Microsoft Excel; Microsoft Excel Viewer; Microsoft Office
Type: Malfunction
Description: There exists a code execution vulnerability in Microsoft Excel. The vulnerability is caused by improper sanitization of an undocumented record in Excel spreadsheet files. An attacker may exploit this vulnerability by enticing a user to open a crafted Excel file, which will enable the attacker to inject and execute arbitrary code within the security context of the target user. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
SituationFile-OLE_Microsoft-Excel-Malformed-Fngroupcount-Value-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft Excel detected
Description: There exists a code execution vulnerability in Microsoft Excel. The flaw is caused by an insufficient check of a malformed FNGROUPCOUNT Record in an Excel file. An attacker can exploit this vulnerability to inject and execute arbitrary code in the security context of the currently logged in user. In an attack case where code injection is not successful, the Microsoft Excel application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-0031
BID-17101
OSVDB-23902
MS06-012

MS06-012 Microsoft-Office-Malformed-Routing-Slip-Code-Execution

About this vulnerability: A vulnerability in Microsoft Word
Risk: Moderate
First detected in: sgpkg-ips-414-4219
Last changed: sgpkg-ips-518-5211
Platform: Generic
Software: Microsoft Word; Microsoft Excel; Microsoft Outlook; Microsoft PowerPoint; Microsoft Office
Type: Malfunction
Description: A vulnerability exists in Microsoft Office components when processing documents which include malformed Routing Slip records. This vulnerability may be exploited by supplying a malicious document to a vulnerable target host and enticing a user to open the file. An attacker may exploit this vulnerability to inject and execute arbitrary code into the vulnerable application process. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Office application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
SituationFile-OLE_Microsoft-Office-Malformed-Routing-Slip-Code-Execution
Comment: An attempt to exploit a vulnerability in Microsoft Word detected
Description: A vulnerability exists in Microsoft Office components when processing documents which include malformed Routing Slip records. This vulnerability may be exploited by supplying a malicious document to a vulnerable target host and enticing a user to open the file. An attacker may exploit this vulnerability to inject and execute arbitrary code into the vulnerable application process. In an attack case where code injection is not successful, all instances of the vulnerable Microsoft Office application will terminate. This can potentially lead to a loss of data. In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
References:
CVE-2006-0009
BID-17000
OSVDB-23903
MS06-012

MS06-006 HTTP-Windows-Media-Player-Plugin-Embed-Src-Buffer-Overflow

About this vulnerability: Windows Media Player Plug-in long SRC in HTML embed tag buffer overflow (MS06-005)
Risk: High
First detected in: sgpkg-ips-60-1210
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Windows Media Player
Type: Buffer Overflow
Description: Windows Media Player provides a plug-in to be used with web browsers for viewing content that Media Player can display. Resources requiring plug-ins can be embedded into HTML pages via an "embed" HTML tag. The Windows Media Player plug-in suffers from a vulnerability where a long SRC value in an embed tag will cause a buffer overflow and allow arbitrary code execution.
SituationHTTP_Windows-Media-Player-Plugin-Embed-Src-Buffer-Overflow
Comment: Exploit against Windows Media Player via a long SRC field in an HTML embed tag (MS06-006)
Description: Detects HTML embed tags containing an SRC field of over 1000 bytes. Such embed tags can overflow a buffer in the Windows Media Player browser plug-in, allowing remote attackers to execute arbitrary code on vulnerable systems viewing a malicious HTML page.
SituationFile-Text_Windows-Media-Player-Plugin-Embed-Src-Buffer-Overflow
Comment: Exploit against Windows Media Player via a long SRC field in an HTML embed tag (MS06-006)
Description: Detects HTML embed tags containing an SRC field of over 1000 bytes. Such embed tags can overflow a buffer in the Windows Media Player browser plug-in, allowing remote attackers to execute arbitrary code on vulnerable systems viewing a malicious HTML page.
References:
CVE-2006-0005
BID-16644
MS06-006

MS06-005 BMP-Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow

About this vulnerability: BMP header parsing vulnerability in Windows Media Player (MS06-005)
Risk: High
First detected in: sgpkg-ips-59-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: Windows Media Player
Type: Buffer Overflow
Description: Windows Media Player does not parse BMP files correctly. A BMP header with a DataOffset value lower than 0x0e will cause an integer underflow and a buffer overflow, allowing arbitrary code execution.
SituationHTTP_Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow
Comment: Exploit against Windows Media Player via malformed BMP header (MS06-005)
Description: This fingerprint detects exploits against a buffer overflow vulnerability in Windows Media Player's BMP handling functionality.
SituationE-Mail_BS-Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow
Comment: Exploit against Windows Media Player via malformed BMP header (MS06-005)
Description: This fingerprint detects exploits against a buffer overflow vulnerability in Windows Media Player's BMP handling functionality.
SituationFile-Binary_Windows-Media-Player-BMP-Header-Dataoffset-Buffer-Overflow
Comment: Exploit against Windows Media Player via malformed BMP header (MS06-005)
Description: This fingerprint detects exploits against a buffer overflow vulnerability in Windows Media Player's BMP handling functionality.
References:
CVE-2006-0006
BID-16633
MS06-005

MS06-004 WMF-Microsoft-Windows-WMF-Header-Filesize-Buffer-Overflow

About this vulnerability: WMF header parsing vulnerability in Microsoft Windows
Risk: High
First detected in: sgpkg-ips-61-1210
Last changed: sgpkg-ips-518-5211
Platform: Windows 2000; Windows ME
Software: <os>
Type: Buffer Overflow
Description: Certain versions of Microsoft Windows contain a component that does not parse placeable WMF images correctly. A placeable WMF image with the FileSize value in the header set in the range 0x00000000-0x00000008 or 0x80000000-0x80000008 triggers an integer underflow, which later leads to a buffer overflow. Arbitrary remote code execution is possible via a successful exploit. Internet Explorer uses the vulnerable component to parse WMF images, which allows malicious web pages to easily exploit visitors using the browser.
SituationHTTP_WMF-Microsoft-Windows-WMF-Header-Filesize-Buffer-Overflow
Comment: Detects malformed placeable WMF images with an illegal FileSize value in header (MS06-004)
Description: Detects placeable WMF images with the header's FileSize value set to 0x00000000-0x00000008 or 0x80000000-0x80000008. These are possible buffer overflow exploits against a parsing vulnerability in Windows mshtml.dll (MS06-004).
SituationFile-Binary_WMF-Microsoft-Windows-WMF-Header-Filesize-Buffer-Overflow
Comment: Detects malformed placeable WMF images with an illegal FileSize value in header (MS06-004)
Description: Detects placeable WMF images with the header's FileSize value set to 0x00000000-0x00000008 or 0x80000000-0x80000008. These are possible buffer overflow exploits against a parsing vulnerability in Windows mshtml.dll (MS06-004).
References:
CVE-2006-0020
BID-16516
OSVDB-22976
MS06-004

MS06-003 Microsoft-Exchange-And-Outlook-TNEF-Decoding-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the TNEF decoding in Microsoft Exchange and Outlook
Risk: High
First detected in: sgpkg-ips-54-1210
Last changed: sgpkg-ips-518-5211
Platform: Windows
Software: Exchange Server 5.0; Exchange Server 5.5; Exchange Server 2000; Microsoft Outlook
Type: Buffer Overflow
Description: Microsoft Exchange Server and Microsoft Outlook have a buffer overflow vulnerability in the handling of TNEF encoded messages. When a TNEF object record with a large size value is processed by these products, an integer overflow can occur. A remote attacker is able to exploit this vulnerability via a specially crafted email to execute arbitrary code on the victim machine.
SituationE-Mail_HCS-Microsoft-Exchange-And-Outlook-TNEF-Encoding
Comment: Detects usage of TNEF encoding in SMTP
Description: Detects if TNEF (Transport Neutral Encapsulation Format) encoding is used in SMTP.
SituationE-Mail_BS-Microsoft-Exchange-And-Outlook-TNEF-Decoding-Buffer-Overflow
Comment: Buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability
Description: Detects buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability.
SituationFile-Binary_Microsoft-Exchange-And-Outlook-TNEF-Decoding-Buffer-Overflow
Comment: Buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability
Description: Detects buffer overflow exploit against Microsoft Exchange and Outlook TNEF decoding vulnerability.
References:
CVE-2006-0002
BID-16197
MS06-003

MS06-002 Microsoft-Embedded-Web-Font-Buffer-Overflow

About this vulnerability: Buffer overflow vulnerability in the Microsoft Windows embedded web font handling
Risk: High
First detected in: sgpkg-ips-54-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Buffer Overflow
Description: A buffer overflow vulnerability exists in the Microsoft Windows embedded web font handling component. The data of the embedded font is defined in an EOT (Embedded Open Type) file. A remote attacker is able to create a malicious EOT file which is referred to by an HTML document. If the user views the document, the malicious EOT file is downloaded and processed on the victim host. This allows the attacker to execute arbitrary code on the victim machine.
SituationHTTP_Microsoft-Embedded-Font-EOT-File-Reference
Comment: Reference to EOT file in embedded font definition
Description: Detects reference to EOT (Embedded Open Type) file in embedded font definition in HTML document.
SituationE-Mail_BS-Microsoft-Embedded-Font-EOT-File-Reference
Comment: Reference to EOT file in embedded font definition
Description: Detects reference to EOT (Embedded Open Type) file in embedded font definition.
SituationFile-Text_Microsoft-Embedded-Font-EOT-File-Reference
Comment: Reference to EOT file in embedded font definition
Description: Detects reference to EOT (Embedded Open Type) file in embedded font definition in HTML document.
References:
CVE-2006-0010
BID-16194
OSVDB-18829
MS06-002

MS06-001 WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution

About this vulnerability: Windows Graphics Render Engine arbitrary code execution vulnerability
Risk: Critical
First detected in: sgpkg-ips-50-1210
Last changed: sgpkg-ips-545-5211
Platform: Windows
Software: <os>
Type: Malfunction
Description: Microsoft Windows Graphics Render Engine has a buffer overflow vulnerability in the code rendering WMF (Windows Metafile Format) images. The vulnerability allows arbitrary code execution when a malicious WMF file is opened with the vulnerable Windows component.
SituationHTTP_WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
SituationHTTP_WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious Metasploit-made WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
SituationE-Mail_BS-WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files
Description: This fingerprint detects malicious WMF files transferred via SMTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
SituationE-Mail_BS-WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files
Description: This fingerprint detects malicious Metasploit-made WMF files transferred via SMTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
SituationFTP_DL-WMF-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious WMF files
Description: This fingerprint detects malicious WMF files transferred via FTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
SituationFTP_DL-WMF-Metasploit-Windows-Graphics-Render-Engine-Arbitrary-Code-Execution
Comment: Detects malicious Metasploit-made WMF files
Description: This fingerprint detects malicious Metasploit-made WMF files transferred via FTP. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components.
SituationFile-Binary_Microsoft-Windows-WMF-Graphics-Render-Engine-Code-Execution-2
Comment: Detects malicious Metasploit-made WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious Metasploit-made WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
SituationFile-Binary_Microsoft-Windows-WMF-Graphics-Render-Engine-Code-Execution
Comment: Detects malicious WMF files being downloaded from HTTP servers
Description: This fingerprint detects malicious WMF files being downloaded from HTTP servers. Certain versions of Microsoft Windows allow arbitrary code execution when a malicious WMF file is viewed with an application using the vulnerable Windows components. WMF files viewed with Internet Explorer are by default opened in Windows Picture and Fax Viewer, which uses the vulnerable component. This allows remote attackers to easily execute arbitrary code on victim systems by tricking them into viewing a crafted WMF image with Internet Explorer.
References:
CVE-2005-4560
BID-16074
MS06-001

MS06-064 Windows_Xp_2003_Land_Attack_DoS

About this vulnerability: Windows XP and 2003 land attack Denial of Service
Risk: Low
First detected in: sgpkg-ips-253-3038
Last changed: sgpkg-ips-545-5211
Platform: Windows XP SP2; Windows 2003
Software: <os>
Type: Buffer Overflow
Description: Windows XP SP2 and Windows 2003 suffer from a denial of service vulnerability when receiving spoofed SYN packets from their own address.
SituationDOS_LAND
Comment: Targa2 DoS: land attack
Description: Detected a Denial-of-Service attack from the Targa2 attack set. A land attack sends a TCP SYN with the source IP address set to the same address as the target IP address. Because the source IP address is spoofed to be the same as the destination IP address, it is typically not possible to identify the source of the attack from the log event. Note: This situation is generated from an invalid packet, so all matching constraints other than the situation id are ignored. Also please note that this situation must be correlated in the log server context. Risk analysis: Risk level is medium.
References:
CVE-2005-0688
MS06-064
MS05-019