TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature Description: Some SMTP servers do not complain when issued the command: MAIL FROM: |testing . This
probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since this
allows anyone to execute arbitrary commands on this host. This finding might be a false positive, since some
MTAs will not complain about this test, but instead just drop the message silently. This rule triggers when an attempt
is made to send the / symbol in the SMTP MAIL FROM header.
Signature ID: 2006
Sendmail DEBUG attack vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0095
Bugtraq: 1 Nessus: 10247
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.58 is vulnerable to an access-gain issue. Successful
exploitation allows an attacker to gain access to system information. This rule triggers when an
attempt is made to send a debug pattern to the SMTP service. This issue is fixed in Sendmail 5.59. Administrators are
advised to upgrade to Sendmail 5.59 or a later version.
Signature ID: 2007
Spam mail attempt
Threat Level: Warning
Signature Description: This rule triggers when a mail arrives with <> (NULL) in the MAIL FROM command of the mail
header. In most cases this is spam. However, according to RFC 821, a NULL sender is explicitly allowed in the
MAIL FROM command and it helps prevent loops in error reporting (notification messages) between SMTP
servers. So this rule is a false positive if the mail is a notification message. Administrators are advised to monitor this
log for spam activity.
Signature ID: 2008
EXPN command buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0280 Bugtraq: 2412, 223 Nessus: 10620
Signature Description: Simple Mail Transfer Protocol is a TCP/IP protocol used in sending and receiving e-mail. A
remotely exploitable buffer-overflow vulnerability affects some SMTP servers. The problem lies in the code that handles the
'expn' command. Successful exploitation allows an attacker to execute arbitrary code on the
vulnerable system. This rule triggers when an attacker sends an overly long argument to the 'expn' command.
Seattle Lab Software SLMail 3.0.2421 is vulnerable to this kind of issue.
Signature ID: 2009
Sendmail 'decode' flaw
Threat Level: Warning
Industry ID: CVE-1999-0096
Nessus: 10248
Signature Description: Some remote SMTP servers pipe mail sent to the 'decode' alias to a program. There have been
many security problems regarding this in the past, as it would allow crackers to overwrite arbitrary files on the remote
server. We suggest you deactivate this alias.
Signature ID: 2010
MS Exchange server SMTP DoS
Threat Level: Information
Industry ID: CVE-2002-0055 Bugtraq: 4204 Nessus: 10885
Signature Description: The Simple Mail Transfer Protocol (SMTP) service in Microsoft Windows and Exchange is