ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 2204
Microsoft SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some
cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is
generally associated with Internet Information Services by using HTTPS and port 443, any service that implements
SSL on an affected platform is likely to be vulnerable. This includes, but is not limited to, Microsoft Internet
Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1,
Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis
Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT (MS04-011). This signature
looks for SSL PCT associated with SMTP (port 465).
Signature ID: 2205
SMTP Content-Transfer-Encoding overflow Vulnerability
Threat Level: Severe
Signature Description: This rule looks for a buffer overflow attempt against the Content-Transfer-Encoding field in
the MIME header of an SMTP message. Because the field carries only the name of the encoding technique, it is normally
no more than a few characters long, and the character sequence \r\n (0d 0a) marks the end of the field. If no \r\n
sequence appears in this field within, say, up to 100 characters, that is a definite indication of a buffer overflow attack.
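The check described for Signature 2205, written out as an added Python example (not part of the reference guide and not the TMS zl module's own rule): it flags a Content-Transfer-Encoding field whose value runs 100 bytes without \r\n. The function name, the constructed sample messages, and the choice to leave a short unterminated buffer undecided are assumptions.

```python
import re

# Field name at the start of a line; MIME header names are case-insensitive.
CTE_FIELD = re.compile(rb"^Content-Transfer-Encoding:", re.IGNORECASE | re.MULTILINE)
LIMIT = 100  # threshold taken from the description ("say up to 100 characters")


def scan_cte_overflow(payload: bytes, limit: int = LIMIT) -> list:
    """Return one finding per Content-Transfer-Encoding field whose value
    runs for `limit` bytes without the terminating \\r\\n (0d 0a)."""
    findings = []
    for m in CTE_FIELD.finditer(payload):
        window = payload[m.end():m.end() + limit]
        if b"\r\n" in window:
            continue  # normal case: short encoding name, then CRLF
        if len(window) < limit:
            continue  # buffer ended early: undecided until more data is reassembled
        end = payload.find(b"\r\n", m.end())
        run = (end if end != -1 else len(payload)) - m.end()
        findings.append({"offset": m.start(), "unterminated_bytes": run})
    return findings


# Constructed sample inputs (not captured traffic).
BENIGN = (b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nSGVsbG8=\r\n")
OVERLONG = (b"MIME-Version: 1.0\r\nContent-Transfer-Encoding: "
            + b"A" * 300 + b"\r\n\r\nbody\r\n")
LOWERCASE = b"content-transfer-encoding:" + b"B" * 150  # never terminated
PARTIAL = b"Content-Transfer-Encoding: 7b"               # segment cut mid-field

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("overlong", OVERLONG),
                      ("lowercase", LOWERCASE), ("partial", PARTIAL)]:
        print(name, scan_cte_overflow(msg))
```

The function expects a reassembled SMTP data stream; run per segment, a field split across segments would land in the undecided branch until the stream is rebuilt.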
Signature ID: 2206
SMTP ETRN overflow attempt
Threat Level: Critical
Industry ID: CVE-2000-0490 Bugtraq: 1297
Signature Description: A buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote
attackers to execute arbitrary commands via a long ETRN request. NetWin DMail 2.8a-h and prior and NetWin DMail 2.7q
and prior are vulnerable to this attack. A successful attacker can crash the mail server or execute arbitrary code
with root access.
Signature ID: 2207
Sendmail Header Processing Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail versions 5.79 to 8.12.7 contain a buffer overflow
vulnerability. This rule triggers when an attacker sends an email with a specially crafted "From", "To", or "CC"
header field; with such a message a remote attacker could bypass the "skipping" mode email header check and overflow
a buffer to gain root access to the affected system. This issue is fixed in Sendmail 8.12.8. Administrators are advised
to update to version 8.12.8 to resolve this issue.
Signature ID: 2208
SMTP MAIL FROM sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161