TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 4061
Oracle9iAS Web Cache Buffer Overflow
Threat Level: Warning
Industry ID: CVE-2001-0836 CVE-2002-0102 Bugtraq: 3443,3449,3760 Nessus: 11069
Signature Description: A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1 to 2.0.0.2 NT
(inclusive) by submitting a malicious URL. Unsuccessful overflow attempts can cause the Web Cache process to exit
or hang, causing a denial of service condition. A successful attempt can allow arbitrary code execution on the server.
This signature detects overflow attempts on TCP ports 4000-4002.
Signature ID: 4067
Rshd NULL user name login vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0180 Nessus: 10096
Signature Description: The remote shell daemon is a server for remote shell (rsh) clients that listens on TCP port 514.
'in.rshd' is a popular remote shell daemon, flavors of which are distributed by multiple vendors. 'in.rshd' allows users to
execute arbitrary commands by supplying a NULL user name during login. This is due to a failed check in the ruserok()
library call.
Signature ID: 4068
Sun rlogind FTP bounce vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0185 Bugtraq: 0240
Signature Description: SunOS is a version of the Unix operating system developed by Sun Microsystems for their
workstation and server computer systems. Solaris is a Unix-based operating system introduced by Sun Microsystems as
the successor to SunOS. In Sun SunOS 4.1.3 to 4.1.4 (inclusive) and Sun Solaris 2.3 to 2.5.1 (inclusive), a remote user
can execute arbitrary commands due to a vulnerability in the rlogin server. This issue is known as the FTP bounce
vulnerability because it uses the FTP bounce attack as its foundation. If a vulnerable rlogin server is configured to trust an
FTP server, a malicious remote user can connect from the FTP server's data port to the rlogin server and execute
arbitrary commands.
Signature ID: 4069
Defrsh brute force attack
Threat Level: Warning
Signature Description: Defrsh is a brute force attack tool. If the system doing the scan is trusted and this trust extends
to other machines, an attacker can compromise the security of the network. Software that scans some Unix systems may
cause them to halt if the 'shutdown/shutdown' or 'halt/halt' username/password account pairs exist on the
Unix systems. This signature detects activity on DP 514.
Signature ID: 4076
RipAppend routed trace file vulnerability
Threat Level: Warning
Signature Description: Routed is a daemon used to dynamically update network routing tables. Certain operating
systems contain a routed version which allows an attacker to append certain logging data to arbitrary files on the host
machine with root privileges. 4.4BSD-based routed allows a packet to be sent to the daemon that turns
on debug mode. The RIP packet is able to specify the trace file, which is later opened without any checks being placed on
that file open. The result is that an attacker can append to any file on the filesystem. Attackers can construct packets
(typically with spoofed source addresses) to turn on this feature and cause routed to append debugging information to
the specified trace file. Although the information thus written is limited to the normal routed debugging output, the files