TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature Description: ProFTPd versions prior to and including 1.2pre1, as well as wuftpd versions up to
2.4.2academ[BETA-18] and 2.4.2 beta 18 vr9, are vulnerable to a buffer overflow that could result in remote root
access. It is possible to make the remote FTP server crash by issuing this command: NLST
aaaXXXX%u%[...]%u%u%u%%u%653300u%n where XXXX have ASCII values 0xDC, 0x4F, 0x07 and 0x08. It may
also allow the remote user to gain root easily. Some more vulnerabilities are also reported on ProFTPd pre6. Solution:
If proftpd is being used, upgrade to proftpd 1.2.0pre7.
Signature ID: 6034
Vermillion VFTPd CWD command DoS Vulnerability
Threat Level: Information
Industry ID: CVE-1999-1058
Bugtraq: 818 Nessus: 10293
Signature Description: Vermillion VFTPD 1.23 is a Windows-based FTP daemon. The VFTPD 1.23 daemon crashes
upon receiving three consecutive CWD commands with arguments of 504 characters or longer. This vulnerability
allows unauthorized disclosure of information, unauthorized modification and disruption of service.
Solution: upgrade to VFTPD software version 1.30 or above.
Signature ID: 6035
WFTPD 2.41 MLST command DoS Vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0647 CVE-2000-0644 Bugtraq: 1506 Nessus: 10487
Signature Description: WFTPD and WFTPD Pro 2.41 allow remote attackers to cause a denial of service by executing
an MLST command before logging into the server. An attacker may use this flaw to prevent anything from being
published using FTP. Solution: upgrade to the latest version of the software.
Signature ID: 6036
WFTPD RNTO Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0648 Bugtraq: 1456 Nessus: 10466
Signature Description: The FTP server software WFTPD and WFTPD Pro 2.41 allows local users to cause a denial of
service by executing the RNTO command before an RNFR command, which will cause the server service to stop
responding. Rule 6158 sets a flag whenever it receives the RNFR command. This rule, 6036, checks that flag upon
receiving an RNTO command to confirm whether an RNFR command was received before it. If not, it triggers an alarm.
Solution: if wftp is used, upgrade to version 2.41 RC11. Otherwise contact the vendor for a fix.
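The flag-and-check pairing of rules 6158 and 6036 can be sketched as a small stateful tracker. This is an added example, not the TMS zl module's own code; the class and function names, the per-session scope of the flag, the clearing of the flag after a matching RNTO, and the sample traffic are all assumptions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "session rule_id reason")
RULE_CHECK_FLAG = 6036  # from the guide: alarms on RNTO with no prior RNFR


def parse_command(line):
    """Return the upper-cased FTP verb of one control-channel line."""
    stripped = line.strip()
    return stripped.split(None, 1)[0].upper() if stripped else ""


class RenameOrderTracker:
    """Keeps the RNFR flag per session (per-session scope is an assumption)."""

    def __init__(self):
        self._rnfr_seen = set()

    def observe(self, session, line):
        verb = parse_command(line)
        if verb == "RNFR":
            self._rnfr_seen.add(session)  # what rule 6158 is described as doing
            return None
        if verb == "RNTO" and session not in self._rnfr_seen:
            return Alert(session, RULE_CHECK_FLAG, "RNTO without prior RNFR")
        if verb == "RNTO":
            # Assumption: a matching RNTO consumes the flag.
            self._rnfr_seen.discard(session)
        return None


def scan(events):
    """Run (session, line) pairs through one tracker, in order."""
    tracker = RenameOrderTracker()
    hits = (tracker.observe(session, line) for session, line in events)
    return [alert for alert in hits if alert]


# Constructed sample traffic: (session id, client command line)
SAMPLE = [
    ("10.0.0.5:40112", "USER anonymous\r\n"),
    ("10.0.0.5:40112", "RNFR old.txt\r\n"),
    ("10.0.0.5:40112", "RNTO new.txt\r\n"),
    ("10.0.0.9:51844", "rnto new.txt\r\n"),
    ("10.0.0.5:40112", "RNTO again.txt\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Keeping the flag per session prevents an RNFR on one connection from suppressing the alarm for an RNTO on another.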
Signature ID: 6037
Wu-ftpd SITE EXEC or INDEX vulnerability
Threat Level: Critical
Industry ID: CVE-1999-0997 CVE-2000-0573 Bugtraq: 1387,2240 Nessus: 10452
Signature Description: Washington University's WU-FTPD is an FTP daemon for Unix-based operating systems.
WU-FTPD versions 2.6.0 and earlier could allow an attacker to execute arbitrary commands on the system as root over a
local, remote, or anonymous FTP session. Due to insufficient input validation, an attacker can send a specially-crafted
string to the SITE EXEC command to overwrite data on the stack, such as the return address. By including executable
code in the string, the attacker could execute this code on the server as root. It should be noted that the SITE
INDEX command is affected as well. Solution: upgrade to the latest version of WU-FTPD (2.6.1 or later), available
from the WU-FTPD Development Group Web site.