ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature Description: FTP servers are vulnerable to buffer overflow attacks. The flaw is due to a lack of bounds
checking on user-supplied data sent to the FTP service. This vulnerability may allow an attacker to crash
applications or potentially execute code. The maximum size allowed is 512 characters.
Signature ID: 6100
Telnet IAC character in FTP command line
Threat Level: Information
Signature Description: This rule triggers an info event if the Telnet IAC character, i.e. 'ff' (255), is found on the FTP
command line. The Telnet protocol specifies various commands that control the method and details of the
interaction between the FTP client and the server. Telnet commands are prefixed with the IAC character for
identification, and many FTP servers interpret Telnet commands present in the FTP command line.
An attacker may telnet to port 21 and send non-text Telnet opcodes in the FTP command line stream as part of an
exploit-specific evasion technique. This rule, implemented as a protocol anomaly, removes these characters for its
analysis to avoid exploit-specific evasion. The packet is not disturbed.
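The normalization that signature 6100 describes, sketched in Python as an added example (not code from the TMS zl module or this guide): Telnet sequences are removed from a copy of the command line, the info event is raised, and the cleaned line is matched against the "w0rm" login from signature 6101 in this guide. The handling of three-byte negotiation and subnegotiation sequences follows the Telnet specification (RFC 854) and is an assumption about how such a normalizer is built; the function names and the sample line are constructed.

```python
# Added example: strip Telnet IAC sequences from an FTP command line before
# pattern matching. Works on a copy; the original bytes are left untouched.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT + one option byte


def normalize_ftp_line(raw: bytes):
    """Return (normalized_copy, number_of_IAC_sequences_seen)."""
    out, iac_seen, i, n = bytearray(), 0, 0, len(raw)
    while i < n:
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
            continue
        iac_seen += 1
        nxt = raw[i + 1] if i + 1 < n else None
        if nxt is None:            # dangling IAC at end of buffer
            i += 1
        elif nxt == IAC:           # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif nxt in NEGOTIATION:   # three-byte option negotiation
            i += 3
        elif nxt == SB:            # subnegotiation runs until IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:                      # two-byte command such as NOP
            i += 2
    return bytes(out), iac_seen


def inspect(raw: bytes):
    """Return the signature IDs (as listed in this guide) that would fire."""
    normalized, iac_seen = normalize_ftp_line(raw)
    events = []
    if iac_seen:
        events.append(6100)        # Telnet IAC character in FTP command line
    verb, _, arg = normalized.strip().partition(b" ")
    if verb.upper() == b"USER" and arg.strip() == b"w0rm":
        events.append(6101)        # FTP ADMw0rm ftp login
    return events


# Constructed sample: a login line with IAC NOP (0xFF 0xF1) inside the verb.
SAMPLE = b"US\xff\xf1ER w0rm\r\n"

if __name__ == "__main__":
    print(b"USER w0rm" in SAMPLE)   # matching on raw bytes
    print(inspect(SAMPLE))          # matching after normalization
```

Matching on the raw bytes misses the login, while matching on the normalized copy reports both the anomaly and the login.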
Signature ID: 6101
FTP ADMw0rm ftp login
Threat Level: Critical
Industry ID: CVE-1999-0660 Nessus: 10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: The 'ADMw0rm' worm exploits a vulnerability in BIND version 4.9.6 and is Linux-specific.
This rule generates a critical event when an FTP login by user "w0rm" is attempted. This is an account used by
the ADMw0rm worm. Default installations of RedHat 4.0 to 5.2 are vulnerable. The solution is to upgrade to the latest
version.
Signature ID: 6102
FTP ALLO command buffer overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2004-1883 Bugtraq: 9953 Nessus: 14598
Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the ALLO
FTP command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in
the context of the server or cause a denial of service. The issue exists due to a lack of sufficient boundary checks
performed on user-supplied data.
Signature ID: 6103
FTP APPE command buffer overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2003-0466 CVE-2000-0133 CVE-2003-0772 Bugtraq: 8315,8542 Nessus: 12413,11811
Signature Description: Some FTP servers are prone to buffer overruns when handling data supplied to the APPE
FTP command. An FTP user who supplies excessive input to this command could potentially execute arbitrary code in
the context of the server or cause a denial of service. The issue exists due to a lack of sufficient boundary checks
performed on user-supplied data.
Signature ID: 6104
FTP CMD command Buffer overflow Vulnerability
Threat Level: Warning
Signature Description: Many FTP servers are prone to a remote buffer overflow vulnerability that is due to
a lack of sufficient boundary checks performed on user-supplied data. By using the "CMD" command, which allows
the remote execution of programs, attackers can send a long string and crash the server and/or machine. The attacker