TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
398
Signature ID: 9013
AOL Instant Messenger 'goaway' Message Stack overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0636 Bugtraq: 10889
Signature Description: AOL Instant Messenger (AIM) is an instant messaging system distributed by AOL Time
Warner. A remotely exploitable stack based overflow vulnerability exists in AIM which allow attackers to execute
arbitrary code. The URI scheme aim: is handled by AIM if it is installed. The AIM goaway message will be used for
the auto-response reply in a popup window when the AIM client sets its online status to "Away". By passing a very
large string to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler buffer can be overflown. A
remote attacker can exploit this vulnerability by constructing a web page or e-mail which contains the malicious link
and enticing the user to click on the link. Successful exploitation allows execution of arbitrary code with user
privileges. Vulnerable platform is AOL Instant Messenger 5.5.
Signature ID: 9014
Computer Associates BrightStor ARCserve/Enterprise Discovery Service SERVICEPC Remote
Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2535 Bugtraq: 12536
Signature Description: ARCserve Backup is a cross-platform backup and recovery solution from Computer Associates.
The Discovery Service module allows the ARCserve management console to identify compatible hosts. By default
Discovery Service listens on TCP/UDP ports 41523. The ARCserve Backup Discovery Service is vulnerable to a buffer
overflow while checking the incoming network traffic on TCP port 41523. By sending a specially-crafted request to
TCP port 41523, a remote attacker could overflow a buffer and execute arbitrary code on the system. Administrators
are advised to close the port 41523 for untrusted clients.
Signature ID: 9028
Computer Associates BrightStor ARCserve/Enterprise Backup UDP Probe Remote Buffer
Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0260 Bugtraq: 12491
Signature Description: Computer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery
application. The BrightStor software will automatically detect other BrightStor (ARCserve) servers on the local
network by broadcasting UDP probe messages on UDP port 41524. The recvfrom() call in the discovery module of the
ARCServe software accepts the probe message before copying it into a temporary buffer. The service accepts up to
4096 bytes, however the buffer it is copied to is slightly less than 1000 bytes which causes a stack overflow. A remote
attacker can broadcast a crafted UDP probe message to the vulnerable servers that are listening on a network.
Successful exploitation results in execution of arbitrary code with system privileges.
Signature ID: 9029
Knox Arkeia Network Backup Client Type 77 Request Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0491
Bugtraq: 12594
Signature Description: Knox Arkeia Network Backup Client is an application designed to provide data protection for
Microsoft Windows and Unix-based operating systems. A stack based buffer overflow vulnerability exists in the binary
arkeiad.exe of the Arkeia Network Backup Client versions 5.3.4 and prior. The issue occurs due to insufficient bounds
checking performed when handling data contained within a type 77 request packet. A remote attacker can exploit this
vulnerability by constructing a specially crafted Type 77 (0x4D) request packet with length field setting to more than
24 bytes and sending it to TCP port 617. Successful exploitation results in execution of arbitrary code with root or
LocalSystem privileges. Adminsitrators are advised to update the software.