ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 10239
HP OpenView Radia Notify Daemon Long File Extension Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1826
Bugtraq: 13835
Signature Description: HP OpenView Radia is desktop management software designed for Windows and Unix-based
operating systems. The Radia Notify Daemon (radexecd) is a server that listens for commands on TCP port 3465 and
executes them on behalf of an administrator or another Radia process. The Notify Daemon is vulnerable to a remote
buffer overflow while copying the received command to a local buffer. radexecd accepts requests
of the form <callback port>\0<username>\0<password>\0<command>\0 (where \0 is a NULL delimiter/terminator). By
sending a specially crafted command that takes a file name as a parameter, with a long file extension, to the RADEXECD
component, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the
RADEXECD process. Administrators are advised to close port 3465 to untrusted users.
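Added example (not part of this guide and not the TMS signature's own logic): a Python check that parses the request framing described for signature 10239 and flags a command whose file extension is unusually long. The 16-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
# Frame described in the guide: <callback port>\0<username>\0<password>\0<command>\0
MAX_EXT_LEN = 16  # assumed detection threshold; the guide does not state the buffer size


def parse_radexecd_request(payload: bytes) -> dict:
    """Split one request into its four NUL-delimited fields, rejecting bad framing."""
    if not payload.endswith(b"\x00"):
        raise ValueError("request is not NUL-terminated")
    fields = payload[:-1].split(b"\x00")
    if len(fields) != 4:
        raise ValueError(f"expected 4 NUL-delimited fields, got {len(fields)}")
    port, user, password, command = fields
    if not port.isdigit() or int(port) > 65535:
        raise ValueError("callback port is not a valid TCP port")
    return {"port": int(port), "user": user, "password": password, "command": command}


def longest_extension(command: bytes) -> int:
    """Length of the longest file extension among the command's whitespace-separated tokens."""
    longest = 0
    for token in command.split():
        name = token.replace(b"\\", b"/").rsplit(b"/", 1)[-1]  # drop any directory part
        if b"." in name:
            longest = max(longest, len(name.rsplit(b".", 1)[1]))
    return longest


def inspect(payload: bytes) -> str:
    """Classify one request as 'malformed', 'alert' or 'ok'."""
    try:
        request = parse_radexecd_request(payload)
    except ValueError:
        return "malformed"
    return "alert" if longest_extension(request["command"]) > MAX_EXT_LEN else "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"0\x00operator\x00secret\x00runjob.cmd job.txt\x00",
    "long_ext": b"0\x00operator\x00secret\x00job." + b"x" * 40 + b"\x00",
    "bad_frame": b"0\x00operator\x00secret",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, inspect(data))
```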
Signature ID: 10240
MySQL User Defined Function Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2558
Bugtraq: 14509
Signature Description: MySQL is a multithreaded, multi-user SQL database management system. User-defined
functions in MySQL allow a database user to call binary libraries on the operating system. MySQL versions
4.0.25, 4.1.13, and 5.0.7-beta are vulnerable to a stack-based buffer overflow caused by a vulnerability in the
init_syms() function. A database user with sufficient access to create a user-defined function can exploit this issue.
User-defined functions can be declared using the CREATE FUNCTION command. By specifying a function name
that exceeds 50 bytes and instructing MySQL to load a C/C++ library, control can be passed to the init_syms() function,
which tries to copy the function name to a fixed-size buffer, causing a buffer overrun. A remote authenticated attacker with
privileges to create user-defined functions could overflow a buffer and cause MySQL to crash or possibly execute
arbitrary code.
Signature ID: 10241
VERITAS Backup Exec Agent Access with Hardcoded Authentication Credentials
Threat Level: Severe
Industry ID: CVE-2005-2611
Bugtraq: 14551
Nessus: 19427
Signature Description: VERITAS Backup Exec is a backup and recovery software solution for Microsoft Windows and
Unix-based operating systems. The VERITAS Backup Exec Remote Agent uses a hard-coded, encrypted root
password. An attacker with knowledge of this password and access to the Remote Agent may be able to retrieve
arbitrary files from a vulnerable system. A remote attacker can exploit this vulnerability to download arbitrary files,
aiding further attacks. Administrators are advised to close port 10000 to untrusted users.
Signature ID: 10242
Computer Associates Message Queuing (CAM/CAFT) Software log_security() Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2668
Bugtraq: 14622
Signature Description: Computer Associates Message Queuing (CAM/CAFT) software is shared by multiple CA
products. It provides messaging services that let the CA products communicate using a "store and
forward" mechanism. CA Message Queuing Server is vulnerable to a remotely exploitable stack-based buffer overflow.
The flaw specifically exists in the log_security() function of the CA Message Queuing Server (cam.exe). The subroutine
fails to check the size of the received buffer against the allocated stack size. By sending a specially crafted
request to cam.exe, which listens on TCP port 4105, a remote or local attacker could overflow a buffer and execute