TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 11003
Malformed Imap Request
Threat Level: Critical
Signature Description: Every IMAP request sends some command to the server, with some argument. A request packet that contains no command serves no purpose and is therefore suspicious. This rule triggers when the system detects an IMAP packet with no command in it.
Signature ID: 11004
No AUTHENTICATION type specified in the request line.
Threat Level: Critical
Signature Description: An IMAP4rev1 server is always in one of four states: Non-Authenticated State, Authenticated State, Selected State and Logout State. In the non-authenticated state, the client MUST supply authentication credentials before most commands will be permitted. Most commands are valid only in certain states. It is a protocol error for the client to attempt a command while the connection is in an inappropriate state. In this case, a server will respond with a BAD or NO (depending upon server implementation) command completion result. In addition to the universal commands (CAPABILITY, NOOP, and LOGOUT), the following commands are valid in the non-authenticated state: AUTHENTICATE and LOGIN. An IMAP client conforming to the RFC standard will never send any other command in this state. The system keeps track of the state of every IMAP session. This log is generated when the system finds a command other than those specified above in the non-authenticated state.
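The session-state tracking that signatures 11003 and 11004 describe, written as an added Python example; it is not the TMS zl module's own detection logic. `ImapSession`, `replay`, the alert strings and the sample transcript are assumptions made for illustration.

```python
import re

# Pre-auth commands exactly as the page lists them. Assumption to review:
# STARTTLS, which RFC 3501 also permits in this state, is not on the page's
# list, so this tracker flags it like any other unlisted command.
PRE_AUTH_OK = {"CAPABILITY", "NOOP", "LOGOUT", "AUTHENTICATE", "LOGIN"}
REQUEST = re.compile(rb"^(\S+)(?: +(\S+))?")  # tag, then optional command

class ImapSession:  # hypothetical per-connection tracker
    def __init__(self):
        self.authenticated = False
        self.pending = None        # tag of an outstanding LOGIN/AUTHENTICATE
        self.continuation = False  # server sent "+": next client line is data

    def client_line(self, line):
        if self.continuation:      # literal or SASL response, not a command
            self.continuation = False
            return None
        m = REQUEST.match(line.rstrip(b"\r\n"))
        if not m or m.group(2) is None:
            return "11003 request carries no command"
        cmd = m.group(2).upper().decode("ascii", "replace")
        if not self.authenticated:
            if cmd not in PRE_AUTH_OK:
                return f"11004 {cmd} in non-authenticated state"
            if cmd in ("LOGIN", "AUTHENTICATE"):
                self.pending = m.group(1)
        return None

    def server_line(self, line):   # follow replies that change session state
        parts = line.split(None, 2)
        if line.startswith(b"+"):
            self.continuation = True
        elif parts[:2] == [b"*", b"PREAUTH"]:
            self.authenticated = True
        elif self.pending and len(parts) >= 2 and parts[0] == self.pending:
            self.authenticated = parts[1].upper() == b"OK"
            self.pending = None

def replay(transcript):
    session, alerts = ImapSession(), []
    for direction, line in transcript:
        handler = session.client_line if direction == "C" else session.server_line
        alert = handler(line)
        if alert:
            alerts.append(alert)
    return alerts
SAMPLE = [  # constructed transcript: (direction, line)
    ("C", b'a1 LIST "" *\r\n'), ("S", b"a1 BAD state\r\n"), ("C", b"a2\r\n"),
    ("C", b"a3 LOGIN user pw\r\n"), ("S", b"a3 OK\r\n"), ("C", b'a4 LIST "" *\r\n'),
]
```

`replay(SAMPLE)` flags the pre-login LIST and the tag-only request, and stays quiet for the LIST sent after the tagged OK.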
Signature ID: 11005
Possible UW-Imap Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0042 CVE-1999-0005 Bugtraq: 130 Nessus: 10292,10125
Signature Description: UW imapd is an IMAP daemon from the University of Washington. University of Washington imapd 10.234 and previous versions are vulnerable to a buffer overflow caused by improper bounds checking of user-supplied data. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the vulnerable system. This rule triggers when a user issues a long argument in the AUTHENTICATE command.
Signature ID: 11006
Imap LIST Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0284 CVE-2000-0961 CVE-2005-2923 Bugtraq: 1721,1110,15753 Nessus: 10374,10625
Signature Description: A buffer overflow exists in University of Washington imapd 12.264. The vulnerability exists in the LIST command. By supplying a long, well-crafted string as the second argument to the LIST command, it becomes possible to execute code on the machine. Executing the LIST command requires an account on the machine. In addition, imapd has already dropped privileges before the code reaches the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account but no shell-level access, in which case it would allow them to gain shell access. Upgrade to the latest version to resolve this issue.
Signature ID: 11007
IMAP Authenticate buffer overflow attempt
Threat Level: Severe
Industry ID: CVE-1999-0005 Bugtraq: 130
Signature Description: IMAP4rev1 servers up to and including 10.234 contain a buffer overflow that allows a remote
attacker to execute arbitrary commands on the victim site as the user running imapd, generally root. This is not the
same vulnerability described in CERT CA-97.09