TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
429
Signature ID: 11008
Anonymous login to IMAP access Vulnerability
Threat Level: Severe
Signature Description: IMAP stands for Internet Messaging Access Protocol. It is a method of accessing electronic
mail or bulletin board messages that are kept on a mail server. This signature detects when an attacker access to IMAP
using login name 'anonymous'. The successful exploitation of this issue will allow an attacker to waste resources by
creating folders and large files and gain sensitive information.
Signature ID: 11010
IMAP create literal buffer overflow vulnerability
Threat Level: Information
Bugtraq: 7446
Signature Description: MDaemon is a mail server for Microsoft Windows operating systems. It includes WorldClient,
which is a web-based email client. MDaemon (6.7.9 and prior) are vulnerable to a buffer overflow in the IMAP server,
caused by improper bounds checking of CREATE command. A successful exploitation of this attack will allow an
attacker to execute arbitrary code on the vulnerable system . Upgrade to the latest version (7.2.0 or later), available
from the Alt-N Technologies Web site.
Signature ID: 11011
IMAP create buffer overflow attempt
Threat Level: Information
Bugtraq: 14315
Signature Description: The Alt-N MDaemon IMAP server versions before Alt-N MDaemon 8.0 3 and some other
versions are expected to be vulnerable where an authenticated user creates a folder with a sufficiently long name,
arbitrary code can be executed with system privileges. Note that this exploit can only be attempted by an authenticated
user with a valid IMAP account on the mail server.
Signature ID: 11012
IMAP LOGIN Command with Command Length Exceeding 256 Bytes
Threat Level: Severe
Industry ID: CVE-1999-1557
CVE-2006-1255 CVE-2008-2859 Bugtraq: 502,17138,29805 Nessus: 21116
Signature Description: IMAP LOGIN command identifies the client to the server and carries the plain text password
authenticating this user. It takes arguments as Username and Password but these will be transmitted in plain text format
only. This rule triggers when an attempt is made to trigger a buffer overflow associated with an IMAP product by using
LOGIN command. In this case LOGIN command with argument length exceeding 256 bytes causes this rule hit.
Products like MERCURY Messaging 2005 5.0 SP3 IMAP Server and Ipswitch IMail 5.0 are vulnerable to this type of
attack.
Signature ID: 11013
IMAP auth literal overflow vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0005 Bugtraq: 130 Nessus: 10292,10125
Signature Description: A vulnerability exists in certain imapd implementations that allow an attacker to execute
arbitrary code remotely. In certain instances, the code to be executed will be run with root privilege.Imap supports a
command 'AUTHENTICATE' which specifies the type of authentication mechanism to be used to open a mailbox. The
value passed to the authenticate command is copied into a buffer of size 1024. The maximum size of this value,
however, it 8192 characters. A failure to bound the read value to 1024 results in a buffer overflow.