ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell
level access. This would allow them to gain shell access.
Signature ID: 11019
IMAP login brute force attempt
Threat Level: Warning
Signature Description: An attempt is made to gain access to an IMAP server using brute force methods, in which an
attacker attempts to guess username and password combinations. This rule triggers when many unsuccessful
attempts to log in to the IMAP server are seen during a short period of time.
Signature ID: 11020
IMAP login buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-1999-0005 CVE-2005-1255 Bugtraq: 130,13727 Nessus: 10125,10292
Signature Description: Cyrus IMAPD is a freely available, open source Interactive Mail Access Protocol (IMAP)
daemon. It is available for Unix and Linux operating systems. Carnegie Mellon University Cyrus IMAP Server is
vulnerable to a buffer overflow triggered by sending a long argument to the login command. Successful exploitation
will allow an attacker to execute arbitrary code on the vulnerable system. This rule hits when the command length is
greater than 100 characters.
Signature ID: 11021
IMAP login literal buffer overflow vulnerability
Threat Level: Information
Bugtraq: 6298
Signature Description: Cyrus IMAPD is a freely available, open source Interactive Mail Access Protocol (IMAP)
daemon. It is available for Unix and Linux operating systems. Carnegie Mellon University Cyrus IMAP Server is
vulnerable to a buffer overflow triggered by sending a long argument to the login command. Successful exploitation
will allow an attacker to execute arbitrary code on the vulnerable system.
Signature ID: 11022
IMAP LSUB Command Literal Overflow Attempt
Threat Level: Severe
Industry ID: CVE-2000-0284
Bugtraq: 1110 Nessus: 10374,10625
Signature Description: The IMAP LSUB command returns a subset of names from the set of names that the user has
declared as being "active" or "subscribed". It takes two arguments, 'reference name' and 'mailbox name pattern'. This
rule triggers when an attempt is made to exploit a buffer overflow in an IMAP product by sending an LSUB
command that uses a literal. When the server allows command continuation requests, command data can be
transmitted as literals. A literal is a sequence of zero or more octets (including CR and LF), prefix-quoted
with an octet count in the form of an open brace ("{"), the number of octets, close brace ("}"), and CRLF. In this
case the client sends the LSUB command with a large literal value. Once the command continuation
request comes from the server, the client sends an amount of data equal to the literal value (number of octets) - 2
to the server. Since the arguments of the LSUB command will never be that large, this can be considered an attack.
Products like University of Washington imapd 10.234 are vulnerable to this type of attack.
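The check that signature 11022 describes can be sketched as follows. This is an added example, not the TMS zl module's own rule logic: it walks a client-to-server IMAP stream, tracks which command each literal belongs to, and flags an oversized octet count as soon as it is announced. The function name, the 1024-octet threshold, the inclusion of LOGIN, and the sample traffic are assumptions.

```python
import re

# Assumed threshold: the guide gives no octet limit for this rule.
MAX_LITERAL_OCTETS = 1024
# Commands whose arguments are never legitimately large
# (LOGIN is included here as a generalization beyond signature 11022).
WATCHED = {b"LSUB", b"LOGIN"}
# A literal announcement closes the line: "{" count "}" CRLF.
# "{count+}" is the non-synchronizing LITERAL+ form.
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}\r\n$")


def scan_client_stream(data, limit=MAX_LITERAL_OCTETS):
    """Walk a client-to-server IMAP byte stream; return (command, count) alerts."""
    alerts, pos, command = [], 0, None
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        if end < 0:
            break                      # incomplete line, nothing more to judge
        line = data[pos:end + 2]
        pos = end + 2
        if command is None:            # first line of a command: tag SP command ...
            parts = line[:-2].split(b" ", 2)
            command = parts[1].upper() if len(parts) > 1 else b""
        m = LITERAL_RE.search(line)
        if m is None:
            command = None             # no literal follows, so the command is complete
            continue
        count = int(m.group(1))
        if command in WATCHED and count > limit:
            alerts.append((command.decode(), count))  # alert on the announcement
        pos += count                   # skip the literal octets (may contain CR/LF)
    return alerts


# Constructed sample traffic, not taken from the guide.
SAMPLE = (
    b"a1 LOGIN {5}\r\nalice {6}\r\nsecret\r\n"   # small literals: normal
    b'a2 LSUB "" {3}\r\nIN*\r\n'                 # small literal: normal
    b"a3 LSUB {2}\r\n#n {4000}\r\n"              # second argument announces 4000 octets
)

if __name__ == "__main__":
    print(scan_client_stream(SAMPLE))
```

Because the scanner skips literal data by its declared length, the oversized count in the second LSUB argument is still attributed to LSUB even though that line carries no tag or command name.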
Signature ID: 11023
IMAP lsub overflow attempt
Threat Level: Warning
Industry ID: CVE-2000-0284 Bugtraq: 1110 Nessus: 10374,10625
Signature Description: A buffer overflow exists in imapd. The vulnerability exists in the LSUB command. By