TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 11028
IMAP append literal overflow attempt
Threat Level: Severe
Industry ID: CVE-2004-1211
Bugtraq: 11775
Signature Description: Imapd daemon is reported susceptible to multiple stack-based buffer-overflow
vulnerabilities. These issues are due to the application's failure to properly bounds-check user-supplied input before
copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote attackers to execute
arbitrary machine code in the context of the affected server process. This event is concerned with data supplied as a
parameter to the "append" command.
Signature ID: 11029
IMAP append overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1211 CVE-2006-6425 CVE-2008-2859 CVE-2007-1301 Bugtraq: 11775,21723,29805,22792
Signature Description: Imapd daemon is reported susceptible to multiple stack-based buffer-overflow
vulnerabilities. These issues are due to the application's failure to properly bounds-check user-supplied input before
copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote attackers to execute
arbitrary machine code in the context of the affected server process. This event is concerned with data supplied as a
parameter to the append command. Products like David Harris Mercury Mail Transport System 4.01a, Novell
NetMail version 3.52, and MailEnable Professional version 2.37 and earlier are vulnerable to this type of attack.
Upgrade to a newer version of the product.
Signature ID: 11030
IMAP COPY Command Literal Overflow Attempt
Threat Level: Severe
Industry ID: CVE-2000-0284 Bugtraq: 1110 Nessus: 10374,10625
Signature Description: The IMAP COPY command copies the specified message(s) to the end of the specified destination
mailbox. It takes two arguments: 'sequence set' and 'mailbox name'. This rule triggers when an attempt is made to exploit
a buffer overflow in an IMAP product by using the COPY or UID COPY command together with a literal.
When the server allows command continuation requests, command data can be transmitted as
literals. A literal is a sequence of zero or more octets (including CR and LF), prefix-quoted with an octet count in the
form of an open brace ("{"), the number of octets, close brace ("}"), and CRLF. In this case the client sends the COPY
command with a large literal value. Once the command continuation request comes from the server, the client
sends (literal value, in octets) - 2 octets of data to the server. Since the arguments of the COPY command will never
be that large, this can be considered an attack. Products like University of Washington imapd 10.234 are vulnerable
to this type of attack.
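The check described for signature 11030, sketched as an added example; it is not the TMS zl module's own rule logic. It walks the client-to-server bytes of a reassembled IMAP session, skips literal data so that message content is never mistaken for a command, and flags COPY / UID COPY commands whose literal prefix announces more octets than a mailbox name or sequence set could need. The 1024-octet threshold, the function names and the sample stream are assumptions made for the example.

```python
import re

MAX_ARG_LITERAL = 1024  # assumed threshold, not a value from the guide
LITERAL_PREFIX = re.compile(rb"\{(\d+)\+?\}$")  # "{n}" or LITERAL+ "{n+}" ending a line
COPY_CMD = re.compile(rb"^\S+ +(?:UID +)?COPY(?: |$)", re.IGNORECASE)

def _read_line(data, pos):
    """Return (line without CRLF, offset just past the CRLF)."""
    end = data.find(b"\r\n", pos)
    if end == -1:
        return data[pos:], len(data)
    return data[pos:end], end + 2

def scan_client_stream(data, limit=MAX_ARG_LITERAL):
    """Scan reassembled client-to-server IMAP bytes and return (tag, octets)
    for each COPY / UID COPY whose literal prefix announces more than `limit`."""
    alerts, pos = [], 0
    while pos < len(data):
        line, pos = _read_line(data, pos)
        is_copy = COPY_CMD.match(line) is not None
        tag = line.split(b" ", 1)[0].decode("ascii", "replace")
        m = LITERAL_PREFIX.search(line)
        while m:  # a command may carry several literals
            size = int(m.group(1))
            if is_copy and size > limit:
                alerts.append((tag, size))
            pos += size  # skip literal octets so they are never parsed as commands
            line, pos = _read_line(data, pos)
            m = LITERAL_PREFIX.search(line)
    return alerts

# Constructed sample stream (not captured traffic).
DECOY = b"x4 COPY 1 {4096}\r\nhi"  # message text that only looks like a command
SAMPLE = (
    b"a1 LOGIN user pass\r\n"
    b"a2 COPY 1:3 {5}\r\nSaved\r\n"
    + b"a3 APPEND Drafts {%d}\r\n" % len(DECOY) + DECOY + b"\r\n"
    + b"a4 UID COPY 7 {4096}\r\n" + b"A" * 4096 + b"\r\n"
)

if __name__ == "__main__":
    for tag, size in scan_client_stream(SAMPLE):
        print(f"ALERT tag={tag} COPY literal announces {size} octets")
```

The alert fires on the announced octet count alone, so a truncated stream or a client that never sends the literal data is still flagged.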
Signature ID: 11031
IMAP delete literal overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1520 Bugtraq: 11675
Signature Description: A buffer overflow exists in Ipswitch IMail 8.13. The vulnerability exists in the DELETE
command. By supplying a long, well-crafted string as the second argument to the DELETE command, it becomes
possible to execute code on the machine. Executing the DELETE command requires an account on the machine. In
addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability
would only be useful in a scenario where a user has an account, but no shell-level access. This would allow them to
gain shell access. This issue is fixed in Ipswitch IMail 8.14. Administrators are advised to update the product.