ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature Description: The IMAP daemon is reported to be susceptible to a remote format string vulnerability. This issue is
due to a failure of the application to properly sanitize user-supplied input data before using it as the format specifier in
a formatted printing function. Successful exploitation of this issue will allow an attacker to execute arbitrary code on
the affected computer with the privileges of the user that the IMAP daemon runs as. This vulnerability is exploitable
prior to authentication. Courier-IMAP (1.6.0-2.2.1) is vulnerable. Upgrade to the latest version of Courier-IMAP (3.0.7
or later), available from the Courier-IMAP Web site.
Signature ID: 11037
IMAP login literal format string attempt
Threat Level: Information
Industry ID: CVE-2004-0777
Bugtraq: 10976 Nessus: 14342,12103
Signature Description: The IMAP daemon is reported to be susceptible to a remote literal format string vulnerability. This
issue is due to a failure of the application to properly sanitize user-supplied input data before using it as the format
specifier in a formatted printing function. Successful exploitation of this issue will allow an attacker to execute
arbitrary code on the affected computer with the privileges of the user that the IMAP daemon runs as. This
vulnerability is exploitable prior to authentication. Courier-IMAP (1.6.0-2.2.1) is vulnerable. Upgrade to the latest
version of Courier-IMAP (3.0.7 or later), available from the Courier-IMAP Web site.
Signature ID: 11038
IMAP status literal overflow attempt
Threat Level: Severe
Industry ID: CVE-2004-1211
Bugtraq: 11775
Signature Description: Mail servers are reported susceptible to multiple stack-based buffer-overflow vulnerabilities in
their IMAP server implementations. These issues are due to the application's failure to properly bounds-check
user-supplied input before copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote
attackers to execute arbitrary machine code in the context of the affected server process. This event is concerned with
data supplied as a parameter to the STATUS command.
Signature ID: 11039
IMAP status overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1211 CVE-2005-3314 CVE-2005-2278 CVE-2005-1256
Bugtraq: 11775,15491,14243
Signature Description: Mail servers are reported susceptible to multiple stack-based buffer-overflow vulnerabilities in
their IMAP server implementations. These issues are due to the application's failure to properly bounds-check
user-supplied input before copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote
attackers to execute arbitrary machine code in the context of the affected server process. This event is concerned with
data supplied as a parameter to the STATUS command. This rule hits when a STATUS command argument sent to the
IMAP server exceeds 100 characters.
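The length check described for signature 11039, as an added example that is not part of the guide or of the vendor's signature logic. It assumes the measured argument is the mailbox name, takes the literal and quoted-string syntax from RFC 3501, and treats a literal's announced octet count as the argument length; the function names and sample lines are constructed for illustration.

```python
import re

LIMIT = 100  # threshold stated in the description of signature 11039

# RFC 3501 literal: "{" octet-count "}" at end of line ("{n+}" is the LITERAL+ form)
_LITERAL = re.compile(rb"\{(\d+)\+?\}")
# RFC 3501 quoted string, allowing backslash escapes
_QUOTED = re.compile(rb'"((?:[^"\\]|\\.)*)"')

def status_arg(line: bytes):
    """Return (tag, mailbox_argument_length) for a STATUS line, else None."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 3 or parts[1].upper() != b"STATUS":
        return None  # not "tag STATUS ..." (command names are case-insensitive)
    tag, rest = parts[0], parts[2].lstrip(b" ")
    lit = _LITERAL.fullmatch(rest)
    if lit:
        # The mailbox arrives after the continuation request; the announced
        # count is all a line-based check can see. Cap absurd digit runs.
        digits = lit.group(1)
        return tag, int(digits) if len(digits) <= 18 else 10**18
    quoted = _QUOTED.match(rest)
    if quoted:
        return tag, len(quoted.group(1))
    return tag, len(rest.split(b" ", 1)[0])  # bare atom up to the next space

def scan(lines, limit=LIMIT):
    """Return (tag, length) for every STATUS line whose argument exceeds limit."""
    hits = []
    for line in lines:
        parsed = status_arg(line)
        if parsed and parsed[1] > limit:
            hits.append(parsed)
    return hits

# Constructed client-to-server lines, not captured traffic
SAMPLE = [
    b"a1 STATUS INBOX (MESSAGES UNSEEN)\r\n",
    b'a2 status "' + b"A" * 150 + b'" (MESSAGES)\r\n',
    b"a3 STATUS {4096}\r\n",
    b"a4 SELECT INBOX\r\n",
    b"a5 STATUS {12+}\r\n",
]

if __name__ == "__main__":
    for tag, length in scan(SAMPLE):
        print(tag.decode(), "STATUS argument length", length, "exceeds", LIMIT)
```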
Signature ID: 11040
IMAP SUBSCRIBE Command Literal Overflow Attempt
Threat Level: Severe
Industry ID: CVE-2004-1211
Bugtraq: 11775
Signature Description: The IMAP SUBSCRIBE command adds the specified mailbox name to the server's set of "active" or
"subscribed" mailboxes as returned by the LSUB command. The SUBSCRIBE command takes a mailbox name as its argument.
This rule triggers when an attempt is made to exploit a buffer overflow associated with an IMAP product by using the
SUBSCRIBE command with a literal. When the server allows command continuation requests, command data can be
transmitted using literals. A literal is a sequence of zero or more octets (including CR
and LF), prefix-quoted with an octet count in the form of an open brace ("{"), the number of octets, close brace ("}"),
and CRLF. In this case the client sends the SUBSCRIBE command specifying a large literal value. Once the