TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

When the command continuation request comes from the server, the client sends (literal value (no. of octets) - 2) octets of data to the
server. Since the arguments of the SUBSCRIBE command will never be that large, this can be considered an attack.
Signature ID: 11041
IMAP SUBSCRIBE Command overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1211
CVE-2006-6761 CVE-2007-3927 CVE-2007-3925 Bugtraq: 11775,21728,24962
Signature Description: The IMAP SUBSCRIBE command adds the specified mailbox name to the server's set of "active" or
"subscribed" mailboxes as returned by the LSUB command. The SUBSCRIBE command takes a mailbox name as its argument.
This rule triggers when an attempt is made to cause a buffer overflow in an IMAP product by using the
SUBSCRIBE command. A SUBSCRIBE command whose argument length exceeds 100 bytes causes this
rule to hit. Products such as David Harris Mercury Mail Transport System 4.01a and Novell NetMail version 3.52 and
earlier are vulnerable to this type of attack. Upgrade to a newer version of the product.
Signature ID: 11042
IMAP unsubscribe literal overflow attempt
Threat Level: Severe
Industry ID: CVE-2004-1211 Bugtraq: 11775
Signature Description: Mail servers are reported to be susceptible to multiple stack-based buffer-overflow vulnerabilities in
their IMAP server implementations. These issues are due to the application's failure to properly bounds-check user-
supplied input before copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote
attackers to execute arbitrary machine code in the context of the affected server process. This event is concerned with
data supplied as a parameter to the UNSUBSCRIBE command. The IMAP service in Mercury/32 4.01a is vulnerable to this
attack. This signature detects when an attacker sends the IMAP command UNSUBSCRIBE followed by '{' (the start of an IMAP literal).
Signature ID: 11043
IMAP unsubscribe overflow attempt
Threat Level: Information
Industry ID: CVE-2004-1211 Bugtraq: 11775
Signature Description: Mail servers are reported to be susceptible to multiple stack-based buffer-overflow vulnerabilities in
their IMAP server implementations. These issues are due to the application's failure to properly bounds-check user-
supplied input before copying it to a finite-sized memory buffer. These vulnerabilities allow authenticated, remote
attackers to execute arbitrary machine code in the context of the affected server process. This event is concerned with
data supplied as a parameter to the UNSUBSCRIBE command. The IMAP service in Mercury/32 4.01a is vulnerable to this
attack. This signature detects when an attacker sends more than 100 bytes of argument data with the UNSUBSCRIBE command.
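The three detection conditions described for signatures 11041, 11042 and 11043 (SUBSCRIBE argument longer than 100 bytes, UNSUBSCRIBE followed by '{', and UNSUBSCRIBE argument longer than 100 bytes) can be reproduced as a small line-level classifier. This is an added example, not the TMS zl Module's own signature code; the threshold constant, the regular expressions and the sample command lines are assumptions made for the illustration, and a declared literal size is treated as the argument length because the literal data is what the server will copy.

```python
import re

# Byte threshold named in the descriptions of signatures 11041 and 11043.
MAX_ARG_LEN = 100

# Tag, command keyword (IMAP keywords are case-insensitive), optional argument.
_CMD_RE = re.compile(rb"^\S+\s+(SUBSCRIBE|UNSUBSCRIBE)(?:\s+(.*))?\s*$", re.IGNORECASE)
# IMAP literal form "{octets}" or non-synchronising "{octets+}" with no inline data.
_LITERAL_RE = re.compile(rb"^\{(\d+)\+?\}$")


def classify(line: bytes) -> list:
    """Return the signature IDs from this page that a single client line would trigger."""
    hits = []
    m = _CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return hits                      # not a SUBSCRIBE/UNSUBSCRIBE command
    cmd = m.group(1).upper()
    arg = (m.group(2) or b"").strip()

    # 11042: UNSUBSCRIBE whose argument is an IMAP literal ('{' after the keyword).
    if cmd == b"UNSUBSCRIBE" and arg.startswith(b"{"):
        hits.append(11042)

    # Argument length: declared octet count for a literal, else the inline bytes.
    lit = _LITERAL_RE.match(arg)
    arg_len = int(lit.group(1)) if lit else len(arg)

    # 11041 / 11043: more than 100 bytes of argument data for the respective command.
    if arg_len > MAX_ARG_LEN:
        hits.append(11041 if cmd == b"SUBSCRIBE" else 11043)
    return hits


# Constructed sample session lines (not captured traffic) exercising each condition.
SAMPLE_LINES = [
    b"a001 SUBSCRIBE INBOX\r\n",
    b"a002 SUBSCRIBE " + b"A" * 101 + b"\r\n",
    b"a003 UNSUBSCRIBE {20}\r\n",
    b"a004 UNSUBSCRIBE {300}\r\n",
    b"a005 unsubscribe " + b"B" * 101 + b"\r\n",
    b"a006 LOGIN user pass\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(raw[:40], "->", classify(raw))
```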
Signature ID: 11044
Microsoft SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some
cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is
generally associated with Internet Information Services by using HTTPS and port 443, any service that implements
SSL on an affected platform is likely to be vulnerable. This signature covers the case where PCT is used on the IMAP service. This includes, but is not
limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet
Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange