ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and
remotely. Some network management functions write a debug log file in the "debug" subdirectory of the
Windows directory. Some RPC functions accept a long string as a parameter and attempt to write it to that debug
log file. Supplying an overly long string as a parameter to these RPC functions triggers a stack-based buffer overflow in
the Workstation service on the remote system. Attackers who successfully exploit this vulnerability execute
code in the SYSTEM context on the remote host.
Signature ID: 11418
Nimda Worm Traffic (root.exe)
Threat Level: Warning
Industry ID: CVE-2001-0333
Bugtraq: 2708 Nessus: 11003
Signature Description: The Nimda worm uses the Unicode Web Traversal exploit to infect unpatched Microsoft IIS (4.0
and 5.0) web servers. On these web servers, it is possible to construct a URL that causes IIS to navigate to any
desired folder on the logical drive that contains the Web folder structure, and then access files in it. Successful
exploitation of the directory traversal vulnerability gives the attacker the ability to install and run code, as well as
add, change, or delete files or Web pages on the compromised server.

Using the Nimda worm as a delivery mechanism, the attacker can remotely compromise a vulnerable IIS server and, once it is
compromised, create a local account on the targeted server with administrator privileges, regardless of the drive on which
the IIS server is installed. The worm uses directory traversal techniques to reach cmd.exe on unpatched IIS servers. The worm
also propagates through IIS servers that Code Red II had previously compromised, by requesting root.exe (the copy of cmd.exe
that Code Red II leaves behind) from the inetpub/scripts directory.

This rule detects the presence of root.exe in HTTP traffic.
Signature ID: 11419
Nimda Worm Traffic (cmd.exe)
Threat Level: Warning
Industry ID: CVE-2001-0333
Bugtraq: 2708 Nessus: 11003
Signature Description: The Nimda worm uses the Unicode Web Traversal exploit to infect unpatched Microsoft IIS (4.0
and 5.0) web servers. On these web servers, it is possible to construct a URL that causes IIS to navigate to any
desired folder on the logical drive that contains the Web folder structure, and then access files in it. Successful
exploitation of the directory traversal vulnerability gives the attacker the ability to install and run code, as well as
add, change, or delete files or Web pages on the compromised server.

Using the Nimda worm as a delivery mechanism, the attacker can remotely compromise a vulnerable IIS server and, once it is
compromised, create a local account on the targeted server with administrator privileges, regardless of the drive on which
the IIS server is installed. The worm uses directory traversal techniques to reach cmd.exe on unpatched IIS servers. The worm
also propagates through IIS servers that Code Red II had previously compromised, by requesting root.exe (the copy of cmd.exe
that Code Red II leaves behind) from the inetpub/scripts directory.

This rule detects the presence of cmd.exe in HTTP traffic.
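The following is an added example, not code from this guide or from the TMS zl module, showing why a signature for the two Nimda rules above (11418 for root.exe, 11419 for cmd.exe) has to normalize the request path the way the vulnerable IIS parser did before it matches. The decoder is an assumption about that parser's behaviour: it accepts overlong two-byte UTF-8 (so %c0%af becomes "/"), keeps the low six bits of the second byte even when it is not a valid continuation byte (so %c1%1c becomes "\"), and percent-decodes twice (so %255c becomes %5c and then "\", the double-decode path of CVE-2001-0333). The sample request lines are constructed, not captured traffic, and the check is simplified to the request path; the real rule matches the executable name anywhere in HTTP traffic.

```python
"""Normalization needed to match Nimda cmd.exe / root.exe probes.

Added example; the lenient decoder models the vulnerable IIS behaviour and is
an assumption, not a reproduction of IIS code.
"""
from urllib.parse import unquote_to_bytes

# Signature IDs from the guide, keyed by the executable name each rule looks for.
SIGNATURES = {"root.exe": 11418, "cmd.exe": 11419}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode like a permissive parser: any 0xC0-0xDF lead byte consumes the
    next byte and keeps its low six bits, so overlong (%c0%af) and malformed
    (%c1%1c) pairs still yield an ASCII '/' or '\\'. A strict decoder rejects both."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("\ufffd")  # longer sequences are irrelevant to this check
            i += 1
    return "".join(out)


def normalize_path(raw_path: str, passes: int = 2) -> str:
    """Percent-decode `passes` times (IIS decoded twice), map backslash to
    slash, and return the path the server would actually have resolved."""
    path = raw_path
    for _ in range(passes):
        path = lenient_utf8_decode(unquote_to_bytes(path))
    return path.replace("\\", "/")


def inspect_request(request_line: str) -> dict:
    """Parse an HTTP request line and report which signature (if any) fires."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"signature": None, "normalized": "", "traversal": False}
    raw_path = parts[1].split("?", 1)[0]  # drop the ?/c+dir argument string
    path = normalize_path(raw_path)
    segments = path.lower().split("/")
    return {
        "signature": SIGNATURES.get(segments[-1]),
        "normalized": path,
        "traversal": ".." in segments,
    }


def scan(request_lines):
    """Return (signature_id, request_line) for every line that matches a rule."""
    hits = []
    for line in request_lines:
        sig = inspect_request(line)["signature"]
        if sig is not None:
            hits.append((sig, line))
    return hits


# Constructed sample traffic (not captured data): Nimda-style probes plus one benign request.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for sig, line in scan(SAMPLE_REQUESTS):
        print(sig, inspect_request(line)["normalized"])
```

The point of the lenient decoder is that an IDS which normalizes with a standards-compliant UTF-8 decoder sees "%c0%af" as an invalid sequence and never recovers the "../", while the target server did; matching on the raw or strictly decoded string misses exactly the traffic these two rules exist for.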
Signature ID: 12001
Possible syslog (Passlog) Daemon SL_Parse Remote Buffer Overflow Vulnerability
Threat Level: Warning
Bugtraq: 7261
Signature Description: passlogd, the passive syslog capture daemon, is a free tool that sniffs syslog packets on
FreeBSD and Linux platforms. passlogd versions 0.1a, 0.1b, 0.1c and 0.1d are vulnerable to a buffer overflow in the
SL_Parse function. By sending a specially crafted syslog packet, a remote attacker could overflow the buffer and possibly
execute arbitrary code with root privileges on the affected system. Because passlogd captures packets passively, any
syslog packet it sees on the wire is parsed, whether or not it is addressed to the host running the daemon.