TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

10972,10607,11381,11382
Signature Description: A remote integer overflow vulnerability exists in several implementations of SSH protocol
version 1.5. The vulnerability is present in the detect_attack() function of the deattack.c file, which is used to detect
exploitation of CRC32 weaknesses in the SSH 1 protocol. The attack detection function (detect_attack, located in
deattack.c) makes use of a dynamically allocated hash table to store connection information that is then examined to
detect and respond to CRC32 attacks. By sending a crafted SSH1 packet to an affected host, an attacker can cause the
SSH daemon to create a hash table with a size of zero. When the detection function then attempts to hash values into
the null-sized hash table, these values can be used to modify the return address of the function call, thus causing the
program to execute arbitrary code with the privileges of the SSH daemon, typically root. Vulnerable applications
include SSH Communications Security SSH 1.2.31 and prior, OpenSSH 2.2, and NetScreen ScreenOS 3.x.x. This rule hits
when /bin/sh is sent to the SSH server.
Signature ID: 12291
Remote Integer Overflow in detection code of SSH CRC32 overflow attack
Threat Level: Warning
Industry ID: CVE-2001-0144 CVE-2002-1024 Bugtraq: 2347,5114 Nessus: 10972,10607,11381,11382
Signature Description: SSH (Secure Shell) is a client-server program for authentication and encryption of network
communications. A remote integer overflow vulnerability exists in several implementations of SSH protocol version
1.5. The vulnerability is present in the detect_attack() function of the deattack.c file, which is used to detect exploitation of
CRC32 weaknesses in the SSH 1 protocol. The attack detection function (detect_attack, located in deattack.c) makes use of
a dynamically allocated hash table to store connection information that is then examined to detect and respond to
CRC32 attacks. By sending a crafted SSH1 packet to an affected host, an attacker can cause the SSH daemon to create
a hash table with a size of zero. When the detection function then attempts to hash values into the null-sized hash table,
these values can be used to modify the return address of the function call, thus causing the program to execute arbitrary
code with the privileges of the SSH daemon, typically root. Vulnerable applications include SSH Communications
Security SSH 1.2.31 and prior, OpenSSH 2.2, and NetScreen ScreenOS 3.x.x. This signature detects if an attacker sends
junk characters like "AAAAAAAAAA" in SSH traffic.
Signature ID: 12292
Remote Integer Overflow in detection code of SSH CRC32 overflow attack
Threat Level: Warning
Industry ID: CVE-2001-0144 CVE-2002-1024 Bugtraq: 2347,5114 Nessus: 10972,10607,11381,11382
Signature Description: A remote integer overflow vulnerability exists in several implementations of SSH protocol
version 1.5. The vulnerability is present in the detect_attack() function of the deattack.c file, which is used to detect
exploitation of CRC32 weaknesses in the SSH 1 protocol. The attack detection function (detect_attack, located in
deattack.c) makes use of a dynamically allocated hash table to store connection information that is then examined to
detect and respond to CRC32 attacks. By sending a crafted SSH1 packet to an affected host, an attacker can cause the
SSH daemon to create a hash table with a size of zero. When the detection function then attempts to hash values into
the null-sized hash table, these values can be used to modify the return address of the function call, thus causing the
program to execute arbitrary code with the privileges of the SSH daemon, typically root. Vulnerable applications
include SSH Communications Security SSH 1.2.31 and prior, OpenSSH 2.2, and NetScreen ScreenOS 3.x.x. This rule hits
when the vulnerable pattern "00 01 57 00 00 00 18" followed by "FF FF FF FF 00 00" is found in the specified offset
range.
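The three match conditions described for these CRC32-compensation signatures (the "/bin/sh" string, a run of junk characters such as "AAAAAAAAAA", and the byte pattern "00 01 57 00 00 00 18" followed by "FF FF FF FF 00 00" at an offset) can be reproduced as plain payload checks. The Python below is an added illustration, not the guide's text and not the TMS zl module's own matching engine; the offset range for signature 12292, the junk-run length threshold for 12291, and the sample payloads are constructed assumptions, since the page gives none of them. The first rule's signature ID falls on the previous page, so it is labelled by description here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Byte patterns taken from the signature descriptions above.
SHELL_STRING = b"/bin/sh"                        # unnumbered "/bin/sh" rule
PREFIX = bytes.fromhex("00 01 57 00 00 00 18")   # signature 12292, first pattern
SUFFIX = bytes.fromhex("FF FF FF FF 00 00")      # signature 12292, second pattern

# Assumption: the guide does not state the offset range for 12292 or the junk-run
# length for 12291; both are illustrative parameters here.
DEFAULT_OFFSET_RANGE = (0, 64)
DEFAULT_MIN_RUN = 10


@dataclass
class Alert:
    signature: str
    offset: int
    detail: str


def check_shell_string(payload: bytes) -> Optional[Alert]:
    """Unnumbered rule: '/bin/sh' anywhere in the SSH stream."""
    idx = payload.find(SHELL_STRING)
    if idx < 0:
        return None
    return Alert("crc32-binsh", idx, "/bin/sh observed in SSH traffic")


def check_junk_run(payload: bytes, min_run: int = DEFAULT_MIN_RUN) -> Optional[Alert]:
    """Signature 12291: a run of min_run or more identical bytes (e.g. 'AAAAAAAAAA')."""
    m = re.search(rb"(.)\1{%d,}" % (min_run - 1), payload, re.DOTALL)
    if m is None:
        return None
    return Alert("12291", m.start(), "run of %d identical bytes" % len(m.group(0)))


def check_offset_pattern(payload: bytes, offset_range=DEFAULT_OFFSET_RANGE) -> Optional[Alert]:
    """Signature 12292: PREFIX must start inside offset_range and SUFFIX must appear
    somewhere after it in the same payload (assumption: not necessarily adjacent)."""
    lo, hi = offset_range
    start = payload.find(PREFIX, lo)
    if start < 0 or start > hi:
        return None
    if payload.find(SUFFIX, start + len(PREFIX)) < 0:
        return None
    return Alert("12292", start, "CRC32 compensation attack pattern at offset %d" % start)


def scan(payload: bytes) -> List[Alert]:
    """Run every check and return the alerts that fired, in a fixed order."""
    alerts = [check_shell_string(payload), check_junk_run(payload), check_offset_pattern(payload)]
    return [a for a in alerts if a is not None]


# Constructed sample payloads for exercising the checks (not real captures).
SAMPLE_PACKETS = {
    "benign": bytes.fromhex("00 00 00 20") + b"SSH-1.5-ExampleSSH\n",
    "shell": bytes(range(8)) + SHELL_STRING + b"\x00",
    "junk": b"\x00\x01" + b"A" * 40,
    "offset": bytes(range(16)) + PREFIX + b"\x10\x11\x12\x13" + SUFFIX + bytes(range(20, 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, [(a.signature, a.offset, a.detail) for a in scan(pkt)])
```

Because the junk-run and offset checks are purely positional, the leading padding of a constructed packet matters: a long run of zero bytes in front of the 12292 pattern would also trip 12291, which is a useful reminder that overlapping signatures commonly fire together on one packet and should be correlated rather than counted separately.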
Signature ID: 12302
Access to Arkeia Client Backup with Root Account
Threat Level: Warning
Industry ID: CVE-2005-0496