TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

value that will be appropriately aligned to give us a sufficient amount of bytes to overwrite the stack. This can be
exploited to execute arbitrary code by a remote attacker.
Signature ID: 12331
ISC DHCPD NSUPDATE Remote Format String Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0702 Bugtraq: 4701 Nessus: 11312
Signature Description: The DHCP daemon (DHCPD) produced by the Internet Software Consortium (ISC) is a server that
allocates network addresses and assigns configuration parameters to dynamically configured hosts. DHCPD
listens for requests from client machines connecting to the network. Versions 3 to 3.0.1rc8 inclusive of DHCPD contain
an option (NSUPDATE) that is compiled in by default. NSUPDATE allows the DHCP server to send an update to the
DNS server after processing a DHCP request. The DNS server responds by sending a message back to the DHCP
server. The response from the DNS server can contain user-supplied data. When this message is received, the DHCP
server logs the transaction. A format string vulnerability exists in the DHCPD code that logs the transaction. A remote
attacker can exploit it to execute arbitrary code on the vulnerable host with the privileges of the DHCP server
(DHCPD), typically root.
Signature ID: 12332
Bootp invalid hardware type overflow
Threat Level: Information
Industry ID: CVE-1999-0798
Signature Description: A buffer overflow vulnerability exists in bootpd on FreeBSD 2.2.5 and 2.2.2 that can be
exploited via a malformed header type. The vulnerability is in bootpd.c. If an invalid hardware type is specified that
indexes past the end of the hardware info list table, the memory that resides after the hwinfo structure can be
addressed, potentially yielding a suitably aligned value that provides enough bytes to overwrite the stack. A remote
attacker can exploit this to execute arbitrary code.
Signature ID: 12333
Distccd command execution attempt
Threat Level: Information
Signature Description: Distccd is the distributed C/C++ compiler server. It runs on port 3632. Anyone who can connect
to the distcc server on port 3632 can run arbitrary commands on that machine as the distccd user. This rule tries to
detect any command execution attempt over a distcc server port.
Signature ID: 12334
ISAKMP failed login
Threat Level: Information
Signature Description: Internet Security Association and Key Management Protocol (ISAKMP) is a cryptographic
protocol that forms the basis of the IKE key exchange protocol. This rule tries to detect failed login attempts
through ISAKMP.
Signature ID: 12335
RSync Configured Module Path Escaping Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0426 Bugtraq: 10247 Nessus: 12230,14141,12497,13695,12610
Signature Description: Rsync is an open-source file synchronization and transfer utility for Linux available under the
GNU General Public License (GPL). Rsync versions prior to 2.6.1 could allow a remote attacker to write files outside of
a module's directory. When a non-read-only rsync daemon runs without chroot enabled, a remote attacker can send it a
path that causes files to be written to directories outside the module's path.