ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 14001
POP2 Service is Running
Threat Level: Warning
Signature Description: POP2 is an outdated protocol for downloading mail. As it is not being used, there may be many
vulnerabilities present in it. In the past, many vulnerabilities have been reported in POP2. This rule triggers if a
connection is established on port 109, indicating that a POP2 service is running.
Signature ID: 14002
Netscape Messaging Server Email Address Verification Vulnerability (USER)
Threat Level: Information
Industry ID: CVE-2000-0960 Bugtraq: 1787 Nessus: 10681
Signature Description: While attempting to connect to Netscape Messaging Server, if an invalid email address is
entered with a random password, an error message stating that the (username) email address is incorrect will be
displayed. However, when entering an invalid email address, the error message returned will state that the specified
email address is an invalid mailbox. Due to the differing error messages, it is possible for email address harvesters to
acquire lists of valid email addresses. After that, brute force can be applied to guess the password.
Signature ID: 14003
IMAP-4.4 POP2 Server FOLD Buffer Overflow
Threat Level: Severe
Industry ID: CVE-1999-0920 Bugtraq: 283
Signature Description: The POP2 server distributed with IMAP-4.4 and prior from the University of Washington
contains a buffer overflow problem in the FOLD command. The pop2 server supports the concept of an "anonymous
proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox if they have a valid
account. In this state the pop2 server runs under the "nobody" user id. Once logged on, issuing a FOLD command with
an argument of about 1000 bytes will cause a stack-based buffer overflow. This vulnerability could be remotely
exploited by an attacker to execute arbitrary commands as the user "nobody".
Signature ID: 14004
Netscape Messaging Server Email Address Verification Vulnerability (Password)
Threat Level: Information
Industry ID: CVE-2000-0960 Bugtraq: 1787 Nessus: 10681
Signature Description: While attempting to connect to Netscape Messaging Server, if an invalid password is entered
for a valid email address, an error message stating that the password is incorrect will be displayed. However, when
entering an invalid email address, the error message returned will state that the specified email address is an invalid
mailbox. Due to the differing error messages, it is possible for email address harvesters to acquire lists of valid email
addresses. After that, brute force can be applied to guess the password.
Signature ID: 14006
POP3 UIDL negative argument
Threat Level: Information
Industry ID: CVE-2002-1539 Bugtraq: 6053 Nessus: 11570
Signature Description: This event may indicate an attempt to exploit a boundary checking vulnerability in the UIDL
command on the Alt-N MDaemon POP server. If an authenticated user sends the UIDL command with a negative
argument to the POP server, the MDaemon service will crash when it attempts to process the command. Note that this
exploit can only be attempted by an authenticated user with a valid IMAP account on the server.