TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

attempts to register a new service on the portmapper/rpcbind by utilizing this technique. In this way the set request
appears to come from the local machine and may bypass address checks. This signature detects when an attacker sends a
specially crafted pattern over TCP RPC.
Signature ID: 16200
RPC Automounter Daemon (amd) Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0704 Bugtraq: 614
Signature Description: The automounter daemon (amd) automatically mounts filesystems whenever a file
or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have
become quiescent. The automounter daemon (amd) is vulnerable to a buffer overflow in the mount code. The amd
daemon responds to attempts to access files by automatically mounting the file systems on which those files reside. By
passing a long string to the AMQPROC_MOUNT procedure, a remote attacker can overflow the buffer and gain root
privileges on the system. Administrators are advised to update to the latest version to resolve this issue. This signature
detects when an attacker sends a malicious pattern in RPC-UDP traffic.
Signature ID: 16201
RPC Automounter Daemon (amd) PID request TCP
Threat Level: Information
Industry ID: CVE-1999-0704
Signature Description: This rule gets hit when a request is made to discover the Process ID (PID) of the Remote
Procedure Call (RPC) amd. The amd RPC service implements the automounter daemon on UNIX hosts. The amd
service automatically mounts and unmounts requested file systems. An attacker can make a request to amd to discover
its PID. Learning the PID may help an attacker guess a range of likely PIDs associated with other running services that
are either started before or after amd. This may facilitate an attack against other running processes.
Signature ID: 16202
RPC Automounter Daemon (AMD) version request TCP
Threat Level: Information
Signature Description: This rule gets hit when a request is made to discover the version and configuration information
associated with the Remote Procedure Call (RPC) amd. The amd RPC service implements the automounter daemon on
UNIX hosts. The amd service automatically mounts and unmounts requested file systems. An attacker can make a
request to amd to discover its version number. A successful request will return the version number along with other
valuable configuration information about the server, including the architecture. This signature detects RPC
Automounter Daemon (AMD) version requests using TCP.
Signature ID: 16203
RPC Automounter Daemon (amd) Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0704
Bugtraq: 614
Signature Description: The automounter daemon (amd) automatically mounts filesystems whenever a file
or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have
become quiescent. The automounter daemon (amd) is vulnerable to a buffer overflow in the mount code. The amd
daemon responds to attempts to access files by automatically mounting the file systems on which those files reside. By
passing a long string to the AMQPROC_MOUNT procedure, a remote attacker can overflow the buffer and gain root
privileges on the system. Administrators are advised to update to the latest version to resolve this issue. This signature
detects when an attacker sends a malicious pattern in RPC-TCP traffic.