ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 16225
RPC UDP mount Call request Vulnerability
Threat Level: Information
Signature Description: To mount is to make a group of files in a file system structure accessible to a user or user group.
The mountd Remote Procedure Call (RPC) service implements the NFS mount protocol. NFS (Network File System) is a
client/server application designed by Sun Microsystems that allows all network users to access shared files stored on
computers of different types. When an NFS client requests a mount of an NFS file system, mountd examines the list of
exported file systems. If the NFS client is permitted access to the requested file system, mountd returns a file handle for
the requested directory. This issue allows an attacker to mount an NFS directory to read or change files. This
signature detects when an attacker sends a specially crafted pattern over UDP RPC.
Signature ID: 16226
RPC admind service Vulnerability
Threat Level: Information
Signature Description: This rule triggers when an attempt is made through a portmap GETPORT request to
discover the port where the Remote Procedure Call (RPC) admind service is listening. The portmapper service registers all RPC
services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The "admind" RPC
service is used by UNIX hosts to remotely perform distributed systems administration tasks such as adding new users
and setting passwords. This information can be used by an attacker to add user names and passwords and to gain sensitive
information. This signature detects when an attacker sends a specially crafted pattern over TCP RPC.
Signature ID: 16227
Sun Solaris cachefsd Heap Overflow Vulnerability TCP
Threat Level: Information
Industry ID: CVE-2002-0033 Bugtraq: 4674
Signature Description: Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris
2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems
mounted using the NFS protocol. A remotely exploitable heap overflow exists in the cachefsd program shipped and
installed by default with Sun Solaris. A remote attacker can send a crafted RPC request to the cachefsd program to
exploit the vulnerability.
Signature ID: 16228
SGI IRIX ESP daemon buffer overflow TCP
Threat Level: Information
Industry ID: CVE-2001-0331 Bugtraq: 2714
Signature Description: Embedded Support Partner (ESP) is an infrastructure that is integrated into the IRIX operating
system for the purposes of support. The Embedded Support Partner daemon (rpc.espd) in IRIX 6.5.8 and earlier is
vulnerable to a stack-based buffer overflow due to insufficient validation of user-supplied data. Successful exploitation
of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system. This vulnerability is
fixed in SGI IRIX 6.5.11. Administrators are advised to update to SGI IRIX 6.5.11 to resolve this
vulnerability. This signature detects when an attacker sends a malicious pattern in RPC-TCP traffic.
Signature ID: 16229
SGI IRIX ESP daemon buffer overflow UDP
Threat Level: Information
Industry ID: CVE-2001-0331 Bugtraq: 2714
Signature Description: Embedded Support Partner (ESP) is an infrastructure that is integrated into the IRIX operating
system for the purposes of support. The Embedded Support Partner daemon (rpc.espd) in IRIX 6.5.8 and earlier is