ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 16233
Portmap Network-Status-Monitor (NSM) request UDP
Threat Level: Information
Signature Description: NSM runs on client machines and informs other hosts of the status of that machine should a
crash or reboot occur. Each remote application using an RPC service can therefore register with the host when services
are once again available. A request made to a machine will indicate to the attacker the status of that host and will also
be indicative of RPC services being available. The attacker might then continue to ascertain which RPC services are being
offered and then launch an attack on vulnerable daemons. This signature detects when an attacker sends a malicious
pattern in RPC-UDP traffic.
Signature ID: 16234
Integer overflow in Sun RPC XDR library routines TCP
Threat Level: Severe
Industry ID: CVE-2003-0028 Bugtraq: 7123
Signature Description: The XDR (external data representation) library from Sun Microsystems is a widely used
implementation for RPC services. XDR is a standard for the description and encoding of data which is used heavily in
RPC implementations. Some memory allocation routines in the XDR library provided by Sun Microsystems contain an
integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is
interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes()
function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result,
depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*()
family may suffer from an identical error. Exploiting this vulnerability will lead to denial of service, execution of
arbitrary code, or the disclosure of sensitive information. This signature detects attacks on TCP-based RPC traffic.
Signature ID: 16235
Integer overflow in Sun RPC XDR library routines UDP
Threat Level: Severe
Industry ID: CVE-2003-0028 Bugtraq: 7123
Signature Description: The XDR (external data representation) library from Sun Microsystems is a widely used
implementation for RPC services. XDR is a standard for the description and encoding of data which is used heavily in
RPC implementations. Some memory allocation routines in the XDR library provided by Sun Microsystems contain an
integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is
interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes()
function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result,
depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*()
family may suffer from an identical error. Exploiting this vulnerability will lead to denial of service, execution of
arbitrary code, or the disclosure of sensitive information. This signature detects attacks on UDP-based RPC traffic.
Signature ID: 16236
SGI IRIX rpc.xfsmd weak RPC authentication TCP
Threat Level: Information
Industry ID: CVE-2002-0359 Bugtraq: 5072
Signature Description: XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon
(rpc.xfsmd) on SGI systems uses the default AUTH_UNIX authentication mechanism for its RPC service. This means
the rpc.xfsmd daemon trusts that the remote system calling its RPC interface has already authenticated the remote client
process via standard UNIX user ID mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface,
it trusts remote RPC clients to be running with UID 0 [root] privileges). As a result, any remote system able to forge
UID 0 in its RPC call to vulnerable SGI rpc.xfsmd daemons can bypass the RPC authentication mechanism altogether.
A remote attacker can bypass the default AUTH_UNIX authentication mechanism for this RPC service, allowing