TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 16241
Sun Solstice Adminsuite Daemon sadmind Buffer Overflow UDP
Threat Level: Severe
Industry ID: CVE-1999-0977 Bugtraq: 866
Signature Description: The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice AdminSuite packages are installed. The sadmind program is installed in /usr/sbin and is used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. In vulnerable versions of sadmind, passing an overly long buffer in a NETMGT_PROC_SERVICE request (issued via clnt_call()) overflows a stack buffer, overwriting control data on the stack and allowing arbitrary code to be executed. Because sadmind runs as root, that code executes with root privileges on the remote machine. This signature detects an attacker sending this malicious pattern in RPC-over-UDP traffic.
Signature ID: 16242
Sun Solstice AdminSuite sadmind UDP PING
Threat Level: Information
Signature Description: The sadmind RPC service is used by Sun Solstice AdminSuite applications to perform remote distributed system administration tasks such as adding new users. The daemon's ping function reports whether it is active, so an attacker can ping sadmind to confirm that the service is running before attempting an attack. This signature detects a ping request to sadmind in RPC-over-UDP traffic.
Signature ID: 16243
Sun Solstice Adminsuite Daemon sadmind query with root credentials attempt UDP
Threat Level: Information
Industry ID: CVE-1999-0977 Bugtraq: 2354, 866
Signature Description: The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice AdminSuite packages are installed. The sadmind program is installed in /usr/sbin and is used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. Versions of sadmind shipped with a default security level that required no real authentication: the credentials supplied by the client in the RPC call were trusted as-is, so a remote user could claim root credentials, access the service and compromise the target system. This signature detects a sadmind request carrying root credentials in RPC-over-UDP traffic.
Signature ID: 16244
Sun Solstice AdminSuite Daemon sadmind query with root credentials attempt TCP
Threat Level: Information
Industry ID: CVE-1999-0977 Bugtraq: 2354, 866
Signature Description: The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice AdminSuite packages are installed. The sadmind program is installed in /usr/sbin and is used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. Versions of sadmind shipped with a default security level that required no real authentication: the credentials supplied by the client in the RPC call were trusted as-is, so a remote user could claim root credentials, access the service and compromise the target system. This signature detects a sadmind request carrying root credentials in RPC-over-TCP traffic.
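The conditions described for signatures 16241 through 16244 (an overly long NETMGT_PROC_SERVICE argument, a request carrying root credentials, and a ping of the daemon) can all be evaluated from the ONC RPC call header. The Python script below is an added example written for this page, not code from the TMS zl module or from ProCurve: it builds constructed sadmind call messages, parses the RPC CALL header and any AUTH_UNIX credentials, and returns the signature IDs that would fire. Assumptions not stated on the page: NETMGT_PROC_SERVICE is taken to be procedure 1, the ping is taken to be the standard RPC NULL procedure 0, 512 bytes is used as the argument-length threshold for the overflow check, and the TCP path assumes a single unfragmented RPC record. sadmind's RPC program number 100232 is the one rpcinfo reports for it.

```python
import struct

# ONC RPC constants (RFC 5531)
RPC_CALL = 0
RPC_VERSION = 2
AUTH_NULL = 0
AUTH_UNIX = 1          # AUTH_SYS: the client asserts its own uid/gid, nothing is verified
NULLPROC = 0           # the conventional "ping" procedure of every RPC program

SADMIND_PROG = 100232     # sadmind's RPC program number as rpcinfo reports it
SADMIND_VERS = 10
NETMGT_PROC_SERVICE = 1   # assumption for this example: the page does not give the procedure number
OVERFLOW_THRESHOLD = 512  # assumption: argument length above which the call is treated as an overflow attempt


def _pad4(n):
    return (-n) % 4


def xdr_opaque(data):
    """XDR variable-length opaque/string: 4-byte length, data, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * _pad4(len(data))


def auth_null():
    return struct.pack(">II", AUTH_NULL, 0)


def auth_unix(uid, gid, machine=b"client", stamp=0, gids=()):
    """AUTH_UNIX credential: stamp, machinename, uid, gid, supplementary gids."""
    body = struct.pack(">I", stamp) + xdr_opaque(machine) + struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">I", AUTH_UNIX) + xdr_opaque(body)


def rpc_call(xid, prog, vers, proc, cred, params=b""):
    """RPC CALL message: header, credential, NULL verifier, procedure arguments."""
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    return hdr + cred + auth_null() + params


def record_mark(msg):
    """RPC-over-TCP record marking: last-fragment bit plus 31-bit fragment length."""
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


def parse_rpc_call(msg):
    """Return the CALL header fields, AUTH_UNIX uid/gid (if present) and the argument bytes, or None."""
    if len(msg) < 24 + 8 + 8:          # header + credential header + verifier header
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", msg[:24])
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    off = 24
    cred_flavor, cred_len = struct.unpack(">II", msg[off:off + 8])
    off += 8
    cred_body = msg[off:off + cred_len]
    off += cred_len + _pad4(cred_len)
    if len(msg) < off + 8:             # credential length points past the message
        return None
    verf_len = struct.unpack(">I", msg[off + 4:off + 8])[0]
    off += 8 + verf_len + _pad4(verf_len)
    if off > len(msg):
        return None
    uid = gid = None
    if cred_flavor == AUTH_UNIX and len(cred_body) >= 8:
        mlen = struct.unpack(">I", cred_body[4:8])[0]   # machinename length
        p = 8 + mlen + _pad4(mlen)                      # uid follows the padded name
        if len(cred_body) >= p + 8:
            uid, gid = struct.unpack(">II", cred_body[p:p + 8])
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "uid": uid, "gid": gid, "params": msg[off:]}


def classify(payload, transport="UDP"):
    """Return the signature IDs from this page that fire for one sadmind RPC message."""
    if transport == "TCP":
        payload = payload[4:]          # strip the record mark; assumes one unfragmented record
    call = parse_rpc_call(payload)
    if call is None or call["prog"] != SADMIND_PROG:
        return []
    hits = []
    # 16241: overly long NETMGT_PROC_SERVICE argument over UDP (the page lists only a UDP variant)
    if transport == "UDP" and call["proc"] == NETMGT_PROC_SERVICE \
            and len(call["params"]) > OVERFLOW_THRESHOLD:
        hits.append(16241)
    # 16243 / 16244: AUTH_UNIX credentials claiming uid 0
    if call["cred_flavor"] == AUTH_UNIX and call["uid"] == 0:
        hits.append(16243 if transport == "UDP" else 16244)
    # 16242: NULL-procedure ping over UDP
    if transport == "UDP" and call["proc"] == NULLPROC:
        hits.append(16242)
    return hits


# Constructed sample traffic for this example (not captured data)
SAMPLE_PING = rpc_call(1, SADMIND_PROG, SADMIND_VERS, NULLPROC, auth_null())
SAMPLE_ROOT_QUERY = rpc_call(2, SADMIND_PROG, SADMIND_VERS, NETMGT_PROC_SERVICE,
                             auth_unix(0, 0, b"attacker"), b"\x00" * 64)
SAMPLE_OVERFLOW = rpc_call(3, SADMIND_PROG, SADMIND_VERS, NETMGT_PROC_SERVICE,
                           auth_unix(0, 0), b"A" * 1500)
SAMPLE_NFS_NULL = rpc_call(4, 100003, 3, NULLPROC, auth_null())   # NFS ping, not sadmind

if __name__ == "__main__":
    for name, pkt in [("ping", SAMPLE_PING), ("root query", SAMPLE_ROOT_QUERY),
                      ("overflow", SAMPLE_OVERFLOW), ("nfs null", SAMPLE_NFS_NULL)]:
        print(name, "UDP:", classify(pkt), "TCP:", classify(record_mark(pkt), "TCP"))
```

The root-credential check keys on the credential flavor and uid rather than on a byte pattern, so it does not depend on the machinename the client sends; a production sensor would additionally reassemble RPC-over-TCP fragments and IP fragments before parsing, since the threshold check on argument length is trivially evaded by splitting the request otherwise.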