TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 16245
Linux rpc.statd Remote Format String Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0666
Bugtraq: 1480 Nessus: 10544
Signature Description: The rpc.statd server is an RPC server that implements the Network Status and Monitor RPC
protocol. It's a component of the Network File System (NFS) architecture. The rpc.statd program passes user-supplied
data to the syslog() function as a format string. Since there is no input validation of this string, a malicious user can
inject machine code to be executed with the privileges of the rpc.statd process, typically root.
Signature ID: 16246
RPC ToolTalk Service Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0003 Bugtraq: 122
Signature Description: The ToolTalk service allows independently developed applications to communicate with each
other by exchanging ToolTalk messages. Using ToolTalk, applications can create open protocols which allow different
programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration. The
ToolTalk database server (rpc.ttdbserverd) is an RPC service which manages objects needed for the operation of the
ToolTalk service. Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to
formulate an RPC message that will cause the server to overflow an automatic variable on the stack. By overwriting
activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by
the attacker in the RPC message, and thus gain total control of the server process. The ToolTalk service listens on both
UDP and TCP ports. This signature generates an event when an attacker sends the pattern over the TCP service.
Signature ID: 16247
RPC ToolTalk Service Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0003 Bugtraq: 122
Signature Description: The ToolTalk service allows independently developed applications to communicate with each
other by exchanging ToolTalk messages. Using ToolTalk, applications can create open protocols which allow different
programs to be interchanged, and new programs to be plugged into the system with minimal reconfiguration. The
ToolTalk database server (rpc.ttdbserverd) is an RPC service which manages objects needed for the operation of the
ToolTalk service. Due to an implementation fault in rpc.ttdbserverd, it is possible for a malicious remote client to
formulate an RPC message that will cause the server to overflow an automatic variable on the stack. By overwriting
activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by
the attacker in the RPC message, and thus gain total control of the server process.
Signature ID: 16248
Rpc.yppasswdd new password overflow attempt TCP
Threat Level: Severe
Industry ID: CVE-2001-0779
Signature Description: Network Information Service (NIS) provides a simple network lookup service consisting of
databases and processes. Its purpose is to provide information that has to be known throughout the network to all
machines on the network. Information likely to be distributed by NIS might be login names and/or group information.
A remotely exploitable buffer overflow exists in the rpc.yppasswdd service. This vulnerability is due to insufficient
bounds checking of user-supplied data. Successful exploitation of this vulnerability allows an attacker to execute
arbitrary commands on the vulnerable system. Solaris 2.6, 2.7 are vulnerable. Administrators are advised to update to the
latest version to resolve this issue. This signature specifically detects when an attacker sends a malicious pattern over
the TCP service.