TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
command line as “Command lines shall not exceed 512 characters in length, counting all characters including
spaces, separators, punctuation, and the trailing CR-LF (thus there are 510 characters maximum allowed for the
command and its parameters). There is no provision for continuation command lines.”
Signature ID: 22115
Cassandra NNTPServer v1.10 Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0341 Bugtraq: 1156
Signature Description: The Cassandra NNTP v1.10 server by Atrium Software is vulnerable to a denial-of-service attack
caused by a buffer overflow vulnerability. Cassandra NNTP is a Windows-based newsgroup server that can be
accessed and configured by a remote user. A remote attacker can Telnet to port 119 and overflow the login buffer by
entering a long username containing 10,000 characters or more, which can crash the server. When this is exploited,
the attacker can also run arbitrary code on the target machine.
Signature ID: 22116
Microsoft Outlook Express NNTP Server LIST Response Parsing Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1213 Bugtraq: 13951
Signature Description: Microsoft Outlook Express contains a newsgroup client and is able to connect to Network News
Transfer Protocol (NNTP) servers to collect data. The client component in Outlook Express is vulnerable to a
stack-based buffer overflow while parsing the response from a malicious NNTP server. After connecting to the NNTP
server, Outlook Express issues a LIST command to retrieve the available newsgroups. The server responds with a status
code of 215 and then lists the available groups in the form
'groupname<space>last_article<space>first_article<space>post'. The vulnerability specifically exists in msoe.dll of
Outlook Express, which does not check the length of last_article in a response to the LIST command before copying it
to a 16-byte stack buffer. An attacker could try to exploit the vulnerability by convincing a user to configure Outlook
Express to connect to a malicious NNTP server or by compromising an existing NNTP server. The attacker could then
create a specially crafted response and send it to an affected system. Successful exploitation of the
vulnerability allows remote attackers to execute arbitrary code under the privileges of the currently logged-on user. This
signature generates a log entry when a response packet with status code 215 is invalid.
Signature ID: 22117
Microsoft Outlook Express NNTP Server LIST Response Parsing Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1213 Bugtraq: 13951
Signature Description: Microsoft Outlook Express contains a newsgroup client and is able to connect to Network News
Transfer Protocol (NNTP) servers to collect data. The client component in Outlook Express is vulnerable to a
stack-based buffer overflow while parsing the response from a malicious NNTP server. After connecting to the NNTP
server, Outlook Express issues a LIST command to retrieve the available newsgroups. The server responds with a status
code of 215 and then lists the available groups in the form
'groupname<space>last_article<space>first_article<space>post'. The vulnerability specifically exists in msoe.dll
of Outlook Express, which does not check the length of last_article in a response to the LIST command before copying
it to a 16-byte stack buffer. An attacker could try to exploit the vulnerability by convincing a user to configure Outlook
Express to connect to a malicious NNTP server or by compromising an existing NNTP server. The attacker could then
create a specially crafted response and send it to an affected system. Successful exploitation of the
vulnerability allows remote attackers to execute arbitrary code under the privileges of the currently logged-on user.
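The length check that the two LIST-response entries above (22116 and 22117) say msoe.dll omits, written as an added example; it is not the vendor's signature logic or code from this guide. The function name and sample responses are constructed, and the 15-character limit assumes the field is copied as a NUL-terminated string into the 16-byte buffer.

```python
# Added example: defensive inspection of an NNTP LIST reply.
# Assumption: the 16-byte buffer holds a NUL-terminated string, so a
# last_article field of 16 or more bytes cannot fit.
LAST_ARTICLE_BUF = 16  # buffer size stated in the signature description


def check_list_response(raw: bytes) -> list:
    """Return findings for one server reply to LIST; an empty list means clean."""
    findings = []
    lines = raw.split(b"\r\n")
    status = lines[0].split(b" ", 1)[0]
    if status != b"215":
        return findings  # not a group listing, nothing to inspect
    for n, line in enumerate(lines[1:], start=1):
        if line == b".":  # end-of-listing terminator
            break
        if not line:
            continue
        fields = line.split(b" ")
        if len(fields) != 4:
            findings.append(f"line {n}: expected 4 fields, got {len(fields)}")
            continue
        _group, last, _first, _post = fields
        if len(last) >= LAST_ARTICLE_BUF:
            findings.append(
                f"line {n}: last_article is {len(last)} bytes, "
                f"does not fit a {LAST_ARTICLE_BUF}-byte buffer"
            )
        elif not last.isdigit():
            findings.append(f"line {n}: last_article is not numeric")
    return findings


# Constructed sample replies (not captured traffic).
BENIGN = (
    b"215 list of newsgroups follows\r\n"
    b"comp.lang.c 0000012345 0000000001 y\r\n"
    b"alt.test 0000000042 0000000007 n\r\n"
    b".\r\n"
)
OVERSIZED = (
    b"215 list of newsgroups follows\r\n"
    b"comp.lang.c " + b"1" * 64 + b" 0000000001 y\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    for name, reply in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_list_response(reply))
```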