TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 23006
Integer Overflow in challenge response handling of OpenSSH
Threat Level: Information
Industry ID: CVE-2002-0639
Bugtraq: 5093 Nessus: 11031
Signature Description: An integer overflow vulnerability exists in the challenge response handling code in OpenSSH
versions 2.3.1p1 through 3.3. These OpenSSH versions fail to verify the integer that specifies the number of responses
received during challenge response authentication. If the challenge response configuration option is set to yes and the
system is using SKEY or BSD_AUTH authentication, then a remote intruder may be able to exploit the vulnerability to
execute arbitrary code.
Signature ID: 23007
Kerberos administration daemon (kadmind) buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-2002-1235 CVE-2002-1226 CVE-2002-1235 CVE-2002-1225 Bugtraq: 5731,6024
Signature Description: A remotely exploitable buffer overflow exists in the Kerberos administration daemon
(kadmind) in both the MIT and KTH Kerberos implementations. The administration daemon handles requests for
changes to the Kerberos database and runs on the master Key Distribution Center (KDC) system of a Kerberos realm.
The master KDC contains the authoritative copy of the Kerberos database, thus it is a critical part of a site's Kerberos
infrastructure. The buffer overflow can be triggered when the daemon parses an unchecked length value contained in
an administrative request read from the network. An attacker does not have to authenticate in order to exploit this
vulnerability, and the Kerberos administration daemon runs with root privileges.
Signature ID: 24001
DNS BIND Request Overflow Attempt
Threat Level: Information
Industry ID: CVE-1999-0833 CVE-1999-0009 CVE-1999-0851 Bugtraq: 134,788
Signature Description: BIND versions prior to 8.2.2 are vulnerable to buffer overflow attempts that may cause root
compromise via malformed DNS requests. Vulnerabilities have been discovered in BIND, the DNS name server
implementation maintained by the Internet Consortium, and shipped with OpenLinux. This rule is generic and tries to
detect buffer overflow attempts via malformed DNS requests over TCP.
Signature ID: 24002
DNS Query to DNS server with vulnerable IQUERY option Detected
Threat Level: Information
Signature Description: A buffer overflow problem is present in certain versions of BIND software. BIND fails to properly
bound the data received when processing an inverse query (IQuery). Upon a memory copy, portions of the program can
be overwritten, and arbitrary commands run on the affected host. The IQUERY function, in named implementations, is
fed with an IP range (netmask) and it returns all the available resource records for the hosts within the given range.
Inverse queries have been deprecated. This rule triggers an event when such a query is seen on the wire. Older DNS
servers are vulnerable to exploits using this query. If a patched DNS server is running, it is safe to disable this rule.
Signature ID: 24003
DNS Zone transfer check
Threat Level: Information
Signature Description: The DNS zone transfer check determines whether or not zone transfers are supported by the given
nameserver. This rule triggers on the attack pattern type:SOA flowing toward the DNS server.