TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 24005
DNS caches answers with binary data check
Threat Level: Information
Signature Description: Caching binary data in place of host name information is very dangerous as many programs
expect the nameserver to return clean, valid printable information. It has been noted that many programs can be
exploited by passing invalid data via DNS responses. We query the name server for a legitimate host, and respond with
a legitimate reply containing invalid binary data. We then query the DNS server again to determine if this was cached
or not.
Signature ID: 24007
Determine if Bind 9 is running
Threat Level: Information
Nessus: 10728
Signature Description: This rule raises an event when an attempt is made to query authors.bind on a DNS server.
Beginning with BIND version 9, the authors of BIND created a new "feature" that allows a user to query for
the authors' names. This feature is enabled by default, allowing an attacker to query the DNS server and examine the
response. If the response returns the BIND authors' names, the attacker knows that the version of BIND running is 9 or
higher.
Signature ID: 24008
Determine which version of BIND name daemon is running
Threat Level: Information
Nessus: 10028
Signature Description: An attacker can query a DNS server for the version of BIND running. A response to this query
can assist an attacker in discovering servers that are potentially vulnerable to exploits associated with specific versions
of BIND. This rule raises an event when an attempt is made to query version.bind on the DNS server.
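The following added example (not part of the reference guide, and not the TMS zl Module's own rule logic) shows how a monitoring script could recognize the authors.bind and version.bind lookups that signatures 24007 and 24008 report on, by parsing the question section of a raw DNS query. The guide does not state the record type or class; the constructed sample queries use TXT in the CHAOS class, which is how BIND serves these names, and the function names are hypothetical.

```python
import struct

# Query names that signatures 24007 and 24008 report on (IDs taken from this guide).
PROBE_NAMES = {"authors.bind": 24007, "version.bind": 24008}
CLASS_NAMES = {1: "IN", 3: "CH"}

def build_query(name, qtype=16, qclass=3, txid=0x1234):
    """Constructed sample input: a one-question DNS query (default TXT, class CH)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:      # responses and empty queries are ignored
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None                    # ran off the end: truncated name
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            return None                    # compression pointer or overlong label
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def classify(msg):
    """Return (signature_id, qname, class_name) for a probe query, else None."""
    q = parse_question(msg)
    if q is None or q[0] not in PROBE_NAMES:
        return None
    return PROBE_NAMES[q[0]], q[0], CLASS_NAMES.get(q[2], str(q[2]))

if __name__ == "__main__":
    for name in ("version.bind", "AUTHORS.BIND", "www.example.com"):
        print(name, "->", classify(build_query(name)))
```

The name comparison is case-insensitive because DNS names are, and truncated or malformed packets return None rather than raising.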
Signature ID: 24009
DNS Bind 8 Transaction Signatures Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0010
Bugtraq: 2302
Signature Description: Berkeley Internet Name Domain (BIND) is a server program that implements the DNS protocol.
BIND versions 8.2.x are vulnerable to a buffer overflow while handling Transaction Signatures (TSIG). Transaction
Signatures (TSIG) are used to provide transaction-level authentication for DNS exchanges, adding cryptographic
signatures to the messages sent to the DNS server. When a BIND server receives a request with a TSIG resource record
that contains an invalid secure key, it will bind to error processing code. The code does not check the length of the DNS
request and the number of bytes that can be written to the available memory when framing a response to the client. The
response is composed by appending an error code and a transaction signature to the existing request. The insufficient
checking results in the TSIG response being written beyond the boundaries of the allocated buffer and overwriting
adjacent memory on the stack (UDP request). This rule triggers when a specific inverse query has been performed
against a DNS server. This attempt can be treated as a precursor to exploiting the Transaction Signature (TSIG) buffer
overflow vulnerability. It is strongly recommended to upgrade to BIND version 9.1.0.
Signature ID: 24010
DNS Bind 8 Transaction Signatures Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0010
Bugtraq: 2302
Signature Description: Berkeley Internet Name Domain (BIND) is a server program that implements the DNS protocol.