TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

CCM default installation directory. A remote attacker can reboot the system by executing the command radbootw.exe,
which is present in that directory, or can generate a file by using radexecd.exe (present in the same directory) and
later execute it in a similar way. The attacker can execute commands within the security context of the Radia
Notify Daemon, which is System by default. Administrators are advised to upgrade to the latest version of HP
OpenView Client Configuration Manager (version 2.0 or later).
Signature ID: 30054
Novell eDirectory HTTP Server Redirection Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5478 Bugtraq: 20655
Signature Description: Novell eDirectory iMonitor is a service for monitoring servers in an eDirectory installation.
Novell eDirectory 8.8.x before 8.8.1 FTF1, and 8.x up to 8.7.3.8 are vulnerable to a stack-based buffer overflow. The
vulnerability specifically exists in the httpstk.dll library on Windows and libhttpstk.so.1.0.0 on Linux/Unix systems. The
iMonitor HTTP server listens on multiple ports including TCP port 8028 as the default port. Requests made
to the resources /dhost and /nds are redirected to HTTPS ports by the iMonitor server so that any responses for these
requests will be transmitted by encrypted communication. While constructing the redirection URL, the user-provided
hostname portion of the Host header is copied to a fixed-size stack buffer of 64 bytes. A remote attacker could leverage
this issue by constructing a malicious request with a long 'Host' HTTP header. Successful exploitation could result in
execution of arbitrary code with the privileges of the user running the HTTP server. Install the patch as listed in Novell
Technical Information Document 2974600.
Signature ID: 30055
Novell eDirectory HTTP Server Redirection Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5478 Bugtraq: 20655
Signature Description: Novell eDirectory iMonitor is a service for monitoring servers in an eDirectory installation.
Novell eDirectory 8.8.x before 8.8.1 FTF1, and 8.x up to 8.7.3.8 are vulnerable to a stack-based buffer overflow. The
vulnerability specifically exists in the httpstk.dll library on Windows and libhttpstk.so.1.0.0 on Linux/Unix systems. The
iMonitor HTTP server listens on multiple ports including TCP port 8008 as the default port. Requests made
to the resources /dhost and /nds are redirected to HTTPS ports by the iMonitor server so that any responses for these
requests will be transmitted by encrypted communication. While constructing the redirection URL, the user-provided
hostname portion of the Host header is copied to a fixed-size stack buffer of 64 bytes. A remote attacker could leverage
this issue by constructing a malicious request with a long 'Host' HTTP header. Successful exploitation could result in
execution of arbitrary code with the privileges of the user running the HTTP server. Install the patch as listed in Novell
Technical Information Document 2974600.
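
The check described for signatures 30054 and 30055, sketched as an added example; it is not the TMS zl signature logic or Novell code. The function names and sample requests are hypothetical, and treating 64 or more hostname characters as an overflow assumes one byte of the buffer is needed for a terminator.

```python
# Added example, not the TMS zl signature logic; function names are hypothetical.
HOST_BUF_SIZE = 64                        # stack buffer size from the description
IMONITOR_PORTS = {8008, 8028}             # ports named in signatures 30054/30055
REDIRECTED_PREFIXES = ("/nds", "/dhost")  # resources redirected to HTTPS


def parse_request(raw):
    """Return (path, [Host header values]) from a raw request head, or None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip().decode("latin-1"))
    return parts[1].decode("latin-1"), hosts


def hostname_part(host_value):
    """Drop a trailing numeric :port; anything else is measured whole."""
    host, sep, port = host_value.rpartition(":")
    return host if sep and port.isdigit() else host_value


def is_suspicious(raw, dst_port):
    """Flag a request for a redirected resource whose Host hostname cannot fit
    the 64-byte buffer (assumption: one byte is needed for a terminator)."""
    parsed = parse_request(raw) if dst_port in IMONITOR_PORTS else None
    if parsed is None:
        return False
    path, hosts = parsed
    if not path.lower().startswith(REDIRECTED_PREFIXES):
        return False
    return any(len(hostname_part(h)) >= HOST_BUF_SIZE for h in hosts)


# Constructed sample traffic: (label, destination port, raw request).
SAMPLES = [
    ("normal", 8028, b"GET /nds HTTP/1.1\r\nHost: dir01.example.com:8028\r\n\r\n"),
    ("long-host", 8008, b"GET /dhost HTTP/1.1\r\nhost: " + b"h" * 80 + b":8008\r\n\r\n"),
    ("other-path", 8028, b"GET /index HTTP/1.1\r\nHost: " + b"h" * 80 + b"\r\n\r\n"),
    ("other-port", 80, b"GET /nds HTTP/1.1\r\nHost: " + b"h" * 80 + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for label, port, raw in SAMPLES:
        print(f"{label:11} port={port:<5} suspicious={is_suspicious(raw, port)}")
```

Only a trailing numeric port is stripped before measuring, so a value with a short label before a colon and a long tail is still measured in full. Valid DNS names can exceed 63 characters, so a hit is a prompt to check the eDirectory patch level rather than proof of an attack.
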
Signature ID: 30056
Novell eDirectory MS-Dos Device Name Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1729
Signature Description: Novell eDirectory is a software package that uses a Lightweight Directory Access Protocol
(LDAP) directory service for integrating enterprise and eBusiness programs. Novell eDirectory version 8.7.3 and
possibly earlier versions running on Microsoft Windows are vulnerable to a denial of service attack caused by a NULL
pointer dereference when handling HTTP requests. By sending a specially crafted HTTP request for reserved MS-DOS
device names such as AUX, CON, PRN, COM1, LPT1, etc., a remote attacker could cause the service to crash. Users are
advised to upgrade to the latest version of Novell eDirectory (8.7.3 or later) available from the Novell eDirectory
Support Web page. This rule hits when the attack pattern is found in traffic toward destination port 8008.