ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
to process DNS response packets. This component is vulnerable to a stack overflow while processing the CNAME field
of a DNS response packet. By supplying an excessively long canonical name in the CNAME field of a resource record,
remote attackers could trigger a stack-based buffer overflow. Successful exploitation would enable attackers to execute
arbitrary code on an affected system with kernel-level privileges. A patch is available and can be installed through
Symantec LiveUpdate.
Signature ID: 30077
MailEnable SMTP Server HELO Command Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3277 Bugtraq: 18630
Signature Description: MailEnable is a mail server for Microsoft Windows available as a commercial product and as
freeware. A denial of service vulnerability exists in MailEnable Standard 1.92 and earlier, Professional 2.0 and earlier,
and Enterprise 2.0 and earlier. The HELO command expects a domain name as its argument. The server implementation
assumes the word HELLO for the HELO command and calculates the length of the domain name by subtracting 7 from the
total length of this HELLO message (7 because it includes the newline character at the end). Therefore, if a null byte
appears at the beginning of the argument field, the length of the domain name becomes negative and an integer overflow
occurs, producing a very large value that is later used as the copy size. A remote attacker could exploit this
vulnerability by sending a HELLO message with a null byte in its argument, which crashes the server. Apply Hotfix
ME-10013, available from the MailEnable Web site.
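The length calculation described above, shown as an added C example (not MailEnable's code and not part of this guide): the unchecked form wraps to a very large size when the measured length is below 7, and the checked form rejects such input before any copy. It assumes the total length is measured up to the first null byte, as strlen does; the function names, DOMAIN_MAX and the sample lines are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASSUMED_OVERHEAD 7  /* constant subtracted per the description: "HELLO " plus newline */
#define DOMAIN_MAX 255      /* assumed capacity of the destination buffer (constructed value) */

/* Flawed pattern: the measured length stops at the first NUL (assumption), and the
 * unsigned subtraction wraps when that length is below 7. */
size_t domain_len_unchecked(const char *line)
{
    return strlen(line) - ASSUMED_OVERHEAD;
}

/* Hardened pattern: use the byte count actually received, reject embedded NULs,
 * and bounds-check on both sides before the value can reach a copy.
 * Returns 0 and sets *out on success, -1 on rejection. */
int domain_len_checked(const char *buf, size_t received, size_t *out)
{
    if (memchr(buf, '\0', received) != NULL)
        return -1;                       /* a NUL inside the command line is rejected */
    if (received <= ASSUMED_OVERHEAD)
        return -1;                       /* subtraction would wrap or leave no domain */
    size_t n = received - ASSUMED_OVERHEAD;
    if (n > DOMAIN_MAX)
        return -1;                       /* longer than the destination can hold */
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char good[] = "HELLO example.org\n";
    const char nul[]  = "HELLO \0a\n";
    size_t n = 0;

    printf("unchecked, normal line : %zu\n", domain_len_unchecked(good));
    printf("unchecked, NUL argument: %zu\n", domain_len_unchecked(nul));
    printf("checked, normal line   : %d\n", domain_len_checked(good, sizeof good - 1, &n));
    printf("checked, NUL argument  : %d\n", domain_len_checked(nul, sizeof nul - 1, &n));
    return 0;
}
```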
Signature ID: 30078
AltN MDaemon Content Filter Directory Traversal Vulnerability
Threat Level: Severe
Bugtraq: 14400
Signature Description: MDaemon is a multi-protocol mail server that runs on Microsoft Windows systems. MDaemon
version 8.0.4 and possibly earlier versions could allow a remote attacker to traverse directories on the Web server
because of improper validation of user-supplied input in the content filter. If the file attachment quarantine is
enabled, a remote attacker could send a specially crafted email containing a virus-infected attachment with "dot dot"
sequences (/../) in the file name to traverse directories and write files to arbitrary directories on the system.
Upgrade to MDaemon 8.1.0 or later.
Signature ID: 30079
ISS Protocol Analysis Module (PAM) ICQ Server Response Parsing Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0362 Bugtraq: 9913
Signature Description: The Protocol Analysis Module (PAM) in ISS products is vulnerable to a buffer overflow while
parsing the ICQ server response message. A UDP packet with a source port of 4000 is handled by the PAM as an ICQ
server response message. If an attacker sends a specially crafted UDP packet that originates with a source port of 4000,
they may be able to execute arbitrary code. An Internet worm called "Witty" exploits this vulnerability in RealSecure
and BlackICE products on Windows systems. ISS have released patches for this issue.
Signature ID: 30080
OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3738 CVE-2007-5135 Bugtraq: 20249
Signature Description: OpenSSL is an open source implementation of the SSL protocol. A remotely exploitable buffer
overflow vulnerability exists in OpenSSL versions 0.9.7-0.9.8. The vulnerability specifically exists in the
SSL_Get_Shared_Ciphers function, which extracts the cipher codes from the ClientHello message. A remote attacker