TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Messenger, IRC, Novell GroupWise Messenger, Bonjour, Jabber, and Skype networks. The AOL Instant Messenger
(AIM) protocol handler in Cerulean Studios Trillian version 3.1.6.0 and prior is vulnerable to a buffer overflow while
handling aim:// URIs. The vulnerability is due to improper handling of a long aim:// URI in aim.dll. By persuading a
victim to open a specially crafted aim:// URI in a Web browser, a remote attacker could overflow a buffer and
execute arbitrary code on the system with the privileges of the victim once the malicious URI is passed to the Trillian
Instant Messenger client. Upgrade to version 3.1.7.0 or later.
Signature ID: 30309
GNU Mailutils Imap4D Command Tag Format String Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1523
Bugtraq: 13764
Signature Description: GNU Mailutils is a collection of mail-related utilities for Unix-like operating systems. The
imap4d server in GNU Mailutils versions 0.5 and 0.6 is prone to a remote format string vulnerability. The vulnerability
specifically exists in the handling of the command tag supplied by the remote user. Input supplied as the
command tag is used to generate another format string in vulnerable versions of imap4d. A remote attacker could
send a specially crafted command tag containing format string specifiers such as %n or %p to execute arbitrary code or
cause the system to crash. Upgrade to GNU Mailutils version 0.6.90 or later.
Signature ID: 30310
IMAP SEARCH Command Literal Overflow Attempt
Threat Level: Severe
Signature Description: The IMAP SEARCH command searches the mailbox for messages that match the given search
criteria. This rule triggers when an attempt is made to exploit a buffer overflow in an IMAP product by
sending the SEARCH command with a literal argument. When the server allows command continuation requests,
command data can be transmitted as literals. A literal is a sequence of zero or more octets (including CR
and LF), prefix-quoted with an octet count in the form of an open brace ("{"), the number of octets, a close brace ("}"),
and CRLF. In this case the LSUB command is sent by the client with a large literal value. Once the command
continuation request arrives from the server, the client sends an amount of data equal to the literal value (number of octets) minus 2.
Since the arguments of a SEARCH command will never be that large, this can be considered an attack.
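The following Python is an added illustration of the check this signature describes (example code, not from the guide or the TMS zl product): it parses the literal octet count announced at the end of a client IMAP SEARCH line and flags counts above a threshold. The sample lines and the 1024-octet limit are constructed assumptions.

```python
import re

# Constructed sample client command lines (not from the guide); each ends in CRLF.
SAMPLE_LINES = [
    b"A001 SEARCH CHARSET UTF-8 TEXT {12}\r\n",   # small literal, normal
    b"A002 SEARCH TEXT {65535}\r\n",              # oversized literal, suspicious
    b'A003 LSUB "" {4096}\r\n',                   # different command, not matched here
    b"A004 FETCH 1 BODY[]\r\n",                   # no literal at all
    b"A005 SEARCH FROM {12+}\r\n",                # non-synchronizing literal (RFC 2088)
]

# RFC 3501 literal at end of line: "{", decimal octet count, optional "+", "}", CRLF.
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}\r\n$")
# Tag and command name at the start of a client line.
TAG_CMD_RE = re.compile(rb"^(\S+) ([A-Za-z]+)")

MAX_SEARCH_LITERAL = 1024  # assumed threshold; SEARCH arguments are normally far smaller


def literal_octets(line):
    """Return the announced literal size in octets, or None if the line has no literal."""
    m = LITERAL_RE.search(line)
    return int(m.group(1)) if m else None


def flag_oversized_literal(line, command=b"SEARCH", limit=MAX_SEARCH_LITERAL):
    """Return (tag, command, size) if `line` is the given command announcing a
    literal larger than `limit`, else None."""
    m = TAG_CMD_RE.match(line)
    if not m or m.group(2).upper() != command:
        return None
    size = literal_octets(line)
    if size is None or size <= limit:
        return None
    return (m.group(1).decode(), command.decode(), size)


def scan(lines, command=b"SEARCH", limit=MAX_SEARCH_LITERAL):
    """Run the check over a sequence of client lines and collect the hits."""
    hits = []
    for line in lines:
        hit = flag_oversized_literal(line, command, limit)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for tag, cmd, size in scan(SAMPLE_LINES):
        print(f"ALERT: {tag} {cmd} announces literal of {size} octets")
```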
Signature ID: 30311
Motorola Timbuktu Pro Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-4220
Bugtraq: 25453
Signature Description: Timbuktu is a remote control software product developed by Netopia, which has since been acquired by
Motorola. Timbuktu Pro version 8.6.3.1367 and possibly prior versions are vulnerable to directory traversal via
malicious 'send' requests. When handling 'send' requests, Timbuktu does not properly check for directory traversal
specifiers such as ../, thus allowing a remote attacker to write files outside the intended location. Deletion of files is also
possible by sending a file with the same file name and tearing down the connection before transmission is complete. Since
the attacker can delete and create arbitrary files with SYSTEM privileges, they are able to write to important system
files such as libraries or start-up files, resulting in arbitrary code execution. Upgrade to version 8.6.5 of Timbuktu
Pro for Windows. This signature specifically detects a send request containing the "File:" pattern together with the ../
pattern.
Signature ID: 30312
Motorola Timbuktu Pro Send Request Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-4220
Bugtraq: 25453
Signature Description: Timbuktu is a remote control software product developed by Netopia currently acquired by