TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 35168
Apache scoreboard shared memory and DoS attacks
Threat Level: Severe
Signature Description: The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows a local
attacker who can run code as the Apache UID to make the root-privileged parent process send a SIGUSR1 signal to an
arbitrary process, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be
allowed. The attacker achieves this by modifying the parent[].pid and parent[].last_rtime fields in the scoreboard.
Signature ID: 35169
Mozilla Gecko view-source attack
Threat Level: Severe
Signature Description: Konqueror 3.5.5 allows remote attackers to spoof the address bar and possibly conduct phishing
attacks via a long hostname, which is truncated after a certain number of characters, as demonstrated by a phishing
attack using HTTP Basic Authentication. The Gecko engine is developed by the Mozilla Foundation. Gecko's function is to
read web content, such as HTML, CSS, XUL, and JavaScript, and render it on the user's screen or print it. Attackers can
view the source of the original URL by modifying the .href property of style sheet DOM nodes to the final URI of a 302
redirect.
Signature ID: 35200
SAP MaxDB Remote Arbitrary Commands Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-0244 Bugtraq: 27206
Signature Description: SAP MaxDB is the database management system developed and supported by SAP AG. SAP
MaxDB is available on Microsoft Windows, Linux and Unix, and for the most prominent hardware platforms, and it can
run terabyte-range databases in continuous operation. SAP MaxDB 7.6.03 build 007 and prior are vulnerable to remote
code execution. When certain DBM commands are issued by a client, the MaxDB server builds the command string
"cons.exe DATABASE COMMAND" from the client-supplied values and runs it through system(). Because those values
are not sanitized before they reach the shell, an unauthenticated remote attacker can chain an arbitrary command onto
the request with "&&" or another shell pattern for running multiple commands, and that command executes on the
target SAP MaxDB server. No patch details were available when this signature was written. This signature detects
attack traffic carrying the db_enum, dbm_setpath, inst_unreg, trace_protopt and user_logon commands.
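The following is an added example, not part of this reference guide or of SAP MaxDB: a small Python checker that applies the detection idea described above to DBM request lines. It looks for the five watched command names and flags an argument that carries a shell-chaining metacharacter, which is the pattern an attacker needs when the argument is interpolated into a system() call. The command names come from the signature text; the metacharacter list, the sample request lines and their argument syntax are constructed assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# The five DBM server commands named in the signature description.
WATCHED_COMMANDS = {"db_enum", "dbm_setpath", "inst_unreg", "trace_protopt", "user_logon"}

# Shell metacharacters that chain or substitute a second command when the
# argument is pasted into a system() string ("&&", "||", "$(", ";", "|",
# backtick and an embedded newline). Assumption: this list is chosen to cover
# both cmd.exe and POSIX shells; the signature text itself only names "&&".
SHELL_META = re.compile(r"&&|\|\||\$\(|[;|`\n]")


def inspect_dbm_command(line: str) -> Optional[Tuple[str, str]]:
    """Return (command, reason) when a watched DBM command carries a shell
    metacharacter in its argument text, otherwise None."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    command = parts[0].lower()
    if command not in WATCHED_COMMANDS:
        return None
    argument = parts[1] if len(parts) > 1 else ""
    match = SHELL_META.search(argument)
    if match is None:
        return None
    return command, "shell metacharacter %r in argument" % match.group(0)


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run inspect_dbm_command over a sequence of request lines and collect
    (line_number, command, reason) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = inspect_dbm_command(line)
        if verdict is not None:
            hits.append((number, verdict[0], verdict[1]))
    return hits


# Constructed sample DBM requests; the argument syntax is illustrative only.
SAMPLE_REQUESTS = [
    "db_enum",
    "user_logon DBM,DBM",
    "dbm_setpath INSTALLATION C:\\sapdb",
    "db_enum && net user backdoor Passw0rd /add",
    "inst_unreg C:\\sapdb\\7603 || ping -n 1 attacker.example",
    "trace_protopt ;id",
    "help && whoami",  # not a watched command, so it is not reported
]

if __name__ == "__main__":
    for number, command, reason in scan(SAMPLE_REQUESTS):
        print("line %d: %s (%s)" % (number, command, reason))
```

The check deliberately keys on the command name first, so benign traffic using the same five commands without metacharacters produces no alert; tuning the metacharacter set is where false positives and misses are traded off.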
Signature ID: 35201
IBM Tivoli Provisioning Manager for OS Deployment HTTP Server Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2008-0401 Bugtraq: 27387
Signature Description: IBM Corp.'s Tivoli Provisioning Manager for OS Deployment is a network boot server that
facilitates central management of networked workstations. It implements the Preboot Execution Environment (PXE), a
Web-based administration service, DHCP, TFTP, and several additional protocols. IBM Tivoli Provisioning Manager for
OS Deployment version 5.1.0.3 and prior versions are vulnerable to a buffer overflow. The vulnerability is caused by a
boundary error within the logging functionality of the web server component. By sending a specially crafted request
with an overly large HTTP request method to TCP port 80 or TCP port 443 on a victim system, a remote attacker can
potentially compromise that system. Successful exploitation may allow execution of arbitrary code on the victim system
or cause a denial of service. The vendor has provided patches to resolve this issue.
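The following is an added example, not part of this reference guide or of the IBM product: a Python request-line inspector that reproduces the condition this signature keys on, an HTTP request whose method token is far longer than any legitimate method. It parses the first line of a raw request, measures the method, and also rejects methods containing bytes outside the RFC 7230 token character set, since an overflow payload for the logging code rarely consists of clean token characters. The length ceiling, the sample requests and the host name are constructed assumptions for illustration.

```python
from typing import Dict, Union

# RFC 7230 "tchar": the bytes a legal request method may contain.
TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# Ceiling on method length. Assumption: standard and WebDAV methods are all
# well under 20 bytes, so 32 leaves headroom without letting an overflow
# payload through.
MAX_METHOD_LEN = 32


def check_request_line(raw: bytes) -> Dict[str, Union[bool, int, str]]:
    """Inspect the first line of a raw HTTP request and return a verdict with
    the method length and whether the line should raise an alert."""
    request_line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        # No CRLF: fall back to a bare LF, or the whole buffer if there is none.
        request_line = raw.split(b"\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    verdict: Dict[str, Union[bool, int, str]] = {
        "method_len": len(method), "alert": False, "reason": ""}
    if len(method) == 0:
        verdict["alert"] = True
        verdict["reason"] = "empty request method"
    elif len(method) > MAX_METHOD_LEN:
        verdict["alert"] = True
        verdict["reason"] = "request method of %d bytes exceeds %d" % (len(method), MAX_METHOD_LEN)
    elif any(b not in TCHAR for b in method):
        verdict["alert"] = True
        verdict["reason"] = "request method contains non-token bytes"
    return verdict


# Constructed sample requests as they would arrive on TCP port 80 or 443.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: deploy.example\r\n\r\n",
    "webdav": b"PROPFIND /webdav/ HTTP/1.1\r\nHost: deploy.example\r\n\r\n",
    "overlong": b"A" * 2048 + b" / HTTP/1.0\r\n\r\n",
    "binary": b"GET\x90\x90\x90 / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = check_request_line(raw)
        print("%-9s method_len=%-5d alert=%s %s" % (
            name, verdict["method_len"], verdict["alert"], verdict["reason"]))
```

Because the signature applies to both port 80 and port 443, the TLS side can only be inspected where the sensor sits behind a TLS terminator or otherwise sees plaintext; the inspector above works on the decrypted request line in either case.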