ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
overwrite arbitrary files on the system. A remote attacker can send a specially crafted desname parameter to overwrite
any file on the application server. Apply the critical patch update released in Jan 2006 by Oracle. This signature
detects attacks using %HH encoding and attack packets sent to the range 7777-7787.
Signature ID: 35311
Novell Netmail IMAP Verb Literal Heap Overflow Vulnerability
Threat Level: Severe
Signature Description: Novell NetMail is an ISP-grade E-Mail package by Novell, Inc. Novell NetMail 3.52 and
earlier are vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the IMAP service
imapd. The IMAP protocol specifies a method called command continuation to allow string exchanges between server and
client that contain end-of-line characters as well as space characters, without the limitations imposed by the normal
parameter passing methods. Negative values are not allowed here. By sending a specially-crafted command
continuation request appended to IMAP verbs, a remote attacker could overflow a buffer and execute arbitrary code on
the system or cause the application to crash. Novell has issued an update to correct this vulnerability. Users are advised
to install this update.
Signature ID: 35312
ISS Protocol Analysis Module (PAM) ICQ Server Response Parsing Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0362
Bugtraq: 9913
Signature Description: The Protocol Analysis Module (PAM) in ISS products is vulnerable to a buffer overflow while
parsing the ICQ server response message. If an attacker sends a specially crafted UDP packet, they may be able to
execute arbitrary code. An Internet worm called "Witty" exploits this vulnerability in RealSecure and BlackICE
products on Windows systems. ISS has released patches for this issue. This rule hits when an attack pattern towards
destination port 5190 is found.
Signature ID: 35313
ISS Protocol Analysis Module (PAM) ICQ Server Response Parsing Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0362
Bugtraq: 9913
Signature Description: The Protocol Analysis Module (PAM) in ISS products is vulnerable to a buffer overflow while
parsing the ICQ server response message. If an attacker sends a specially crafted UDP packet, they may be able to
execute arbitrary code. An Internet worm called "Witty" exploits this vulnerability in RealSecure and BlackICE
products on Windows systems. ISS has released patches for this issue. This rule hits for the attack pattern towards
destination port 3000.
Signature ID: 35314
Oracle Application Server Web Cache DoS Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0385
Bugtraq: 9868 Nessus: 12126
Signature Description: The Oracle Web Cache is useful for caching static and dynamic content generated from Oracle
Application web servers, thus reducing bandwidth usage and server load. The Oracle9i Application Server Web Cache
versions 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 are vulnerable to a Denial of Service attack. The vulnerability
exists in how the Oracle Web Cache handles HTTP request headers. If a header within the request contains a NULL
byte, the Web Cache will not log the request to any of its logs and the server will keep the connection open with the
client until it has timed out. This can lead to a denial of service, by means of exceeding the limit upon the number of
simultaneous connections supported by the Web Cache. Oracle has released a patch to address this vulnerability that is