TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: Oracle is a widely deployed DBMS. Clients use a protocol called TNS to communicate with the
Oracle server. TNS protocol messages are used for session setup, authentication and data transfer. Oracle Database,
versions 8i, 9i, and 10g, could allow a remote attacker with create session privileges to execute arbitrary SQL
commands. The authentication part of the TNS protocol comprises two steps, involving two different client requests
and two server responses. The first request (message code 0x76) contains only the user name, while the second (message
code 0x73) contains the user name and an encrypted password. This second request also contains a list of name-value
pairs describing various attributes of the client. The value named 'AUTH_ALTER_SESSION' is intended for setting up
session attributes related to the locale and language, in the form of an ALTER SESSION SQL statement. This signature
detects when the AUTH_ALTER_SESSION value used during the TNS authentication process is executed with SYS
user privileges. A remote attacker could insert SQL statements into this value during authentication. Successful
exploitation may allow an attacker to add, modify, or delete information in the database.
Signature ID: 35444
Oracle Database Server String Conversion Function Buffer Overflow Vulnerability
Threat Level: Warning
Bugtraq: 10871
Signature Description: Oracle Database Server is a commercial relational database application suite. Oracle Database
Server versions 8i, 9i, and 10g are vulnerable to a buffer overflow in the TO_CHAR function. The TO_CHAR function is
used to convert a number or a date to a string. This rule will trigger when an attacker sends a request to the TO_CHAR
function, with a specially crafted request to the SYSTIMESTAMP function containing a long string. Successful
exploitation may allow an attacker to overflow a buffer and cause a denial of service or execute arbitrary code on the
server.
Signature ID: 35445
Oracle Database Server MD2 package VALIDATE_GEOM procedure Buffer Overflow
Threat Level: Warning
Bugtraq: 10871
Signature Description: Oracle Database Server is a commercial relational database application suite. Oracle Database
Server versions 8i, 9i, and 10g are vulnerable to a buffer overflow. This rule will trigger when an attacker supplies a
long 'LAYER' parameter to the 'VALIDATE_GEOM' function. Successful exploitation may allow an attacker to
overflow a buffer and execute arbitrary code on the system or cause the Oracle Server process to crash.
Signature ID: 35446
HP OpenView Network Node Manager Remote Command Execution vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2773
Bugtraq: 14662
Signature Description: Network Node Manager (NNM) is a Hewlett Packard OpenView product which manages
networks. NNM determines and displays physical and logical connectivity in networks, as well as information
pertaining to protocols running over the network. It also allows historical data to be collected and viewed/graphed.
Network Node Manager versions 6.20, 6.4x, 7.01 and 7.50 for multiple platforms are vulnerable to code and command
injection attacks. This signature detects when an attacker passes malicious shell metacharacters to the
connectedNodes.ovpl, cdpview.ovpl, freeIPaddres.ovpl, or ecscmg.ovpl script using the "node" parameter on TCP
port 3443. Successful exploitation may allow an attacker to execute arbitrary commands and gain elevated
privileges on the system.
Signature ID: 35447
Symantec DNS Response DoS vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0445
Bugtraq: 10336