[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Thu Aug 18 15:05:56 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting Veritas Backup Exec Agent for Windows and Novell
ZenWorks Remote Management Agent.

Details:
A vulnerability exists in Veritas Backup Exec Agent for Windows. This
software uses the Network Data Management Protocol (NDMP) to communicate
between clients and servers. Authentication is required to connect
successfully, but a default user and MD5 password hash are accepted by
the server when MD5 authentication is selected in an NDMP
CONNECT_CLIENT_AUTH request.

A Rule to provide coverage against attacks targeting this vulnerability
is included in this rule pack and is identified as sid 4126.
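The following is an added example, not Sourcefire's sid 4126 rule and not Veritas code: it decodes an NDMP CONNECT_CLIENT_AUTH request from a TCP payload (XDR record mark, ndmp_header, then the auth union) using the message code and auth-type values from the NDMP v3/v4 specification, and flags an MD5 login whose (user, digest) pair appears on a watchlist of known-default credentials. The watchlist entry and the sample record are constructed here; the digest is a placeholder, not the actual default hash the advisory refers to.

```python
"""Decode NDMP CONNECT_CLIENT_AUTH and flag a known-default MD5 credential.

Added example for the Veritas Backup Exec advisory above; not the VRT's
rule and not a capture of real traffic. Wire-format constants are taken
from the NDMP v3/v4 specification (XDR encoding, big-endian)."""
import struct

NDMP_CONNECT_CLIENT_AUTH = 0x901          # ndmp_message code
NDMP_AUTH_NONE, NDMP_AUTH_TEXT, NDMP_AUTH_MD5 = 0, 1, 2
NDMP_HEADER_LEN = 24                      # six u32 fields

# Placeholder only: NOT the real default hash. A real watchlist would hold
# the vendor's hard-coded digest bytes.
PLACEHOLDER_DIGEST = bytes(range(16))
DEFAULT_WATCHLIST = {(b"root", PLACEHOLDER_DIGEST)}


def xdr_u32(buf, off):
    """Read one XDR unsigned int; return (value, next offset)."""
    return struct.unpack_from(">I", buf, off)[0], off + 4


def xdr_string(buf, off):
    """Read an XDR variable-length string: u32 length, bytes, pad to 4."""
    n, off = xdr_u32(buf, off)
    s = buf[off:off + n]
    if len(s) != n:
        raise ValueError("truncated XDR string")
    return s, off + ((n + 3) & ~3)


def parse_client_auth(payload):
    """Parse one NDMP record; return auth details for a CONNECT_CLIENT_AUTH
    request, or None if the record is some other message."""
    mark, off = xdr_u32(payload, 0)          # record mark: bit31 = last frag
    length = mark & 0x7FFFFFFF
    rec = payload[off:off + length]
    if len(rec) < length or length < NDMP_HEADER_LEN:
        raise ValueError("truncated NDMP record")
    # ndmp_header: sequence, time_stamp, message_type, message,
    #              reply_sequence, error
    _seq, _ts, mtype, msg, _rseq, _err = struct.unpack_from(">6I", rec, 0)
    if mtype != 0 or msg != NDMP_CONNECT_CLIENT_AUTH:   # 0 = request
        return None
    auth_type, off = xdr_u32(rec, NDMP_HEADER_LEN)
    info = {"auth_type": auth_type}
    if auth_type == NDMP_AUTH_TEXT:
        user, off = xdr_string(rec, off)
        password, off = xdr_string(rec, off)
        info.update(user=user, password=password)
    elif auth_type == NDMP_AUTH_MD5:
        user, off = xdr_string(rec, off)
        digest = rec[off:off + 16]           # opaque auth_digest[16]
        if len(digest) != 16:
            raise ValueError("truncated MD5 digest")
        info.update(user=user, digest=digest)
    return info


def build_client_auth_md5(user, digest, sequence=1):
    """Build a CONNECT_CLIENT_AUTH/MD5 record (constructed test traffic)."""
    body = struct.pack(">6I", sequence, 0, 0, NDMP_CONNECT_CLIENT_AUTH, 0, 0)
    body += struct.pack(">I", NDMP_AUTH_MD5)
    body += struct.pack(">I", len(user)) + user + b"\0" * ((-len(user)) % 4)
    body += digest
    return struct.pack(">I", 0x80000000 | len(body)) + body


def flag_default_credential(payload, watchlist=DEFAULT_WATCHLIST):
    """True when the payload is an MD5 login using a watchlisted credential.
    A TEXT or NONE login, or an unrelated message, never matches."""
    info = parse_client_auth(payload)
    if not info or info["auth_type"] != NDMP_AUTH_MD5:
        return False
    return (info["user"], info["digest"]) in watchlist


if __name__ == "__main__":
    sample = build_client_auth_md5(b"root", PLACEHOLDER_DIGEST)
    print(parse_client_auth(sample))
    print("default credential:", flag_default_credential(sample))
```

Matching on the full (user, digest) pair rather than on the user name alone keeps legitimate root logins with a real challenge-derived digest from firing; a detection that keys only on the auth type or the user name would alert on every MD5 login.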

Novell ZenWorks Remote Management Agent suffers from a programming
error that may allow a remote and unauthenticated attacker to access
memory space to the extent that it may be possible to execute code of
their choosing and take control of a vulnerable system.

Rules to provide coverage against attacks targeting this vulnerability
are included in this rule pack and are identified as sids 4129 and
4130.

Additionally, the Sourcefire VRT would like to thank Snort-sigs poster
"rmkml" for the many reference updates and other rule updates provided
over the last couple of weeks.

Note:
In order for the Novell ZenWorks rules to work correctly, port 1761 must
be added to the ports list on the stream4_reassemble preprocessor line in
the Snort configuration file, since the rules depend on reassembled TCP
stream data.

New rules:
4126 - EXPLOIT Veritas Backup Exec root connection attempt using
default password hash (exploit.rules)
4127 - EXPLOIT Novell eDirectory Server iMonitor overflow attempt
(exploit.rules)
4128 - WEB-CGI 4DWebstar ShellExample.cgi information disclosure
(web-cgi.rules)
4129 - EXPLOIT Novell ZenWorks Remote Management Agent large login
packet DoS attempt (exploit.rules)
4130 - EXPLOIT Novell ZenWorks Remote Management Agent Buffer Overflow
Attempt (exploit.rules)
4131 - EXPLOIT SHOUTcast URI format string attempt (exploit.rules)
4132 - WEB-CLIENT msdds clsid attempt (web-client.rules)
4133 - WEB-CLIENT devenum clsid attempt (web-client.rules)
4134 - WEB-CLIENT blnmgr clsid attempt (web-client.rules)
4135 - WEB-CLIENT IE JPEG heap overflow single packet attempt
(web-client.rules)
4136 - WEB-CLIENT IE JPEG heap overflow multipacket attempt
(web-client.rules)

Updated rules:
1652 - WEB-CGI campas attempt (web-cgi.rules)
2671 - WEB-CLIENT bitmap BitmapOffset integer overflow attempt
(web-client.rules)
3192 - WEB-CLIENT Windows Media Player directory traversal via
Content-Disposition attempt (web-client.rules)
3685 - WEB-CLIENT bitmap BitmapOffset multipacket integer overflow
attempt (web-client.rules)

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDBQXjMnMRC51b9Y4RAhqHAKCB3gZ0WMp+ayNeKKYghcrhfqCtMQCfWo1v
oP6W1W0G0NunZFO+jFIyhgY=
=G2oD
-----END PGP SIGNATURE-----