Signature Detail

HTTP: Generic No-Op Slide Request Overflow

This signature detects attempts to exploit a known vulnerability against Web servers on Intel x86 platforms. Attackers can use the "No-Op Slide" attack to pad the stack with "No Operation" x86 CPU instructions and overwrite the return address. A successful attack might allow arbitrary code execution.

Extended Description

Versions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa. SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap. SnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately.

Affected Products

• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86

References

• BugTraq: 2417
• CVE: CVE-2001-0236
• URL: http://www.security-forums.com/forum/viewtopic.php?p=190843
• URL: http://www.sans.org/resources/idfaq/polymorphic_shell.php
• URL: http://encyclopedia.thefreedictionary.com/NOP