Signature Detail

SHELLCODE: x86 Intel Architecture Instruction Set NOOP Slide (TCP-CTS)

This signature detects attempts to exploit a known vulnerability against an x86 system. Attackers can send long strings of NOOPs to overflow the buffer and gain root access. To properly use this signature in your policy, override the default service binding to the services you wish to protect.

Extended Description

The libc library includes functions which perform DNS lookups. A buffer overflow vulnerability has been reported in versions of libc used by some operating systems. In particular, FreeBSD, NetBSD, OpenBSD and GNU glibc have been reported to suffer from this issue. The vulnerable code is related to DNS queries. It may be possible for a malicious DNS server to provide a response which will exploit this vulnerability, resulting in the execution of arbitrary code as the vulnerable process. The consequences of exploitation will be highly dependant on the details of individual applications using libc.

Affected Products

• Astaro Security Linux 2.0.0 16
• Astaro Security Linux 2.0.0 23
• Astaro Security Linux 2.0.0 24
• Astaro Security Linux 2.0.0 25
• Astaro Security Linux 2.0.0 26
• Cray UNICOS 8.0.0
• Cray UNICOS 8.3.0
• Cray UNICOS 9.0.0
• Cray UNICOS 9.0.2 .5
• Cray UNICOS 9.2.0
• Cray UNICOS 9.2.0 .4
• FreeBSD 4.3.0
• FreeBSD 4.3.0 -RELEASE
• FreeBSD 4.3.0 -RELENG
• FreeBSD 4.3.0 -STABLE
• FreeBSD 4.4.0
• FreeBSD 4.4.0 -RELENG
• FreeBSD 4.4.0 -STABLE
• FreeBSD 4.5.0
• FreeBSD 4.5.0 -RELEASE
• FreeBSD 4.5.0 -STABLE
• FreeBSD 4.6.0
• FreeBSD 4.6.0 -RELEASE
• FreeBSD 5.0.0
• FreeBSD 5.0.0 Alpha
• GNU glibc 2.0.0
• GNU glibc 2.0.1
• GNU glibc 2.0.2
• GNU glibc 2.0.3
• GNU glibc 2.0.4
• GNU glibc 2.0.5
• GNU glibc 2.0.6
• GNU glibc 2.1.0
• GNU glibc 2.1.1
• GNU glibc 2.1.1 -6
• GNU glibc 2.1.2
• GNU glibc 2.1.3
• GNU glibc 2.1.3 -10
• GNU glibc 2.1.9 And Greater
• GNU glibc 2.2.0
• GNU glibc 2.2.1
• GNU glibc 2.2.2
• GNU glibc 2.2.3
• GNU glibc 2.2.4
• GNU glibc 2.2.5
• HP Color LaserJet 4600
• HP colour LaserJet 4550
• HP Digital Sender 9100C
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 10.24.0
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• HP HP-UX 11.11.0
• HP HP-UX 11.22.0
• HP JetDirect J4167A
• HP JetDirect J4169A
• HP JetDirect J6035A
• HP JetDirect J6038A
• HP JetDirect J6039A
• HP JetDirect J6042A
• HP JetDirect J6057A
• HP JetDirect J6058A
• HP JetDirect J6061A
• HP LaserJet 4100
• HP LaserJet 4100MFP
• HP LaserJet 9000MFP
• IBM AIX 4.3.0
• IBM AIX 5.1
• ISC BIND 4.9.0
• ISC BIND 4.9.3
• ISC BIND 4.9.4
• ISC BIND 4.9.5
• ISC BIND 4.9.6
• ISC BIND 4.9.7
• ISC BIND 4.9.8
• ISC BIND 8.1.0
• ISC BIND 8.1.1
• ISC BIND 8.1.2
• ISC BIND 8.2.0
• ISC BIND 8.2.1
• ISC BIND 8.2.2
• ISC BIND 8.2.2 P1
• ISC BIND 8.2.2 P2
• ISC BIND 8.2.2 P3
• ISC BIND 8.2.2 P4
• ISC BIND 8.2.2 P5
• ISC BIND 8.2.2 P6
• ISC BIND 8.2.2 P7
• ISC BIND 8.2.3
• ISC BIND 8.2.4
• ISC BIND 8.2.5
• ISC BIND 9.2.0
• ISC BIND 9.2.1
• NetBSD 1.4.0
• NetBSD 1.4.0 Alpha
• NetBSD 1.4.0 arm32
• NetBSD 1.4.0 SPARC
• NetBSD 1.4.0 x86
• NetBSD 1.4.1
• NetBSD 1.4.1 Alpha
• NetBSD 1.4.1 arm32
• NetBSD 1.4.1 sh3
• NetBSD 1.4.1 SPARC
• NetBSD 1.4.1 x86
• NetBSD 1.4.2
• NetBSD 1.4.2 Alpha
• NetBSD 1.4.2 arm32
• NetBSD 1.4.2 SPARC
• NetBSD 1.4.2 x86
• NetBSD 1.4.3
• NetBSD 1.5.0
• NetBSD 1.5.0 Sh3
• NetBSD 1.5.0 X86
• NetBSD 1.5.1
• NetBSD 1.5.2
• NetBSD 1.5.3
• OpenBSD 2.7.0
• OpenBSD 2.8.0
• OpenBSD 2.9.0
• OpenBSD 3.0
• OpenBSD 3.1
• SCO Open Server 5.0.5
• SCO Open Server 5.0.6
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86
• Sun Solaris 9 Sparc

References

• BugTraq: 5100
• CVE: CVE-2002-0651
• URL: http://www.kb.cert.org/vuls/id/542971