Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 925

FTP:WU-FTP:REALPATH-OF2
HTTP:3COM:3COM-PASS-LEAK
HTTP:3COM:ADMIN-LOGOUT
HTTP:3COM:CONF-DOWNLOAD
HTTP:3COM:LOG-CLEAN
HTTP:APACHE:APACHE-BADIPV6
HTTP:APACHE:APACHE-BADIPV6-2
HTTP:APACHE:CHUNKED-WORM
Copyright © 2010, Juniper Networks, Inc.
This signature detects buffer overflow attempts against the
realpath() function in Wu-ftpd, a software package that
provides File Transfer Protocol (FTP) services for UNIX and
Linux systems. Wu-ftpd version 2.5.0 and earlier are
vulnerable. Attackers may send a maliciously crafted FTP
pathname to overflow a buffer in realpath() and execute
arbitrary commands with administrator privileges.
This signature detects attempts to access a 3COM wireless
router web page that contains sensitive administrative
information. No authentication is required to access this
page.
This signature detects direct requests to the logout web
service on a 3Com 3crwe754g72-a based device. Attackers
that are spoofing a 3Com administrator's IP address may
call the logout application to force the administrator to
logout.
This signature detects attempts to download the
configuration file from a 3Com 3crwe754g72-a based device.
Attackers may use the sensitive information obtained from
the configuration file to gain full control over the device.
This signature detects attempts to cause a 3Com
3crwe754g72-a based device to clear its logs. Attackers may
use spoofed IP address to send a log clear request without
authenticating.
This signature detects attempts to exploit a vulnerability in
Apache Web server. All Apache servers on all platforms
running version Apache 2.0.50 and earlier are vulnerable.
Using apr-util, attackers may include a crafted IPv6 literal
address within an HTTP request to an Apache v2 server to
cause the Apache child process to quit. On BSD systems,
attackers may also be able to execute arbitrary code.
This signature detects attempts to exploit a vulnerability in
Apache Web server. All Apache servers on all platforms
running version Apache 2.0.50 and earlier are vulnerable.
Using apr-util, attackers may include a crafted IPv6 literal
address within an HTTP request to an Apache v2 server to
cause the Apache child process to quit. On BSD systems,
attackers may also be able to execute arbitrary code.
This signature detects attempts to infect Apache Web
servers with the Apache Worm. Apache versions 1.3.26,
2.0.38 and prior are vulnerable. Apache improperly calculates
required buffer sizes for chunked encoded requests due to
a signed interpretation of an unsigned integer value. The
worm sends POST requests containing malicious chunked
encoded data to exploit the Apache daemon.
Appendix E: Log Entries
critical sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
info sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
medium sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
critical sos5.1.0
875