[NT] Foundstone Fscan Format String Bug
From: support@securiteam.com To: list@securiteam.com Date: Fri, 19 Apr 2002 19:28:48 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Foundstone Fscan Format String Bug
------------------------------------------------------------------------
SUMMARY
A flaw in <http://www.Foundstone.com> Foundstone Fscan could result in a
malicious service banner overwriting the stack and the EIP on the PC
performing the scanning.
DETAILS
Vulnerable systems:
- Foundstone Fscan version 1.12 for Windows
Immune systems:
- Foundstone Fscan version 1.14 for Windows
If banner grabbing is turned on, Fscan passes the banner string it received
from the remote service directly as the format string (the printf(banner)
pattern) instead of printing it through a constant format with a %s
placeholder (printf("%s", banner)). Any % sequences in the banner are
therefore interpreted as conversion specifiers: %x-style directives read
words off the scanner's stack, and %n writes to memory, which is what lets a
crafted banner corrupt the stack and the saved return address (EIP).
This issue is probably best clarified using a worst-case scenario:
- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a malformed
banner containing format directives.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's host with banner grabbing on to check for abnormal
services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Administrator's
own PC, with code running in the security context Admin was using when he
was scanning.
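The two call patterns the advisory contrasts, shown as an added C example (this is not Foundstone's Fscan code, which is not reproduced here): a banner passed as the format string itself versus passed as a %s argument, together with a small check a scanner can run on a grabbed banner to flag format directives before anything is printed. The banner MALICIOUS_BANNER is constructed for illustration and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed banner of the kind a rogue service on the attacker's host
 * could return: %08x leaks stack words, %n writes to memory. */
static const char MALICIOUS_BANNER[] = "220 %08x.%08x.%08x.%n";

/* Vulnerable pattern: the untrusted banner IS the format string.
 * Shown for contrast only; never call this with data from the network. */
void print_banner_vulnerable(const char *banner)
{
    printf(banner);  /* undefined behaviour once banner contains %x, %s, %n ... */
}

/* Fixed pattern: constant format string, banner supplied as a %s argument.
 * A '%' inside the banner is now just a byte to be printed. */
void print_banner_fixed(const char *banner)
{
    printf("%s\n", banner);
}

/* Count printf conversion directives in a banner. "%%" is a literal percent
 * and is not counted. *writes receives the number of %n directives, the ones
 * that turn a leak into a memory write. */
int count_format_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, harmless */
            p++;
            continue;
        }
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (!*q)                /* lone '%' at end of string */
            break;
        n++;
        if (*q == 'n')
            (*writes)++;
        p = q;
    }
    return n;
}

/* Render a banner for display without ever using it as a format string:
 * printable bytes are copied, everything else is hex-escaped.
 * Returns the number of bytes written (excluding the terminating NUL). */
size_t render_banner(const char *banner, char *out, size_t outlen)
{
    size_t w = 0;
    const unsigned char *p = (const unsigned char *)banner;
    for (; *p && w + 5 < outlen; p++) {
        if (isprint(*p))
            out[w++] = (char)*p;
        else
            w += (size_t)snprintf(out + w, outlen - w, "\\x%02x", *p);
    }
    out[w] = '\0';
    return w;
}

int main(void)
{
    int writes;
    char shown[128];
    int n = count_format_directives(MALICIOUS_BANNER, &writes);
    render_banner(MALICIOUS_BANNER, shown, sizeof shown);
    printf("banner: %s\n", shown);
    printf("format directives: %d (of which %%n writes: %d)\n", n, writes);
    if (n > 0)
        puts("WARNING: banner contains format directives; printing it as a format string would be exploitable");
    print_banner_fixed(MALICIOUS_BANNER);   /* safe: '%' sequences are inert here */
    return 0;
}
```

The check in count_format_directives is a detection aid, not a substitute for the fix: the only correct repair is the one in print_banner_fixed, a constant format string with the banner as an argument, which is what Fscan 1.14 does.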
Vendor response:
The vendor was contacted on the 14th of April, 2002. The vendor identified
the problem as a format string bug. On the 17th of April, 2002 we received
a new version of Fscan that solved the issue. On the 18th of April, 2002
the vendor put that version online for download.
Corrective action:
The vendor has corrected the issue and put version 1.14 online:
<http://www.foundstone.com/knowledge/proddesc/fscan.html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:pgrundl@kpmg.dk> Peter
Gründl.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.