A flaw in Foundstone Fscan could result in a malicious service banner overwriting the stack and the EIP on the PC performing the scanning.

Credit:
The information has been provided by Peter Gründl.

Vulnerable systems:
- Foundstone Fscan version 1.12 for Windows
Immune systems:
- Foundstone Fscan version 1.14 for Windows
Details:
If banner grabbing is turned on, Fscan passes the banner string itself to the output routine as the format string, instead of printing it through a "%s" format specifier. Any '%' characters in a banner returned by the scanned service are therefore interpreted as format specifiers.
This issue is probably best clarified using a worst-case scenario:
- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Admin's own PC, in the security context Admin was using when he was scanning.
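As an added illustration (example code written for this page, not Foundstone's own), the output pattern the advisory's fix amounts to: the banner is passed as data to a constant format string instead of being used as the format string, together with two defensive checks a scanner or log reviewer can apply to banners returned by untrusted services. The sample banner and the host 192.0.2.10 are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hardened output: the banner is an argument to a constant format string, so
 * any '%' in it prints literally. The vulnerable pattern the advisory describes
 * is printf(banner), where the hostile banner itself becomes the format string. */
void print_banner_safe(const char *host, int port, const char *banner)
{
    printf("%s:%d  %s\n", host, port, banner);
}

/* Count the conversion directives an untrusted banner would inject if it were
 * used as a format string; "%%" is a literal percent and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent, harmless */
        n++;
    }
    return n;
}

/* Copy a banner of known length into a bounded, NUL-terminated buffer, replacing
 * non-printable bytes with '.'. Returns bytes written, excluding the terminator. */
size_t sanitize_banner(const unsigned char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t i, n = 0;
    if (out_cap == 0)
        return 0;
    for (i = 0; i < in_len && n < out_cap - 1; i++)
        out[n++] = isprint(in[i]) ? (char)in[i] : '.';
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample banner, not a capture: directives plus a control byte. */
    const unsigned char raw[] = "220 mail ready %s%s%n\x1b";
    char clean[64];
    size_t len = sanitize_banner(raw, sizeof raw - 1, clean, sizeof clean);
    printf("directives in banner: %d (%zu bytes)\n", count_format_directives(clean), len);
    print_banner_safe("192.0.2.10", 25, clean);  /* the %'s print literally */
    return 0;
}
```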
Vendor response:
The vendor was contacted on the 14th of April, 2002. The vendor identified the problem as a format string bug. On the 17th of April, 2002 we received a new version of Fscan that solved the issue. On the 18th of April, 2002 the vendor put that version online for download.
Corrective action:
The vendor has corrected the issue and put version 1.14 online: http://www.foundstone.com/knowledge/proddesc/fscan.html