From: hellNbak (hellnbak_at_nmrc.org)
Date: Wed Sep 18 2002 - 12:12:59 CDT
Credit for this find belongs with Foundstone. Typical of ISS to release
their own advisory not giving proper credit. heh, even on their own
I also think that they downplay this a little. I am sure no one here has
not seen "ISSCRACK" or "ISSKEYGEN" so it's safe to say that ISS Scanner can
easily be used by the kiddies to scan boxes - I have IDS logs to prove
that it happens to at least one person. :-)
From the Foundstone advisory
it appears that you simply need to craft some funky asses long HTTP
responses. Does anyone have additional information on this one? It would
be nice to incorporate this into web boxes and essentially defend against
ISS Scanner being used.
"I don't intend to offend, I offend with my intent"
---------- Forwarded message ----------
Subject: FW: [Customerconnect] Important Information re: Internet Scanner 6.2.1

-----Original Message-----
From: ISS Customer Relations [mailto:bpq@iss.net]
Sent: Wed 9/18/2002 9:47 AM
To: customerconnect@iss.net
Cc:
Subject: [Customerconnect] Important Information re: Internet Scanner 6.2.1
September 18, 2002
Dear ISS Customer,
Internet Security Systems (ISS) has become aware of an issue with Internet Security Systems' Internet Scanner 6.2.1 that may potentially allow the scanning application to be crashed by a malicious web server. ISS has developed a fix for this issue, and it is available now.
It is possible for an attacker to cause Internet Scanner to crash by setting up a malicious web server. When Internet Scanner scans the malicious web server, the script will cause a buffer overflow that crashes the scanning application. It may also be possible for attackers to formulate a specific response to execute arbitrary code on the Scanner host. However, this has not been demonstrated in the ISS labs or in the wild.
ISS considers this issue low risk since (1) it requires a malicious web server to be set up, and (2) potential attackers are limited to trusted systems on your network scanned by Internet Scanner. Intruders outside of the scanned systems cannot exploit this issue.
This flaw affects Internet Scanner version 6.2.1 for Windows NT 4 Professional SP 6a and Windows 2000 Professional SP 2.
Internet Security Systems has developed a fix for this bug, which is included in the X-Press Update (XPU) 6.17. The XPU is available now at http://www.iss.net/download, or it can be downloaded and installed using the Internet Scanner X-Press Update Installer. The XPU also includes a check (MalformedHttpStatusResponse) to assist you in identifying systems that are mis-configured and could exploit the flaw.
More detailed information about the issue is provided below. If you have any questions about this issue or need help applying the X-Press Update, please contact your ISS technical support by calling 888-447-4861 or 404-236-2700. We can also be reached by e-mail at support@iss.net.
Thank you and best regards,
Sally Foster
VP, Customer Support
Internet Scanner contains a flaw that may lead to incorrect parsing of Web server response messages. If a Web server is specifically configured to provide a non-standard response to a Web request, this response may be mis-handled. If Internet Scanner receives such a response, it may crash. It may also be possible for attackers to formulate a specific response to execute arbitrary code on the Scanner host.
Mitigating Factors: For successful exploitation of this flaw to take place, an attacker must configure a Web server to deliver non-standard responses to normal HTTP requests. This Web server must be a system that is within the IP-range specified in the license key for Internet Scanner. Internet Scanner must then assess the host with the non-standard configuration for the exploit to be successful. In the event of a crash, results from hosts scanned by Internet Scanner before the crash are still saved to the Internet Scanner database.
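The notice above describes the defect class only in general terms (a non-standard, over-long status response that is mis-handled and overruns a buffer). As an added illustration, not code from ISS, Foundstone or the original post, here is a bounded HTTP status-line parser of the kind a scanner's response handler needs: it rejects an over-long status line instead of copying it into a fixed buffer. STATUS_LINE_MAX, the struct layout and the helper names are assumptions for the example; the scanner's real buffer size is not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical bound on a status line we will parse; the real scanner limit is unknown. */
#define STATUS_LINE_MAX 256
struct http_status {
    int major, minor;   /* HTTP version */
    int code;           /* 3-digit status code */
    char reason[64];    /* reason phrase, truncated to fit */
};
/* Parse the first line of a raw HTTP response into *out. Returns 0 on success,
 * -1 if the line is over-long or is not "HTTP/x.y NNN reason". Every copy is
 * bounded, so an oversized status line is refused rather than overrunning a buffer. */
int parse_status_line(const char *resp, size_t len, struct http_status *out)
{
    const char *eol = memchr(resp, '\n', len);
    size_t line_len = eol ? (size_t)(eol - resp) : len;
    if (line_len > STATUS_LINE_MAX) return -1;      /* refuse, do not truncate silently */
    char line[STATUS_LINE_MAX + 1];
    memcpy(line, resp, line_len);
    line[line_len] = '\0';
    if (line_len > 0 && line[line_len - 1] == '\r') line[line_len - 1] = '\0';
    char reason[STATUS_LINE_MAX + 1] = "";          /* %256 width matches this size */
    int n = sscanf(line, "HTTP/%d.%d %3d %256[^\n]", &out->major, &out->minor, &out->code, reason);
    if (n < 3 || out->code < 100 || out->code > 599) return -1;
    snprintf(out->reason, sizeof out->reason, "%s", reason);   /* bounded copy */
    return 0;
}
/* Convenience wrapper: status code of a NUL-terminated response, or -1 if rejected. */
int status_code_of(const char *resp)
{
    struct http_status st;
    return parse_status_line(resp, strlen(resp), &st) == 0 ? st.code : -1;
}
/* Constructed test input: a response whose reason phrase is 'n' filler bytes,
 * standing in for the non-standard response the notice describes.
 * Returns the parsed status code, or -1 if the parser rejected it. */
int status_code_of_long_response(size_t n)
{
    const char prefix[] = "HTTP/1.1 200 ";
    char *buf = malloc(sizeof prefix + n + 2);
    if (!buf) return -1;
    memcpy(buf, prefix, sizeof prefix - 1);
    memset(buf + sizeof prefix - 1, 'A', n);
    memcpy(buf + sizeof prefix - 1 + n, "\r\n", 3);   /* includes the NUL */
    int code = status_code_of(buf);
    free(buf);
    return code;
}
```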
_______________________________________________
Customerconnect mailing list
Customerconnect@iss.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html