From: Peter Gründl (pgrundlkpmg.dk)
Date: Fri Apr 19 2002 - 04:19:20 CDT


    --------------------------------------------------------------------

    Title: Foundstone Fscan Format String Bug

    BUG-ID: 2002014
    Released: 19th Apr 2002
    --------------------------------------------------------------------

    Problem:
    ========
    A flaw in Foundstone Fscan could result in a malicious service
    banner overwriting the stack and the EIP on the PC performing the
    scanning.

    Vulnerable:
    ===========
    - Foundstone Fscan 1.12 for Windows

    Details:
    ========
    If banner grabbing is turned on, Fscan passes the received banner
    string directly as the format string instead of printing it through
    a format specifier (%s). Any '%' sequences in the banner are
    therefore interpreted as format directives.

    This issue is probably best clarified using a worst case scenario:

    - Attacker has taken over a host on a network.
    - Attacker has set up a service on "his" host that returns a
      malformed banner.
    - Admin uses Fscan to sweep his network on a regular basis.
    - Admin scans Attacker's PC with banner grabbing on to check for
      abnormal services.
    - When Admin scans the malicious service, his Fscan is "attacked".
    - Attacker has now overwritten the stack and the EIP on Admin's
      own PC in the security context Admin was using when he was
      scanning.
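    The pattern described above, shown as an added example that is not
    Fscan's own code: the banner-as-format-string call beside the fixed
    %s form, plus two defensive helpers (hypothetical names) that a
    scanner could use to flag or neutralise '%' in untrusted banners
    before they reach any printf-style logger. The sample banner is
    constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample banner such as a hostile service might return.
 * "%x" and "%n" are format directives; a legitimate banner has no need for them. */
static const char *SAMPLE_BANNER = "220 smtp ready %x %x %n\r\n";

/* Fixed form of the advisory's bug: the banner is an argument, never the format.
 * The vulnerable form was the one-liner  printf(banner);  in which every '%'
 * of the untrusted banner is interpreted by printf (not compiled here). */
int print_banner_fixed(const char *banner)
{
    return printf("%s", banner);
}

/* Count format directives in an untrusted banner so the scanner can log the
 * banner as suspicious. A "%%" pair is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Copy `in` to `out`, doubling every '%' so the result is safe to hand to any
 * printf-style function as a format string. Returns the length that was needed
 * (snprintf-style): a return value >= outsz means the output was truncated.
 * Output is always NUL-terminated when outsz > 0. */
size_t escape_percent(const char *in, char *out, size_t outsz)
{
    size_t needed = 0, written = 0;
    for (; *in; in++) {
        size_t w = (*in == '%') ? 2 : 1;
        /* write only while nothing has been skipped yet and there is room
         * for this unit plus the terminator */
        if (written == needed && needed + w < outsz) {
            out[written++] = *in;
            if (w == 2) out[written++] = '%';
        }
        needed += w;
    }
    if (outsz) out[written] = '\0';
    return needed;
}
```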

    More Information:
    =================
    Guardent has published a small whitepaper on Format String Attacks:
    http://www.guardent.com/docs/FormatString.PDF

    Vendor URL:
    ===========
    You can visit the vendor's webpage here: http://www.foundstone.com

    Vendor response:
    ================
    The vendor was contacted on the 14th of April, 2002. The vendor
    identified the problem as a format string bug. On the 17th of April,
    2002 I received a new version of Fscan that solved the issue. On the
    18th of April, 2002 the vendor put that version online for download.

    Corrective action:
    ==================
    The vendor has corrected the issue and put version 1.14 online:
    http://www.foundstone.com/knowledge/proddesc/fscan.html

    Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be
    liable for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------