Foundstone Research Labs Advisory - Remotely Exploitable Buffer Overflow in ISS Scanner

["Marshall Beddoe" <Marshall.beddoe () foundstone com>]

Foundstone Research Labs Advisory - 091802-ISSC

Advisory Name:  Remotely Exploitable Buffer Overflow in ISS Scanner
 Release Date:  September 18, 2002
  Application:  ISS Scanner 6.2.1
    Platforms:  Windows NT/2000/XP
     Severity:  Remote code execution
      Vendors:  Internet Security Systems (http://www.iss.net) 
      Authors:  Tony Bettini (tony.bettini () foundstone com)
CVE Candidate:  CAN-2002-1122
    Reference:  http://www.foundstone.com/advisories

Overview:

The license banner HTTP check performed by ISS Scanner does not check
the
length of the data returned by the web server being tested. As a result,
a malicious host could be configured to return a long HTTP response that
causes code execution on the ISS Scanner host.

Detailed Description:

A malicious web server could be setup to return a long HTTP result code,
such that when the ISS Scanner attempts to perform a license
advertisement via an HTTP banner check, a reply is returned that
executes arbitrary code on the ISS Scanner host.

Vendor Response:

ISS has issued a fix for this vulnerability. It is included within
X-Press Update 6.17.

Solution:

We recommend applying the vendor patch.

Disclaimer:

The information contained in this advisory is copyright (c) 2002 
Foundstone, Inc. and is believed to be accurate at the time of 
publishing, but no representation of any warranty is given, 
express, or implied as to its accuracy or completeness. In no 
event shall the author or Foundstone be liable for any direct, 
indirect, incidental, special, exemplary or consequential 
damages resulting from the use or misuse of this information.  
This advisory may be redistributed, provided that no fee is 
assigned and that the advisory is not modified in any way.