Full Disclosure mailing list archives

FW: [Customerconnect] Important Information re: Internet Scanner 6.2.1 (fwd)


From: hellnbak () nmrc org (hellNbak)
Date: Wed, 18 Sep 2002 13:12:59 -0400 (EDT)

Credit for this find belongs with Foundstone. Typical of ISS to release
their own advisory not giving proper credit.  heh, even on their own
products.

I also think that they downplay this a little.  I am sure no one here has
not seen "ISSCRACK" or "ISSKEYGEN" so it's safe to say that ISS Scanner can
easily be used by the kiddies to scan boxes - I have IDS logs to prove
that it happens to at least one person.  :-)

From the Foundstone advisory
http://www.foundstone.com/knowledge/advisories-display.html?id=336

it appears that you simply need to craft some funky ass long HTTP
responses.  Does anyone have additional information on this one?  It would
be nice to incorporate this into web boxes and essentially defend against
ISS Scanner being used.


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---------- Forwarded message ----------
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
    6.2.1



        -----Original Message-----
        From: ISS Customer Relations [mailto:bpq () iss net]
        Sent: Wed 9/18/2002 9:47 AM
        To: customerconnect () iss net
        Cc:
        Subject: [Customerconnect] Important Information re: Internet Scanner 6.2.1



        September 18, 2002

        Dear ISS Customer,

        Internet Security Systems (ISS) has become aware of an issue with Internet
        Security Systems' Internet Scanner 6.2.1 that may potentially allow the
        scanning application to be crashed by a malicious web server. ISS has
        developed a fix for this issue, and it is available now.

        It is possible for an attacker to cause Internet Scanner to crash by
        setting up a malicious web server. When Internet Scanner scans the
        malicious web server, the script will cause a buffer overflow that crashes
        the scanning application. It may also be possible for attackers to
        formulate a specific response to execute arbitrary code on the Scanner
        host. However, this has not been demonstrated in the ISS labs or in the wild.

        ISS considers this issue low risk since (1) it requires a malicious web
        server to be set up, and (2) potential attackers are limited to trusted
        systems on your network scanned by Internet Scanner. Intruders outside of
        the scanned systems cannot exploit this issue.

        This flaw affects Internet Scanner version 6.2.1 for Windows NT 4
        Professional SP 6a and Windows 2000 Professional SP 2.

        Internet Security Systems has developed a fix for this bug, which is
        included in the X-Press Update (XPU) 6.17. The XPU is available now at
        http://www.iss.net/download, or it can be downloaded and installed using
        the Internet Scanner X-Press Update Installer. The XPU also includes a
        check (MalformedHttpStatusResponse) to assist you in identifying systems
        that are mis-configured and could exploit the flaw.

        More detailed information about the issue is provided below. If you have
        any questions about this issue or need help applying the X-Press Update,
        please contact your ISS technical support by calling 888-447-4861 or
        404-236-2700. We can also be reached by e-mail at support () iss net.

        Thank you and best regards,

        Sally Foster
        VP, Customer Support

        *****************
        SUMMARY

        Internet Scanner contains a flaw that may lead to incorrect parsing of Web
        server response messages. If a Web server is specifically configured to
        provide a non-standard response to a Web request, this response may be
        mis-handled. If Internet Scanner receives such a response, it may crash.
        It may also be possible for attackers to formulate a specific response to
        execute arbitrary code on the Scanner host.

        Mitigating Factors: For successful exploitation of this flaw to take place,
        an attacker must configure a Web server to deliver non-standard responses
        to normal HTTP requests. This Web server must be a system that is within
        the IP-range specified in the license key for Internet Scanner. Internet
        Scanner must then assess the host with the non-standard configuration for
        the exploit to be successful. In the event of a crash, results from hosts
        scanned by Internet Scanner before the crash are still saved to the
        Internet Scanner database.


        _______________________________________________
        Customerconnect mailing list
        Customerconnect () iss net
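
Added example, not part of the original post or the ISS advisory, and not ISS or Foundstone code: the advisory does not describe the faulty parsing code, so this only illustrates the defensive pattern for the bug class it names, a scanning client parsing an untrusted HTTP status line with every length bounded. The function name, the struct and both size limits are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_STATUS_LINE 512   /* assumed cap on the status line, in bytes */
#define MAX_REASON      64    /* assumed size of the reason-phrase buffer */

struct http_status {
    int  minor;               /* HTTP/1.<minor> */
    int  code;                /* three-digit status code */
    char reason[MAX_REASON];  /* NUL-terminated, truncated if longer */
};

/* Parse "HTTP/1.x NNN reason\r\n" from an untrusted buffer of len bytes.
 * Returns 0 on success, -1 if the line is malformed, unterminated or
 * longer than MAX_STATUS_LINE. Never reads or writes out of bounds. */
int parse_status_line(const char *buf, size_t len, struct http_status *out)
{
    size_t limit = len < MAX_STATUS_LINE ? len : MAX_STATUS_LINE;
    const char *eol = memchr(buf, '\n', limit);
    if (eol == NULL)
        return -1;                       /* no line end within the cap */
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--;                             /* accept CRLF or bare LF */

    /* Fixed prefix: "HTTP/1." + minor digit + space + 3 digits = 12 bytes */
    if (n < 12 || memcmp(buf, "HTTP/1.", 7) != 0)
        return -1;
    if ((buf[7] != '0' && buf[7] != '1') || buf[8] != ' ')
        return -1;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)buf[i]))
            return -1;
    if (n > 12 && buf[12] != ' ')
        return -1;                       /* e.g. a "code" of 4+ digits */

    out->minor = buf[7] - '0';
    out->code  = (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
    if (out->code < 100 || out->code > 599)
        return -1;

    /* Copy the reason phrase with explicit truncation to the buffer size. */
    size_t rlen = n > 13 ? n - 13 : 0;
    if (rlen >= MAX_REASON)
        rlen = MAX_REASON - 1;
    if (rlen)
        memcpy(out->reason, buf + 13, rlen);
    out->reason[rlen] = '\0';
    return 0;
}
```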



