Penetration Testing mailing list archives

Re: Cybercop scanner returning false positive? IPP overflow on IIS4


From: Max Vision <vision () whitehats com>
Date: Fri, 25 May 2001 14:45:14 -0700 (PDT)

Hi,

This may be the same issue that was raised by Paul Cardon <paul () moquijo com> on
Bugtraq a few weeks ago.  He wasn't talking about Cybercop in particular,
but it is likely that they suffer from the same failed testing
methodology.

Cybercop sends a "host:" overflow of 420 "A" characters (someone there has
a sense of humor:) which is sufficiently long to trigger the overflow.
However it may be too long, causing the server to stop responding.  The
proposed solution is to send just slightly over the trigger threshold that
causes a patched server to not respond (>256 characters) yet not overflow
the buffer.  ipptest.pl sends 257 bytes. webexplt.pl sends 430 bytes.

Paul's summary was:
- If no response is returned the system has been patched.
- If a 500 error is returned the server is unpatched.
- If a 404 error is returned the .printer mapping has been removed.

So Cybercop's new module 10091 (in mod10000.dll) is probably using the
"no-response" method of testing and sending too long of a string.  I don't
want to publicly reverse engineer what they are doing (ahem) so I can only
offer my guess.

I do not know why the tests would come back differently in your two
environments though.

I have packet captures of the Cybercop test if anyone is interested.

Max Vision
http://whitehats.com/

On Fri, 25 May 2001 Colin_Kushnier () TD COM wrote:
I have a question regarding the behavior of module 10091 (newly released in
update 5.5-200106?) in Cybercop 5.5 on NT4.

While scanning a group of IIS4.0 servers in one environment, this module, which
checks for the IIS IPP ISAPI extension buffer overflow of Microsoft bulletin
<http://www.microsoft.com/technet/security/bulletin/MS01-023.asp> returns
positive. According to the bulletin and my understanding of the vulnerability,
it affects IIS5.0 only.
Scanning IIS4.0 servers in a different environment returns no results for this
module, i.e. false.

I haven't yet contacted NAI, I was wondering if anyone has seen similar
results...

Thanks,

Colin
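The check Max describes, written out as an added example that is not code from this thread, from ipptest.pl, or from Cybercop: it sends a Host header of exactly 257 bytes (just over the 256-byte threshold, not the 420-byte string that can hang a server) to a URL under the .printer mapping and then applies Paul Cardon's three-way table to the reply. The path `/probe.printer`, the `probe()` timeout and the "unknown" fallback for any other status are my assumptions, not values from the thread.

```python
"""Patch-state probe for the IIS .printer (IPP) ISAPI extension.

Added example, not from the mailing-list thread, ipptest.pl or Cybercop.
Sends a 257-byte Host header (over the 256-byte threshold a patched server
rejects, but well short of an overflow) and classifies the reply:
  no response -> patched, 500 -> unpatched, 404 -> .printer mapping removed.
"""
import socket

HOST_HEADER_LEN = 257            # just over the threshold, same as ipptest.pl
PRINTER_PATH = "/probe.printer"  # assumed: any path that hits the .printer mapping


def build_probe_request(host_len: int = HOST_HEADER_LEN) -> bytes:
    """Build the raw HTTP/1.0 request carrying the oversized Host header."""
    if host_len <= 256:
        raise ValueError("probe must exceed 256 bytes to exercise the patched-server check")
    host_value = "A" * host_len
    return (f"GET {PRINTER_PATH} HTTP/1.0\r\n"
            f"Host: {host_value}\r\n\r\n").encode("ascii")


def parse_status(raw: bytes):
    """Return the HTTP status code from a raw response, or None for no/garbled reply."""
    if not raw:
        return None
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(status):
    """Paul Cardon's decision table from the thread; 'unknown' is my fallback."""
    if status is None:
        return "patched"           # server drops the request without replying
    if status == 500:
        return "unpatched"
    if status == 404:
        return "mapping-removed"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Connect, send the probe and return (status, verdict).

    A read timeout is treated as 'no response', which the table maps to patched.
    """
    request = build_probe_request()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    status = parse_status(b"".join(chunks))
    return status, classify(status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run it against a server you administer to see which of the three outcomes it reports; the point of the 257-byte length is that a scanner can distinguish patched from unpatched without the risk Max describes of knocking the service over with a 420-byte string.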
