Vulnerability Development mailing list archives

Re: Remote exploitation of network scanners?


From: Marc Maiffret <marc () eeye com>
Date: Fri, 25 Aug 2000 12:07:48 +0100

Yup... exploiting scanners, or any security product really, definitely can
happen.

An example of how an older version of Internet Security Scanner was
exploited can be found here:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-12-1&msg=Pine.BSD.4.00.9812032016220.8681-100000 () l0pht com

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com


| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
| Lincoln Yeoh
| Sent: Friday, August 25, 2000 8:57 AM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Remote exploitation of network scanners?
|
|
| Hi people!
|
| I wonder if the many popular scanners out there are written securely - so
| that they themselves cannot be exploited.
|
| It seems to me that many of these programs are written as a "proof of
| concept" or as instructive samples, and good for that purpose alone but
| may not be robust enough for use in a hostile environment.
|
| Hypothetical scenario:
| A scanner requiring remote input scans a targeted host, looking for
| replies. The targeted host replies with exceptional input causing the
| scanner to run arbitrary code (buffer overflow etc etc), probably with
| the privileges of the user running that scanner.
|
| Denial of service programs are probably less vulnerable since they usually
| don't require remote input (except maybe dns?). They usually accept input
| from the command-line which shouldn't become a problem in typical usage :).
|
| Note that I am not saying that the authors of such programs are writing
| poor quality code, far from it, but there is a danger that some users may
| be using them under inappropriate conditions for purposes they were not
| designed for. After all much of the code released is "for educational
| purposes only" ;).
|
| Have a nice weekend!
|
| Link.
|
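
The hypothetical scenario in the quoted message (a target's reply overflowing a buffer inside the scanner), shown as an added C example that is not part of the original thread or of any real scanner's code. `store_banner`, `store_banner_unsafe` and `BANNER_MAX` are hypothetical names, and the sample reply is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 64   /* assumed size of the scanner's banner field */

/* Unsafe pattern, for contrast only: the remote host decides how many
 * bytes are written, so a long reply runs past the end of dst. */
void store_banner_unsafe(char *dst, const char *reply)
{
    strcpy(dst, reply);
}

/* Hardened form: the reply is untrusted bytes with an explicit length.
 * Copies the first line only, never writes more than dst_len bytes,
 * replaces non-printable bytes with '?', and always NUL-terminates.
 * Returns the number of bytes stored, or -1 if the reply had to be
 * truncated or the arguments are invalid. */
int store_banner(char *dst, size_t dst_len,
                 const unsigned char *reply, size_t reply_len)
{
    size_t i, n = 0;
    int truncated = 0;

    if (dst == NULL || dst_len == 0 || (reply == NULL && reply_len != 0))
        return -1;
    for (i = 0; i < reply_len; i++) {
        unsigned char c = reply[i];
        if (c == '\r' || c == '\n' || c == '\0')
            break;                      /* end of the banner line */
        if (n + 1 >= dst_len) {         /* keep room for the terminator */
            truncated = 1;
            break;
        }
        dst[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[n] = '\0';
    return truncated ? -1 : (int)n;
}

int main(void)
{
    char banner[BANNER_MAX];
    const unsigned char reply[] = "SSH-2.0-OpenSSH\r\n"; /* constructed */
    int n = store_banner(banner, sizeof banner, reply, sizeof reply - 1);
    printf("%d bytes stored: %s\n", n, banner);
    return 0;
}
```

A return value of -1 lets the scanner log the oversized reply as an anomaly while still holding a safely truncated banner.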

