Re: Remote exploitation of network scanners?

[Adam Prato <sirsyko () MERGIOO ISHIBOO COM>]

On Fri, Aug 25, 2000 at 03:56:30PM +0800, Lincoln Yeoh wrote:
> Hi people!
>
> I wonder if the many popular scanners out there are written securely - so
> that they themselves cannot be exploited.
>
> It seems to me that many of these programs are written as a "proof of
> concept" or as instructive samples, and good for that purpose alone but may
> not be robust enough for use in a hostile environment.
>
> Hypothetical scenario:
> A scanner requiring remote input scans a targeted host, looking for replies.
> The targeted host replies with exceptional input causing the scanner to run
> arbitrary code (buffer overflow etc etc), probably with the privileges of
> the user running that scanner.
>
> Denial of service programs are probably less vulnerable since they usually
> don't require remote input (except maybe dns?). They usually accept input
> from the command-line which shouldn't become a problem in typical usage :).
>
> Note that I am not saying that the authors of such programs are writing
> poor quality code, far from it, but there is a danger that some users may
> be using them under inappropriate conditions for purposes they were not
> designed for. After all much of the code released is "for educational
> purposes only" ;).
>
> Have a nice weekend!
>
> Link.

I believe both the l0pht, nmap, and bass that was supposedly
built to do some massive whole-internet-biopsy type of scan for vulnerabilities
have all had some sort of remote attack.

www.securityfocus.com has information regaurding AntiSniff. I'm not sure
about nmap and hte internet auditing project (if they did have problems
I'm sure they have long since been fixed), those could have just been
people blowing smoke and just saying they found something when they didnt.

But the bottom line is yes, many exploits themselves are exploitable.

<ss>