Bugtraq mailing list archives
ISS Internet Scanner Cannot be relied upon for conclusive Audits
From: mr_joej () HOTMAIL COM (Mr. joej)
Date: Sun, 7 Feb 1999 18:28:55 PST
Before I even start I want to point out that I am NOT product bashing! ISS's products provide the average administrator a good way to audit his/her own network. But there have been numerous companies popping up using only ISS products to provide security audits and security expertise. This is inadequate. Granted, if someone doesn't use Internet Scanner for at least part of an audit, they better be real good ....err REAL good.

ISS Internet Scanner, for example: Granted, ISS never claims to test for all known vulnerabilities. This is no surprise, new holes are out every day. But my problem is that of the vulnerabilities that Internet Scanner says that it is testing, I have found a few that it DOESN'T even though it says it is.

Example: 'Router Checks'. I wanted to scan my network to see if I had any routers that were vulnerable to the old ioslogon bug. After a quick scan, I found none. I knew this wasn't right, there was one somewhere I hadn't upgraded yet. After testing by hand I found it. I talked to ISS about this for a while; after sending logs and talking to the engineers their reply was 'well snmp is disabled ....' The rest of their reply was something about how this vulnerability was related to snmp, therefore Internet Scanner couldn't scan for it. This is WRONG.

After some testing this is what was found. Internet Scanner only tests for this bug if it can either gain access to a shell (by guessing the telnet password), or by getting snmp access to get the IOS version information. Based upon this, Internet Scanner determines whether or not the router is vulnerable. This is WRONG. The same holds true for all router checks except ascend udp kill.

My follow-up question: How many other vulnerabilities does Internet Scanner say it will scan, but really doesn't?

ISS: Either be very very clear that you are not 'really' scanning for these vulnerabilities, or just scan for them.

Sorry for the long message, but I wanted to be clear, and it's late ....

JoeJ
Mr_JoeJ () hotmail com