lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <NMRC.666.6.66.0209181304380.2250-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
 6.2.1 (fwd)

Credit for this find belongs with Foundstone. Typical of ISS to release
their own advisory not giving proper credit.  heh, even on their own
products.

I also think that they downplay this a little.  I am sure no one here has
not seen "ISSCRACK" or "ISSKEYGEN" so its safe to say that ISS Scanner can
easily be used by the kiddies to scan boxes - I have IDS logs to prove
that it happens to at least one person.  :-)

>From the Foundstone advisory
http://www.foundstone.com/knowledge/advisories-display.html?id=336

it appears that you simply need to craft some funky asses long HTTP
responses.  Does anyone have additional information on this one?  It would
be nice to incorporate this into web boxes and essentially defend against
ISS Scanner being used.


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---------- Forwarded message ----------
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
    6.2.1



	-----Original Message-----
	From: ISS Customer Relations [mailto:bpq@....net]
	Sent: Wed 9/18/2002 9:47 AM
	To: customerconnect@....net
	Cc:
	Subject: [Customerconnect] Important Information re: Internet Scanner 6.2.1



	September 18, 2002

	Dear ISS Customer,

	Internet Security Systems (ISS) has become aware of an issue with Internet
	Security Systems' Internet Scanner 6.2.1 that may potentially allow the
	scanning application to be crashed by a malicious web server. ISS has
	developed a fix for this issue, and it is available now.

	It is possible for an attacker to cause Internet Scanner to crash by
	setting up a malicious web server. When Internet Scanner scans the
	malicious web server, the script will cause a buffer overflow that crashes
	the scanning application. It may also be possible for attackers to
	formulate a specific response to execute arbitrary code on the Scanner
	host. However, this has not been demonstrated in the ISS labs or in the wild.

	ISS considers this issue low risk since (1) it requires a malicious web
	server to be set up, and (2) potential attackers are limited to trusted
	systems on your network scanned by Internet Scanner. Intruders outside of
	the scanned systems cannot exploit this issue.

	This flaw affects Internet Scanner version 6.2.1 for Windows NT 4
	Professional SP 6a and Windows 2000 Professional SP 2.

	Internet Security Systems has developed a fix for this bug, which is
	included in the X-Press Update (XPU) 6.17. The XPU is available now at
	http://www.iss.net/download, or it can be downloaded and installed using
	the Internet Scanner X-Press Update Installer. The XPU also includes a
	check (MalformedHttpStatusResponse) to assist you in identifying systems
	that are mis-configured and could exploit the flaw.

	More detailed information about the issue is provided below. If you have
	any questions about this issue or need help applying the X-Press Update,
	please contact your ISS technical support by calling 888-447-4861 or
	404-236-2700. We can also be reached by e-mail at support@....net.

	Thank you and best regards,

	Sally Foster
	VP, Customer Support

	*****************
	SUMMARY

	Internet Scanner contains a flaw that may lead to incorrect parsing of Web
	server response messages. If a Web server is specifically configured to
	provide a non-standard response to a Web request, this response may be
	mis-handled. If Internet Scanner receives such a response it, it may crash.
	It may also be possible for attackers to formulate a specific response to
	execute arbitrary code on the Scanner host.

	Mitigating Factors: For successful exploitation of this flaw to take place,
	an attacker must configure a Web server to deliver non-standard responses
	to normal HTTP requests. This Web server must be a system that is within
	the IP-range specified in the license key for Internet Scanner. Internet
	Scanner must then assess the host with the non-standard configuration for
	the exploit to be successful. In the event of a crash, results from hosts
	scanned by Internet Scanner before the crash are still saved to the
	Internet Scanner database.


	_______________________________________________
	Customerconnect mailing list
	Customerconnect@....net



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ