Message-ID: <NMRC.666.6.66.0209181304380.2250-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
6.2.1 (fwd)
Credit for this find belongs with Foundstone. Typical of ISS to release
their own advisory not giving proper credit. heh, even on their own
products.
I also think that they downplay this a little. I am sure no one here has
not seen "ISSCRACK" or "ISSKEYGEN" so it's safe to say that ISS Scanner can
easily be used by the kiddies to scan boxes - I have IDS logs to prove
that it happens to at least one person. :-)
From the Foundstone advisory
http://www.foundstone.com/knowledge/advisories-display.html?id=336
it appears that you simply need to craft some funky-ass long HTTP
responses. Does anyone have additional information on this one? It would
be nice to incorporate this into web boxes and essentially defend against
ISS Scanner being used.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@...c.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
---------- Forwarded message ----------
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
6.2.1
-----Original Message-----
From: ISS Customer Relations [mailto:bpq@....net]
Sent: Wed 9/18/2002 9:47 AM
To: customerconnect@....net
Cc:
Subject: [Customerconnect] Important Information re: Internet Scanner 6.2.1
September 18, 2002
Dear ISS Customer,
Internet Security Systems (ISS) has become aware of an issue with Internet
Security Systems' Internet Scanner 6.2.1 that may potentially allow the
scanning application to be crashed by a malicious web server. ISS has
developed a fix for this issue, and it is available now.
It is possible for an attacker to cause Internet Scanner to crash by
setting up a malicious web server. When Internet Scanner scans the
malicious web server, the script will cause a buffer overflow that crashes
the scanning application. It may also be possible for attackers to
formulate a specific response to execute arbitrary code on the Scanner
host. However, this has not been demonstrated in the ISS labs or in the wild.
ISS considers this issue low risk since (1) it requires a malicious web
server to be set up, and (2) potential attackers are limited to trusted
systems on your network scanned by Internet Scanner. Intruders outside of
the scanned systems cannot exploit this issue.
This flaw affects Internet Scanner version 6.2.1 for Windows NT 4
Professional SP 6a and Windows 2000 Professional SP 2.
Internet Security Systems has developed a fix for this bug, which is
included in the X-Press Update (XPU) 6.17. The XPU is available now at
http://www.iss.net/download, or it can be downloaded and installed using
the Internet Scanner X-Press Update Installer. The XPU also includes a
check (MalformedHttpStatusResponse) to assist you in identifying systems
that are mis-configured and could exploit the flaw.
More detailed information about the issue is provided below. If you have
any questions about this issue or need help applying the X-Press Update,
please contact your ISS technical support by calling 888-447-4861 or
404-236-2700. We can also be reached by e-mail at support@....net.
Thank you and best regards,
Sally Foster
VP, Customer Support
*****************
SUMMARY
Internet Scanner contains a flaw that may lead to incorrect parsing of Web
server response messages. If a Web server is specifically configured to
provide a non-standard response to a Web request, this response may be
mis-handled. If Internet Scanner receives such a response, it may crash.
It may also be possible for attackers to formulate a specific response to
execute arbitrary code on the Scanner host.
Mitigating Factors: For successful exploitation of this flaw to take place,
an attacker must configure a Web server to deliver non-standard responses
to normal HTTP requests. This Web server must be a system that is within
the IP-range specified in the license key for Internet Scanner. Internet
Scanner must then assess the host with the non-standard configuration for
the exploit to be successful. In the event of a crash, results from hosts
scanned by Internet Scanner before the crash are still saved to the
Internet Scanner database.
_______________________________________________
Customerconnect mailing list
Customerconnect@....net
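
As a defensive illustration of the flaw class the ISS summary describes (a scanning client mis-handling a non-standard Web server response), the following C sketch parses an HTTP status line with explicit bounds. It is an added example, not part of either message and not ISS or Foundstone code; the function name, the 512-byte line cap and the 64-byte reason buffer are assumptions, since the advisory gives no parsing details.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATUS_LINE 512 /* assumed cap; the advisory gives no figure */
#define MAX_REASON 64       /* assumed size of the caller's reason buffer */
enum { ST_OK = 0, ST_TOO_LONG = -1, ST_MALFORMED = -2 };

/* Parse "HTTP/1.x NNN reason" from an untrusted buffer of len bytes.
 * Reads at most MAX_STATUS_LINE bytes and writes at most MAX_REASON bytes
 * (NUL included) to reason, truncating an over-long reason phrase. */
int parse_status_line(const char *buf, size_t len, int *code, char *reason)
{
    size_t limit = len < MAX_STATUS_LINE ? len : MAX_STATUS_LINE;
    const char *eol = memchr(buf, '\n', limit);
    if (eol == NULL) /* no line end inside the cap: reject, don't keep reading */
        return len >= MAX_STATUS_LINE ? ST_TOO_LONG : ST_MALFORMED;
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    /* "HTTP/1.x NNN" is exactly 12 bytes */
    if (n < 12 || memcmp(buf, "HTTP/1.", 7) != 0 ||
        !isdigit((unsigned char)buf[7]) || buf[8] != ' ')
        return ST_MALFORMED;
    int c = 0;
    for (size_t i = 9; i < 12; i++) {
        if (!isdigit((unsigned char)buf[i]))
            return ST_MALFORMED;
        c = c * 10 + (buf[i] - '0');
    }
    if ((n > 12 && buf[12] != ' ') || c < 100 || c > 599)
        return ST_MALFORMED; /* e.g. a status code with extra digits */
    size_t rlen = n > 13 ? n - 13 : 0;
    if (rlen > MAX_REASON - 1)
        rlen = MAX_REASON - 1; /* truncate instead of overflowing */
    if (rlen > 0)
        memcpy(reason, buf + 13, rlen);
    reason[rlen] = '\0';
    *code = c;
    return ST_OK;
}

int main(void)
{
    char reason[MAX_REASON];
    int code = 0;
    const char ok[] = "HTTP/1.1 200 OK\r\n"; /* constructed sample */
    int rc = parse_status_line(ok, sizeof ok - 1, &code, reason);
    printf("rc=%d code=%d reason=%s\n", rc, code, reason);
    return 0;
}
```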