|
--------------------------------------------------------------------
Title: Foundstone Fscan Format String Bug
BUG-ID: 2002014
Released: 19th Apr 2002
--------------------------------------------------------------------
Problem:
========
A flaw in Foundstone Fscan could result in a malicious service
banner overwriting the stack and the EIP on the PC performing the
scanning.
Vulnerable:
===========
- Foundstone Fscan 1.12 for Windows
Details:
========
If banner grabbing is turned on, Fscan will print the banner string
directly instead of using format specifiers (%s). This will cause
any %'s in the banner to be interpreted as format specifiers.
This issue is probably best clarified using a worst case scenario:
- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a
malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for
abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked"
- Attacker has now overwritten the stack and the EIP on Admin's
own PC in the security context Admin was using when he was
scanning.
More Information:
=================
Guardent has published a small whitepaper on Format String Attacks:
http://www.guardent.com/docs/FormatString.PDF
Vendor URL:
===========
You can visit the vendors webpage here: http://www.foundstone.com
Vendor response:
================
The vendor was contacted on the 14th of April, 2002. The vendor
identified the problem as a format string bug. On the 17th of April,
2002 I received a new version of Fscan that solved the issue. On the
18th of April, 2002 the vendor put that version online for download.
Corrective action:
==================
The vendor has corrected the issue and put version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
|
