
List:       vulndiscuss
Subject:    [VulnDiscuss] FW: [Customerconnect] Important Information re: Internet Scanner
From:       hellNbak <hellnbak () nmrc ! org>
Date:       2002-09-18 17:12:59

Credit for this find belongs with Foundstone. Typical of ISS to release
their own advisory not giving proper credit.  heh, even on their own
products.

I also think that they downplay this a little.  I am sure no one here has
not seen "ISSCRACK" or "ISSKEYGEN" so it's safe to say that ISS Scanner can
easily be used by the kiddies to scan boxes - I have IDS logs to prove
that it happens to at least one person.  :-)

From the Foundstone advisory
http://www.foundstone.com/knowledge/advisories-display.html?id=336

it appears that you simply need to craft some funky ass long HTTP
responses.  Does anyone have additional information on this one?  It would
be nice to incorporate this into web boxes and essentially defend against
ISS Scanner being used.


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---------- Forwarded message ----------
Subject: FW: [Customerconnect] Important Information re: Internet Scanner
    6.2.1



	-----Original Message-----
	From: ISS Customer Relations [mailto:bpq@iss.net]
	Sent: Wed 9/18/2002 9:47 AM
	To: customerconnect@iss.net
	Cc:
	Subject: [Customerconnect] Important Information re: Internet Scanner 6.2.1



	September 18, 2002

	Dear ISS Customer,

	Internet Security Systems (ISS) has become aware of an issue with Internet
	Security Systems' Internet Scanner 6.2.1 that may potentially allow the
	scanning application to be crashed by a malicious web server. ISS has
	developed a fix for this issue, and it is available now.

	It is possible for an attacker to cause Internet Scanner to crash by
	setting up a malicious web server. When Internet Scanner scans the
	malicious web server, the script will cause a buffer overflow that crashes
	the scanning application. It may also be possible for attackers to
	formulate a specific response to execute arbitrary code on the Scanner
	host. However, this has not been demonstrated in the ISS labs or in the wild.

	ISS considers this issue low risk since (1) it requires a malicious web
	server to be set up, and (2) potential attackers are limited to trusted
	systems on your network scanned by Internet Scanner. Intruders outside of
	the scanned systems cannot exploit this issue.

	This flaw affects Internet Scanner version 6.2.1 for Windows NT 4
	Professional SP 6a and Windows 2000 Professional SP 2.

	Internet Security Systems has developed a fix for this bug, which is
	included in the X-Press Update (XPU) 6.17. The XPU is available now at
	http://www.iss.net/download, or it can be downloaded and installed using
	the Internet Scanner X-Press Update Installer. The XPU also includes a
	check (MalformedHttpStatusResponse) to assist you in identifying systems
	that are mis-configured and could exploit the flaw.

	More detailed information about the issue is provided below. If you have
	any questions about this issue or need help applying the X-Press Update,
	please contact your ISS technical support by calling 888-447-4861 or
	404-236-2700. We can also be reached by e-mail at support@iss.net.

	Thank you and best regards,

	Sally Foster
	VP, Customer Support

	*****************
	SUMMARY

	Internet Scanner contains a flaw that may lead to incorrect parsing of Web
	server response messages. If a Web server is specifically configured to
	provide a non-standard response to a Web request, this response may be
	mis-handled. If Internet Scanner receives such a response, it may crash.
	It may also be possible for attackers to formulate a specific response to
	execute arbitrary code on the Scanner host.

	Mitigating Factors: For successful exploitation of this flaw to take place,
	an attacker must configure a Web server to deliver non-standard responses
	to normal HTTP requests. This Web server must be a system that is within
	the IP-range specified in the license key for Internet Scanner. Internet
	Scanner must then assess the host with the non-standard configuration for
	the exploit to be successful. In the event of a crash, results from hosts
	scanned by Internet Scanner before the crash are still saved to the
	Internet Scanner database.


	_______________________________________________
	Customerconnect mailing list
	Customerconnect@iss.net
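
The advisory above describes a scanning client that mis-parses a non-standard HTTP response and overflows a buffer. As an added example (not code from ISS, Foundstone or the original message), here is a C status-line parser for a scanning client that checks lengths before copying. The advisory does not describe the actual overflow, so the function name, return codes and the 256/64-byte caps are assumptions, and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP   256  /* assumed cap on the whole status line */
#define REASON_CAP 64   /* assumed cap on the reason phrase, incl. NUL */

enum { ST_OK = 0, ST_TOO_LONG = -1, ST_MALFORMED = -2 };

struct http_status { int major, minor, code; char reason[REASON_CAP]; };

/* Parse "HTTP/x.y NNN [reason]\r\n" from len untrusted bytes. */
int parse_status_line(const char *buf, size_t len, struct http_status *out)
{
    size_t scan = len < LINE_CAP ? len : LINE_CAP;
    const char *eol = memchr(buf, '\n', scan);   /* never search past the cap */
    if (eol == NULL)
        return len >= LINE_CAP ? ST_TOO_LONG : ST_MALFORMED;
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r') n--;

    /* Fixed-position checks: "HTTP/1.1 200" is 12 bytes. */
    if (n < 12 || memcmp(buf, "HTTP/", 5) != 0 || buf[6] != '.' || buf[8] != ' ')
        return ST_MALFORMED;
    static const int digit_pos[] = { 5, 7, 9, 10, 11 };
    for (size_t i = 0; i < 5; i++)
        if (!isdigit((unsigned char)buf[digit_pos[i]])) return ST_MALFORMED;
    if (n > 12 && buf[12] != ' ') return ST_MALFORMED;

    /* The reason length is checked against the destination before any copy. */
    size_t rlen = n > 13 ? n - 13 : 0;
    if (rlen >= REASON_CAP) return ST_TOO_LONG;
    for (size_t i = 0; i < rlen; i++) {
        unsigned char c = (unsigned char)buf[13 + i];
        if (iscntrl(c) && c != '\t') return ST_MALFORMED;
    }
    out->major = buf[5] - '0';
    out->minor = buf[7] - '0';
    out->code  = (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
    memcpy(out->reason, buf + 13, rlen);
    out->reason[rlen] = '\0';
    return ST_OK;
}

int main(void)
{
    char big[600];                       /* constructed oversized reply */
    memset(big, 'A', sizeof big);
    memcpy(big, "HTTP/1.1 200 ", 13);
    big[sizeof big - 1] = '\n';
    struct http_status st;
    printf("%d\n", parse_status_line("HTTP/1.1 200 OK\r\n", 17, &st));
    printf("%d\n", parse_status_line(big, sizeof big, &st));
    return 0;
}
```

A scanner that gets ST_TOO_LONG or ST_MALFORMED can record the host as returning a non-standard status response and move on to the next target instead of crashing mid-scan.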


