
KPMG-2002014: Foundstone Fscan Format String Bug

daemon@ATHENA.MIT.EDU (Peter Gründl)
Fri Apr 19 15:42:37 2002

Message-ID: <000701c1e782$d98c4d60$1f00a8c0@KPMGIRMPGRUNDL>
From: Peter Gründl <pgrundl@kpmg.dk>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Fri, 19 Apr 2002 11:16:08 +0200

--------------------------------------------------------------------

Title: Foundstone Fscan Format String Bug

BUG-ID: 2002014
Released: 19th Apr 2002
--------------------------------------------------------------------

Problem:
========
A flaw in Foundstone Fscan could result in a malicious service
banner overwriting the stack and the EIP on the PC performing the
scanning.


Vulnerable:
===========
- Foundstone Fscan 1.12 for Windows


Details:
========
If banner grabbing is turned on, Fscan passes the banner string directly
to a printf-style function as the format string instead of printing it
through a fixed "%s" specifier. As a result, any %-sequences in the
banner are interpreted as format specifiers.

This issue is probably best clarified using a worst case scenario:

- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a
  malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for
  abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Admin's
  own PC in the security context Admin was using when he was
  scanning.
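The vulnerable call pattern beside its fix, plus two defensive checks a banner-grabbing tool can apply, as an added example in C. This is not code from Fscan or from the advisory; the sample banner and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample banner (assumed, not from the advisory): ordinary
 * service text with '%' sequences embedded, as a malicious host might send. */
static const char SAMPLE_BANNER[] = "220 host.example.test ESMTP ready %x %s %n";

/* Vulnerable pattern from the advisory: the network-supplied banner is the
 * format string itself, so printf interprets every '%' sequence in it.
 * Not called here; gcc/clang flag this call under -Wformat-security. */
static void print_banner_vulnerable(const char *banner)
{
    printf(banner);
}

/* Fixed pattern: the banner is a data argument to a constant "%s" format,
 * so '%' is copied literally. Returns the rendered length. */
int render_banner_fixed(char *out, size_t outlen, const char *banner)
{
    return snprintf(out, outlen, "%s", banner);
}

/* Defensive check: count '%' conversion sequences ("%%" is a literal
 * percent and not counted), so a scanner can flag suspicious banners. */
size_t count_format_specifiers(const char *banner)
{
    size_t n = 0;
    for (const char *p = banner; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Escape '%' as "%%" so the text stays inert even if a later caller does
 * use it as a format string. Returns 0 on success, -1 if out is too small. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outlen) return -1;
        out[o++] = *p;
        if (*p == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}
```

Building with -Wformat-security (or -Wformat=2) makes the compiler report the vulnerable call at build time, which is the cheapest way to catch this class of bug before it ships.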


More Information:
=================
Guardent has published a small whitepaper on Format String Attacks:
http://www.guardent.com/docs/FormatString.PDF


Vendor URL:
===========
You can visit the vendor's webpage here: http://www.foundstone.com


Vendor response:
================
The vendor was contacted on the 14th of April, 2002. The vendor
identified the problem as a format string bug. On the 17th of April,
2002 I received a new version of Fscan that solved the issue. On the
18th of April, 2002 the vendor put that version online for download.


Corrective action:
==================
The vendor has corrected the issue and put version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection with
the use or spread of this information.
--------------------------------------------------------------------

