[9411] in bugtraq


Re: ISS Internet Scanner Cannot be relied upon for conclusive

daemon@ATHENA.MIT.EDU (Chris Brenton)
Mon Feb 8 13:03:37 1999

Date: Mon, 8 Feb 1999 09:46:10 -0500
Reply-To: cbrenton@sover.net
From: Chris Brenton <cbrenton@SOVER.NET>
X-To:         "Mr. joej" <mr_joej@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG

"Mr. joej" wrote:
>
> After some testing this is what was found.  Internet Scanner only
> tests for this bug if it can either gain access to a shell (by
> guessing the telnet password), or by getting snmp access to get
> the IOS version information.  Based upon this, Internet Scanner
> determines whether or not the router is vulnerable.  This is WRONG.

Actually, this type of activity is a pretty common problem and is done
in the interest of speed. For example, take the following situation:

Joe Admin installs SP4 on his NT 4.0 server
Joe Admin removes and installs TCP/IP from CD
Joe Admin runs a security check

As we all know the above system is vulnerable. This is because the
original executables and DLLs have been loaded from the original CD.
Many security audit tools that I've tested would in fact say that the
system is safe because SP4 has been installed. This is because instead
of checking file dates, they are looking for registry keys which
identify what patches have been loaded on the system.

I personally cannot say if ISS's scanners fall into the same boat, but
from my testing I know many do.

Cheers,
Chris
--
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
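As an added illustration of the registry-versus-file-date distinction in the post above (example code, not from the post or any scanner vendor), the Python below models Joe Admin's server after the TCP/IP reinstall and runs both kinds of check against it. The file paths are standard NT 4.0 binaries, but every date and the registry snapshot are constructed placeholders, and CSDVersion is used only as an illustrative "service pack installed" marker.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    """Constructed host snapshot: registry values and on-disk file dates."""
    registry: dict   # value name -> value, e.g. {"CSDVersion": "Service Pack 4"}
    files: dict      # file path -> file date


# Files the service pack replaces, with the earliest date a patched copy
# would carry. All dates are constructed for this example, not real builds.
PATCHED_FILE_MIN_DATE = {
    r"C:\WINNT\system32\drivers\tcpip.sys": date(1998, 10, 1),
    r"C:\WINNT\system32\drivers\afd.sys": date(1998, 10, 1),
    r"C:\WINNT\system32\ntoskrnl.exe": date(1998, 10, 1),
}


def assess_by_registry(host):
    """Fast check: trust the registry's claim that SP4 is installed."""
    return host.registry.get("CSDVersion") == "Service Pack 4"


def assess_by_file_dates(host):
    """Slower check: verify each patched file is actually the post-SP4 copy.
    Returns (patched, list_of_stale_files)."""
    stale = [path for path, min_date in PATCHED_FILE_MIN_DATE.items()
             if host.files.get(path, date.min) < min_date]
    return (not stale, stale)


def joe_admin_host():
    """Build the scenario from the post: SP4 applied, then TCP/IP reinstalled
    from the original CD, which rolls the network drivers back."""
    registry = {"CSDVersion": "Service Pack 4"}   # SP4 setup wrote this
    files = {path: date(1998, 10, 15) for path in PATCHED_FILE_MIN_DATE}
    # The CD reinstall overwrites the networking binaries with pre-SP4 copies
    # but leaves the registry marker untouched.
    files[r"C:\WINNT\system32\drivers\tcpip.sys"] = date(1996, 7, 1)
    files[r"C:\WINNT\system32\drivers\afd.sys"] = date(1996, 7, 1)
    return Host(registry, files)


def audit(host):
    """Report a false negative whenever the registry says patched but the
    file-level check disagrees; the disagreement is the finding."""
    by_reg = assess_by_registry(host)
    by_files, stale = assess_by_file_dates(host)
    return {"registry_says_patched": by_reg,
            "files_say_patched": by_files,
            "false_negative": by_reg and not by_files,
            "stale_files": stale}
```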
