[9437] in bugtraq


Re: ISS Internet Scanner Cannot be relied upon for conclusive

daemon@ATHENA.MIT.EDU (der Mouse)
Tue Feb 9 16:39:56 1999

Date: 	Tue, 9 Feb 1999 10:06:16 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG

>> [...] the old ioslogon bug [...ISS didn't find it...]

> [...response from someone who writes as if on behalf of ISS's makers;
> I can't recall whether mindspring.com is the ISS people or not...]

If ISS claims to check for the ioslogon bug, but actually checks (by
whatever means) for software versions known to have that bug, the claim
is a lie.  If you claim to check for the ioslogon bug, then that's what
you should do: try to exploit it and see if it works.  Who knows, maybe
there's another vulnerable version out there, or perhaps some
supposedly vulnerable versions don't happen to be vulnerable after all.

I can't remember offhand what this bug does.  If it's a "hang your
router" sort of thing, you may want to have *two* tests, potentially
independently controllable, "check for ioslogon bug (dangerous, may
crash your router)" and "check for software versions known to have
ioslogon bug (safe, requires SNMP)".  But claiming to check for the bug
when actually just checking the software version (via a means which can
be disabled without closing the bug, no less) is like a spamfighter
saying "your SMTP daemon claims to be an old Sun sendmail, therefore
you're an open relay": it's checking for the wrong thing.

> OK, so maybe you can explain just exactly how we're supposed to find
> out whether it is vulnerable if it won't talk to us?

Surely this is a bit of a no-brainer - why not just try the exploit and
see if it works?  That's certainly what an attacker will do.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
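The distinction the post draws, a "dangerous" active check and a "safe" version check that are separately controllable, with the report never saying "vulnerable" on version evidence alone, can be modelled in a scanner's result handling. The following is an added example and is not code from the post, from ISS, or from any scanner; the host names, version strings, affected-version list and both probe functions are constructed stand-ins, and the active probe merely returns the inventory's ground truth rather than triggering anything.

```python
"""Keep active verification and version inference apart in scanner findings.

Added example, not part of the original post. Every host, version string and
probe below is constructed; the active probe consults a table instead of
touching a device.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Evidence(Enum):
    VERIFIED = "verified vulnerable"                      # active check reproduced the bug
    NOT_REPRODUCED = "not reproduced"                     # active check ran, bug did not trigger
    VERSION_MATCH = "version on affected list (unverified)"
    VERSION_CLEAR = "version not on affected list (unverified)"
    UNKNOWN = "untested"                                  # no version readable, active check off


@dataclass
class Check:
    name: str
    dangerous: bool                         # may disrupt the target; operator opts in
    enabled: bool
    probe: Callable[[str], Optional[bool]]  # True/False, or None when the host gave no answer


@dataclass
class Finding:
    host: str
    evidence: Evidence
    source: str


def classify(host: str, version_check: Check, active_check: Check) -> Finding:
    """Active verification outranks version inference; inference is always labelled."""
    if active_check.enabled:
        hit = active_check.probe(host)
        if hit is True:
            return Finding(host, Evidence.VERIFIED, active_check.name)
        if hit is False:
            return Finding(host, Evidence.NOT_REPRODUCED, active_check.name)
    if version_check.enabled:
        listed = version_check.probe(host)
        if listed is True:
            return Finding(host, Evidence.VERSION_MATCH, version_check.name)
        if listed is False:
            return Finding(host, Evidence.VERSION_CLEAR, version_check.name)
    return Finding(host, Evidence.UNKNOWN, "none")


# Constructed inventory: reported version (None = SNMP disabled) and whether the
# device really has the bug. Versions and the affected list are invented.
INVENTORY: Dict[str, Tuple[Optional[str], bool]] = {
    "rtr-a": ("11.2(8)", True),   # on the list and actually vulnerable
    "rtr-b": ("11.3(1)", True),   # not on the list, still vulnerable (the post's "another version")
    "rtr-c": ("11.2(8)", False),  # on the list, but this build is not vulnerable after all
    "rtr-d": (None, True),        # SNMP disabled, bug still present
}
AFFECTED_VERSIONS = {"11.2(8)"}


def version_probe(host: str) -> Optional[bool]:
    """Safe check: compare the reported version with the affected list."""
    version = INVENTORY[host][0]
    return None if version is None else version in AFFECTED_VERSIONS


def active_probe(host: str) -> Optional[bool]:
    """Stand-in for the real trigger: returns the inventory's ground truth."""
    return INVENTORY[host][1]


def scan(hosts, run_dangerous: bool) -> Dict[str, Finding]:
    """Run the safe check always and the dangerous one only when the operator enables it."""
    version_check = Check("version-via-SNMP", dangerous=False, enabled=True, probe=version_probe)
    active_check = Check("trigger-the-bug", dangerous=True, enabled=run_dangerous, probe=active_probe)
    return {h: classify(h, version_check, active_check) for h in hosts}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- dangerous checks {'on' if mode else 'off'} ---")
        for host, finding in scan(INVENTORY, mode).items():
            print(f"{host}: {finding.evidence.value} [{finding.source}]")
```

With the dangerous check off, rtr-b (vulnerable, version not listed) comes out as "version not on affected list (unverified)" and rtr-d (SNMP disabled) as "untested", which is exactly the blind spot the post describes; only with the active check enabled do both become "verified vulnerable", and rtr-c is correctly cleared instead of being flagged on its version string.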
