[9480] in bugtraq
Re: ISS Internet Scanner Cannot be relied upon for conclusive
daemon@ATHENA.MIT.EDU (der Mouse)
Thu Feb 11 15:34:09 1999
Date: Wed, 10 Feb 1999 10:47:40 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
>> Surely this is a bit of a no-brainer - why not just try the exploit
>> and see if it works? That's certainly what an attacker will do.
> Let me hit you with another suggestion: if you know something about a
> box which suggests that an attack won't work, why try it?
Because the suggestion can be wrong.
> For example, if I do a port scan and cannot connect to the smtp port
> and later amongst the list of things to check are various sendmail
> bugs, should I still try them?
If you have some other access to sendmail, yes. If not, then it's not
just a "suggest[ion]" that the attack won't work; it's *certain* that
the attack won't work. If you have prior information that tells you it
*can't possibly* work, don't bother. If your prior information merely
says it *probably won't* work, it's still worth trying.
At least for a heavy scan.
> The expectation is that if a service is meant to be available, that
> it will at any time of a scan. If a service is not available then
> more than likely there is no point making further advanced checks.
Right. But the ioslogon bug does not depend on SNMP being available,
so SNMP being unavailable should not be taken as an indication that the
attack won't succeed.
Now this particular bug is an interesting case, because (I gather) it
is not possible to exploit it without doing damage. Some attacks (for
example, those which just get you a root shell) can be tried without
doing damage; with such attacks, there is no reason ISS (or moral
equivalent) shouldn't just try them. In cases like this, it should be
done only when specifically configured to do so, and when not so
configured, it shouldn't make any claim either way. (Here, if it can
coax a software version number out of the box, it would be reasonable
for it to spit out an "appears probably vulnerable" or "appears probably
not vulnerable" indication, or "can't tell" if it can't. This is not
the same thing as a definite vulnerable/not.)
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
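The reporting rule der Mouse argues for above (certain "not vulnerable" only when the check's own service is unreachable; harmless checks simply tried; destructive ones tried only when enabled, otherwise a hedged version-based verdict or "can't tell"), as an added example written for this page, not code from the thread or from ISS. The check definitions, version strings and probe functions are constructed stand-ins.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Set


class Verdict(Enum):
    VULNERABLE = "vulnerable"                  # the check itself succeeded
    NOT_VULNERABLE = "not vulnerable"          # certain: precondition absent, or check failed
    PROBABLY_VULNERABLE = "appears probably vulnerable"
    PROBABLY_NOT = "appears probably not vulnerable"
    CANT_TELL = "can't tell"


@dataclass
class HostFacts:
    open_ports: Set[int]
    versions: Dict[str, str]   # service name -> version string from a banner


@dataclass
class Check:
    name: str
    service: str               # the service this check actually depends on
    port: int                  # its port; unrelated services (e.g. SNMP) are irrelevant
    affected: Set[str]         # versions believed affected (constructed values)
    destructive: bool
    probe: Callable[[HostFacts], bool]   # the real test; stubbed below


def assess(check: Check, facts: HostFacts, allow_destructive: bool = False) -> Verdict:
    # Prior information that the attack *can't possibly* work: the service
    # it needs is unreachable. Only then is "not vulnerable" a certain claim.
    if check.port not in facts.open_ports:
        return Verdict.NOT_VULNERABLE
    # A harmless check, or a destructive one the operator explicitly enabled,
    # is simply tried: "probably won't work" is not a reason to skip it.
    if not check.destructive or allow_destructive:
        return Verdict.VULNERABLE if check.probe(facts) else Verdict.NOT_VULNERABLE
    # Destructive and not enabled: no definite claim either way, only a
    # hedged verdict from the version number, or "can't tell" without one.
    version = facts.versions.get(check.service)
    if version is None:
        return Verdict.CANT_TELL
    return Verdict.PROBABLY_VULNERABLE if version in check.affected else Verdict.PROBABLY_NOT


# Constructed checks; the lambdas stand in for real (non-damaging) probes.
SAFE_CHECK = Check("example smtp check", "sendmail", 25, {"8.8.x"}, False,
                   lambda f: f.versions.get("sendmail") == "8.8.x")
DESTRUCTIVE_CHECK = Check("example login check", "telnetd", 23, {"1.0"}, True,
                          lambda f: f.versions.get("telnetd") == "1.0")
```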