[9647] in bugtraq
Re: ISS Internet Scanner Brute Force Bug
daemon@ATHENA.MIT.EDU (David LeBlanc)
Thu Feb 18 19:28:00 1999
Date: Thu, 18 Feb 1999 17:26:49 -0500
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: alexander tampermeier <alex_tampermeier@hotmail.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990218075411.673.qmail@hotmail.com>

At 11:54 PM 2/17/99 PST, alexander tampermeier wrote:
>The Internet Scanner lets you brute force by using username/password
>pairs specified in the file default.login. I specified a known
>username/password pair but the scanner could not log in.
>The reason is that the Internet Scanner needs a carriage return after
>the last username/password pair. If it finds just an EOF marker then the
>password gets modified by adding an additional character.
>For example the password test is modified to testo.

I believe I fixed this several revisions ago. Although this may be
_BUG_TRAQ, the best place to report bugs in the scanner is to
support@iss.net. I'd suggest that you use vi, notepad, or some reasonable
text editor in the meantime. Just what text editor are you using?

In fact, I know I fixed this quite a while back, because I remember clearly
having to use VC++'s editor in binary mode to be able to produce a file
which would cause this problem. If you're running a recent version of the
scanner, please report which version to support@iss.net, and I'm sure we'll
get it fixed.

David LeBlanc
dleblanc@mindspring.com
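
The failure mode discussed in this thread (a final line that ends at EOF with no line terminator) is avoided by a reader that bounds every field by the line's real length. The following is an added example, not ISS's code and not part of the original message; the one-pair-per-line, blank-separated layout is an assumption about default.login, and the names `parse_pairs`, `copy_field` and `FIELD_MAX` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64                      /* hypothetical field size limit */
struct pair { char user[FIELD_MAX]; char pass[FIELD_MAX]; };

/* Copy exactly n bytes and terminate; reject empty or oversized fields. */
static int copy_field(char *dst, const char *src, size_t n)
{
    if (n == 0 || n >= FIELD_MAX) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "user<blank>password" lines (assumed format); returns pairs stored. */
size_t parse_pairs(const char *buf, size_t len, struct pair *out, size_t max)
{
    size_t pos = 0, count = 0;
    while (pos < len && count < max) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        /* A line ends at '\n' or at end of input; never read past either. */
        size_t n = nl ? (size_t)(nl - line) : len - pos;
        pos += n + (nl ? 1 : 0);
        if (n > 0 && line[n - 1] == '\r')   /* CRLF files */
            n--;
        size_t sep = 0;
        while (sep < n && line[sep] != ' ' && line[sep] != '\t')
            sep++;
        size_t start = sep;
        while (start < n && (line[start] == ' ' || line[start] == '\t'))
            start++;
        if (copy_field(out[count].user, line, sep) == 0 &&
            copy_field(out[count].pass, line + start, n - start) == 0)
            count++;                        /* malformed lines are skipped */
    }
    return count;
}

int main(void)
{
    const char data[] = "guest guest\r\nadmin test"; /* constructed; no final newline */
    struct pair p[4];
    size_t n = parse_pairs(data, sizeof data - 1, p, 4);
    for (size_t i = 0; i < n; i++)
        printf("%s / [%s]\n", p[i].user, p[i].pass);
    return 0;
}
```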