26th Sep 2002 [SBWID-5298]
COMMAND
Foundstone Fscan banner remote format string overflow
SYSTEMS AFFECTED
Foundstone Fscan 1.12 for Windows
PROBLEM
From Peter Gründl's [[email protected]] KPMG Denmark advisory [ID 2002014]:
If banner grabbing is turned on, Fscan will print the banner string
directly instead of using format specifiers (%s). This will cause any
%'s in the banner to be interpreted as format specifiers.
This issue is probably best clarified using a worst case scenario:
- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Admin's own PC in the security context Admin was using when he was scanning.
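The coding mistake the advisory describes (passing a received banner as the format string) and the two things a scanner should do instead, as an added example in C; this is not Fscan's code, and the helper names, host, port and banner bytes are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Count '%' characters in a captured banner. A banner carrying format
 * directives is exactly the input the advisory warns about, so a scanner
 * can flag it for review instead of trusting it. (Hypothetical helper.) */
size_t banner_percent_count(const char *banner) {
    size_t n = 0;
    for (const char *p = banner; *p; p++)
        if (*p == '%') n++;
    return n;
}

/* Render "host:port banner" for display. The banner is supplied as DATA
 * through "%s", never as the format string, so '%' sequences in it are
 * printed literally; non-printable bytes become '.' so terminal control
 * codes do not leak through either. Returns the number of characters
 * written (excluding the NUL), or -1 if 'out' is too small. */
int render_banner(const char *host, unsigned port, const char *banner,
                  char *out, size_t outlen) {
    char clean[256];
    size_t i = 0;
    for (const char *p = banner; *p && i < sizeof clean - 1; p++)
        clean[i++] = isprint((unsigned char)*p) ? *p : '.';
    clean[i] = '\0';
    /* Correct pattern: fixed, literal format string; untrusted text is an argument.
     * The vulnerable pattern would be printf(banner) with no literal format. */
    int n = snprintf(out, outlen, "%s:%u %s", host, port, clean);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void) {
    /* Constructed banner of the kind a rogue service could return. */
    const char banner[] = "220 mail %s%s%s ready\r\n";
    char line[128];
    int n = render_banner("192.0.2.10", 25, banner, line, sizeof line);
    printf("%s (%d chars, %zu '%%' seen)\n", line, n, banner_percent_count(banner));
    return 0;
}
```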
SOLUTION
Get version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html