Re: Comments re: Vulnerability Testing

From: mroat_private
Date: Sat Feb 13 1999 - 09:00:31 PST


    As a Network Associates customer, I'd like to dispute Thomas Ptacek and Alfred Huger's claims about CyberCop Scanner.  Obviously, they are the authors of CyberCop, but with some simple testing, it is clear that they are either wrong or misrepresenting their product.
    
    Serious false negatives:
    
    When I turned off all CC Scanner checks, except for the Email checks, it wouldn't find anything vulnerable, even on servers that I knew had a major vulnerability in sendmail. After spending many hours pulling my hair out trying to figure out why CC Scanner didn't find the vulnerabilities on servers that I knew were wide open, it turns out that you must turn on Information gathering checks in order for CCS to actually find any Email vulnerabilities.  I could not find this in any documentation and consider it a serious flaw.  This assumption of requiring Info Gathering checks turned on is undocumented and could lead users to very wrong conclusions.
    
    Serious False Positives:
    
    Then, I set up Netcat to send a sendmail banner on connection to port 25 (SMTP). Even though Alfred claims no reliance on version checking, CyberCop got fooled on the Sendmail banners, and even CyberCop has in the GUI a check called "Sendmail Banner Check".  Duh!
    
    Then, without anything special, just by having the Netcat program connecting on port 25, every single Sendmail buffer overflow check in CyberCop was returning as a false positive.  Obviously, their claim of actually exploiting the vulnerability is false. CCS isn't exploiting the vulnerability, but just trying to send garbage and, without any proof, making incorrect assumptions that it is vulnerable.
    
    I did try to call NAI's support to report these problems, and after 2 hrs of waiting to get someone, I hung up.  Hopefully this gets to the appropriate people at NAI to fix these problems.
    
    Anyway, I hope this sheds some light on some additional issues with all scanners.
    
    
    
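The banner-only listener test described in the message above can be reproduced as a scanner self-test. This is an added example, not part of the original message and not CyberCop's code: the banner text, host names and result labels are constructed, and the two check functions are hypothetical stand-ins for a banner-matching check and one that requires a real SMTP reply before trusting the banner.

```python
import socket
import threading

# Constructed greeting for the decoy; not taken from any real host.
FAKE_BANNER = b"220 mail.example.test ESMTP Sendmail 8.8.8/8.8.8; ready\r\n"

def start_banner_only_listener():
    """Listen on a free localhost port, send a banner, then ignore all input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)
                    while conn.recv(1024):
                        pass  # swallow whatever the scanner sends, never reply
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def banner_only_check(host, port, timeout=2.0):
    """Naive check: trusts the greeting text alone, so the decoy fools it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return b"Sendmail" in s.recv(1024)

def verified_check(host, port, timeout=2.0):
    """Treat the banner as a hint; confirm SMTP only on a 250 reply to HELO."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not s.recv(1024).startswith(b"220"):
            return "not-smtp"
        s.sendall(b"HELO scanner.example.test\r\n")
        try:
            reply = s.recv(1024)
        except socket.timeout:
            reply = b""  # silent peer: nothing behind the banner
        return "smtp-confirmed" if reply.startswith(b"250") else "banner-only-unverified"

if __name__ == "__main__":
    srv, port = start_banner_only_listener()
    print(banner_only_check("127.0.0.1", port), verified_check("127.0.0.1", port))
    srv.close()
```

A scanner that reports the second result separately lets the operator see that a finding rests on a greeting string and nothing else.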
    


