KPMG-2002014: Foundstone Fscan Format String Bug

From: Peter Gründl (pgrundlat_private)
Date: Fri Apr 19 2002 - 02:16:08 PDT


    --------------------------------------------------------------------
    
    Title: Foundstone Fscan Format String Bug
    
    BUG-ID: 2002014
    Released: 19th Apr 2002
    --------------------------------------------------------------------
    
    Problem:
    ========
    A flaw in Foundstone Fscan could result in a malicious service
    banner overwriting the stack and the EIP on the PC performing the
    scanning.
    
    
    Vulnerable:
    ===========
    - Foundstone Fscan 1.12 for Windows
    
    
    Details:
    ========
    If banner grabbing is turned on, Fscan passes the banner string to its
    output routine as the format string itself, instead of as an argument
    to a constant "%s" format. Any '%' in the banner is therefore
    interpreted as a format specifier.
    
    This issue is probably best clarified using a worst case scenario:
    
    - Attacker has taken over a host on a network.
    - Attacker has set up a service on "his" host that returns a
      malformed banner.
    - Admin uses Fscan to sweep his network on a regular basis.
    - Admin scans Attacker's PC with banner grabbing on to check for
      abnormal services.
    - When Admin scans the malicious service, his Fscan is "attacked".
    - Attacker has now overwritten the stack and the EIP on Admin's
      own PC in the security context Admin was using when he was
      scanning.
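The flaw described above, reduced to the two output calls that differ, as an added example in C. This is not part of the advisory and not Fscan's own code: Fscan's real output routine is not known from the page, so the banner text, buffer sizes and all function names here are constructed for illustration. The sample banner uses only "%%" so that both paths stay well defined; the difference in output shows that the vulnerable path parses the banner while the fixed path copies it. Two small defensive helpers follow: a counter for conversion directives in banner data (useful as a log check on scanner output) and an escaper that doubles every '%' for code paths that cannot be changed to a "%s" format.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample banner, standing in for what a malicious service
 * might return. Only "%%" is used so that behaviour stays well defined
 * on both paths; the point is that the banner gets parsed at all. */
static const char SAMPLE_BANNER[] = "220 mail.example.test ESMTP %% 100%% free";

/* The compiler warning for a non-literal format string (-Wformat-security)
 * is the first detection opportunity for this bug class; it is silenced
 * here only so the flawed pattern can sit beside the fix in one file. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* The flawed pattern the advisory describes: the untrusted banner is
 * handed to the output routine as the format string, so every '%' in
 * it is interpreted as a conversion specifier. (Hypothetical name.) */
int log_banner_vulnerable(char *out, size_t outlen, const char *banner)
{
    return snprintf(out, outlen, banner);
}

#pragma GCC diagnostic pop

/* Fixed pattern: the format string is a constant and the banner is
 * passed as an ordinary argument, so it is copied verbatim. */
int log_banner_fixed(char *out, size_t outlen, const char *banner)
{
    return snprintf(out, outlen, "%s", banner);
}

/* Defensive check for scanner output or log pipelines: count '%'
 * characters that would start a conversion (a lone '%', not "%%"). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints a literal '%': harmless */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Neutralise a banner by doubling every '%', for code paths that cannot
 * be changed to a "%s" format. Returns the bytes written, excluding the
 * terminating NUL; the output is truncated if it does not fit. */
size_t escape_percent(const char *in, char *out, size_t outlen)
{
    size_t w = 0;
    if (outlen == 0)
        return 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (w + need >= outlen)   /* keep room for the NUL */
            break;
        out[w++] = *in;
        if (*in == '%')
            out[w++] = '%';
    }
    out[w] = '\0';
    return w;
}

/* 1 if the banner comes out of the vulnerable path changed, i.e. it was
 * interpreted rather than copied; 0 if it survived verbatim. */
int vulnerable_path_alters(const char *banner)
{
    char buf[256];
    log_banner_vulnerable(buf, sizeof buf, banner);
    return strcmp(buf, banner) != 0;
}

/* 1 if the fixed path reproduces the banner byte for byte. */
int fixed_path_preserves(const char *banner)
{
    char buf[256];
    log_banner_fixed(buf, sizeof buf, banner);
    return strcmp(buf, banner) == 0;
}

/* 1 if escaping first makes the banner survive even the vulnerable path. */
int escaped_banner_survives(const char *banner)
{
    char escaped[256], buf[256];
    escape_percent(banner, escaped, sizeof escaped);
    log_banner_vulnerable(buf, sizeof buf, escaped);
    return strcmp(buf, banner) == 0;
}

int main(void)
{
    char buf[256];
    log_banner_vulnerable(buf, sizeof buf, SAMPLE_BANNER);
    printf("vulnerable: %s\n", buf);
    log_banner_fixed(buf, sizeof buf, SAMPLE_BANNER);
    printf("fixed:      %s\n", buf);
    printf("directives in \"load: %%d%%%% (%%s)\": %d\n",
           count_format_directives("load: %d%% (%s)"));
    return 0;
}
```

Compiled without the pragma, gcc and clang flag the `snprintf(out, outlen, banner)` call under `-Wformat-security`; treating that warning as an error in the build is the cheapest way to keep this class of bug out of a scanner or any other tool that prints data received from the network.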
    
    
    More Information:
    =================
    Guardent has published a small whitepaper on Format String Attacks:
    http://www.guardent.com/docs/FormatString.PDF
    
    
    Vendor URL:
    ===========
    You can visit the vendor's webpage here: http://www.foundstone.com
    
    
    Vendor response:
    ================
    The vendor was contacted on the 14th of April, 2002. The vendor
    identified the problem as a format string bug. On the 17th of April,
    2002 I received a new version of Fscan that solved the issue. On the
    18th of April, 2002 the vendor put that version online for download.
    
    
    Corrective action:
    ==================
    The vendor has corrected the issue and put version 1.14 online:
    http://www.foundstone.com/knowledge/proddesc/fscan.html
    
    
    Author: Peter Gründl (pgrundlat_private)
    
    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be
    liable for any consequences whatsoever arising out of or in
    connection with the use or spread of this information.
    --------------------------------------------------------------------
    