Re: Cybercop scanner returning false positive? IPP overflow on IIS4

From: Max Vision (visionat_private)
Date: Fri May 25 2001 - 14:45:14 PDT

    Hi,
    
    This may be the same issue that was raised by Paul Cardon <paulat_private> on
    Bugtraq a few weeks ago.  He wasn't talking about Cybercop in particular,
    but it is likely that they suffer from the same failed testing
    methodology.
    
    Cybercop sends a "host:" overflow of 420 "A" characters (someone there has
    a sense of humor:) which is sufficiently long to trigger the overflow.
    However it may be too long, causing the server to stop responding.  The
    proposed solution is to send just slightly over the trigger threshold that
    causes a patched server to not respond (>256 characters) yet not overflow
    the buffer.  ipptest.pl sends 257 bytes. webexplt.pl sends 430 bytes.
    
    Paul's summary was:
    - If no response is returned the system has been patched.
    - If a 500 error is returned the server is unpatched.
    - If a 404 error is returned the .printer mapping has been removed.
    
    So Cybercop's new module 10091 (in mod10000.dll) is probably using the
    "no-response" method of testing and sending too long a string.  I don't
    want to publicly reverse engineer what they are doing (ahem) so I can only
    offer my guess.
    
    I do not know why the tests would come back differently in your two
    environments though.
    
    I have packet captures of the Cybercop test if anyone is interested.
    
    Max Vision
    http://whitehats.com/
    
    On Fri, 25 May 2001 Colin_Kushnierat_private wrote:
    > I have a question regarding the behavior of module 10091 (newly released in
    > update 5.5-200106?) in Cybercop 5.5 on NT4.
    >
    > While scanning a group of IIS4.0 servers in one environment, this module, which
    > checks for the IIS IPP ISAPI extension buffer overflow of Microsoft bulletin
    > <http://www.microsoft.com/technet/security/bulletin/MS01-023.asp> returns
    > positive. According to the bulletin and my understanding of the vulnerability,
    > it affects IIS5.0 only.
    > Scanning IIS4.0 servers in a different environment returns no results for this
    > module, ie. false.
    >
    > I haven't yet contacted NAI, I was wondering if anyone has seen similar
    > results...
    >
    > Thanks,
    >
    > Colin
    >
    >
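
The non-destructive check described in Max's post, written out as an added example (this is not code from the thread, from ipptest.pl, webexplt.pl or Cybercop). It sends a Host header of 257 bytes, one over the 256-byte threshold, rather than the 420/430-byte strings that can knock a vulnerable server over, and classifies the reply with the three rules Paul Cardon gave: no response means patched, 500 means unpatched, 404 means the .printer mapping has been removed. Assumed and not stated on the page: the probe URI /NULL.printer (the conventional path used by public test scripts; any .printer URI reaches the ISAPI extension), HTTP/1.0, and a 10-second read timeout standing in for "no response".

```python
"""Added example: a low-impact probe for the IIS .printer ISAPI overflow
(MS01-023) using the 257-byte Host header and the no-response / 500 / 404
classification quoted in the thread.  Not from the original post or tools.

Assumptions (not stated on the page): /NULL.printer as the probe URI, HTTP/1.0,
and a socket timeout treated as "no response".
"""
import socket
from typing import Optional

THRESHOLD = 256             # Host length above which a patched server stops answering
PROBE_LEN = THRESHOLD + 1   # 257 bytes, as ipptest.pl sends; well short of 420/430
PROBE_PATH = "/NULL.printer"  # assumption: conventional probe URI for the extension


def build_request(host_len: int = PROBE_LEN, path: str = PROBE_PATH) -> bytes:
    """Build the raw HTTP/1.0 request carrying an oversized Host header."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {'A' * host_len}\r\n"
        "\r\n"
    ).encode("ascii")


def classify(response: Optional[bytes]) -> str:
    """Map a raw HTTP response (None or empty = no response) to a verdict.

    Rules from Paul Cardon's Bugtraq post, as quoted in the thread:
      no response -> patched
      HTTP 500    -> unpatched
      HTTP 404    -> .printer mapping removed
    Anything else is reported as unknown rather than guessed at.
    """
    if not response:
        return "patched (no response to >256-byte Host header)"
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown (non-HTTP reply)"
    code = parts[1]
    if code == b"500":
        return "unpatched (500 from .printer extension)"
    if code == b"404":
        return ".printer mapping removed (404)"
    return f"unknown (HTTP {code.decode(errors='replace')})"


def probe(host: str, port: int = 80, timeout: float = 10.0) -> str:
    """Send the 257-byte probe to a live server and classify what comes back.

    A timeout or reset is treated as "no response"; this is the assumption the
    whole method rests on, so run it against a known-good host first.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request())
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return classify(b"".join(chunks))
    except (socket.timeout, ConnectionResetError, ConnectionRefusedError):
        return classify(None)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it as `python ipp_probe.py <host>`. The verdict hinges on the timeout being read as "patched", which is exactly the ambiguity Max raises about Cybercop's module: a server that has simply hung, or a filtered port, looks the same as a patched one, so a "patched" result from a single probe is weaker evidence than a 500 or 404.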
    



    This archive was generated by hypermail 2b30 : Sun May 27 2001 - 00:11:43 PDT