Retina 3.5 beta is smart enough to test for the IPP overflow by using a certain buffer size which returns differently on patched/unpatched systems, so we can therefore tell remotely if a system is vulnerable or not without having to crash the service. I forget the exact buffer size we send, but I am sure someone can sniff Retina and figure it out.

If anyone has problems with Retina 3.5 detecting the IPP overflow correctly then send me an email personally and we will make sure to work to fix it ASAP!

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall

| -----Original Message-----
| From: Max Vision [mailto:visionat_private]
| Sent: Friday, May 25, 2001 2:45 PM
| To: PEN-TESTat_private; Colin_Kushnierat_private
| Subject: Re: Cybercop scanner returning false positive? IPP overflow on IIS4
|
| Hi,
|
| This may be the same issue that was raised by Paul Cardon <paulat_private> on
| Bugtraq a few weeks ago. He wasn't talking about Cybercop in particular,
| but it is likely that they suffer from the same failed testing
| methodology.
|
| Cybercop sends a "host:" overflow of 420 "A" characters (someone there has
| a sense of humor :) which is sufficiently long to trigger the overflow.
| However it may be too long, causing the server to stop responding. The
| proposed solution is to send just slightly over the trigger threshold that
| causes a patched server to not respond (>256 characters) yet not overflow
| the buffer. ipptest.pl sends 257 bytes. webexplt.pl sends 430 bytes.
|
| Paul's summary was:
| - If no response is returned the system has been patched.
| - If a 500 error is returned the server is unpatched.
| - If a 404 error is returned the .printer mapping has been removed.
|
| So Cybercop's new module 10091 (in mod10000.dll) is probably using the
| "no-response" method of testing and sending too long a string. I don't
| want to publicly reverse engineer what they are doing (ahem) so I can only
| offer my guess.
|
| I do not know why the tests would come back differently in your two
| environments though.
|
| I have packet captures of the Cybercop test if anyone is interested.
|
| Max Vision
| http://whitehats.com/
|
| On Fri, 25 May 2001 Colin_Kushnierat_private wrote:
| > I have a question regarding the behavior of module 10091 (newly released in
| > update 5.5-200106?) in Cybercop 5.5 on NT4.
| >
| > While scanning a group of IIS4.0 servers in one environment, this module, which
| > checks for the IIS IPP ISAPI extension buffer overflow of Microsoft bulletin
| > <http://www.microsoft.com/technet/security/bulletin/MS01-023.asp> returns
| > positive. According to the bulletin and my understanding of the vulnerability,
| > it affects IIS5.0 only.
| > Scanning IIS4.0 servers in a different environment returns no results for this
| > module, ie. false.
| >
| > I haven't yet contacted NAI, I was wondering if anyone has seen similar
| > results...
| >
| > Thanks,
| >
| > Colin
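The non-crashing test methodology relayed in the thread above (send a Host header just over 256 bytes, then read the reply as patched / unpatched / mapping removed), written out as an added Python example. This is not code from the thread, from eEye's Retina, or from NAI's Cybercop module. Two things the thread does not state and that are assumed here: the probed URL is /NULL.printer (the path the public ipptest.pl and webexplt.pl scripts used; any path that reaches the .printer mapping should behave the same), and the Host value is 257 bytes of "A", which is just past the threshold the thread gives and well short of the 420 bytes that trigger the overflow. The sample replies at the bottom are constructed for offline use, not captured traffic.

```python
"""Non-crashing probe for the MS01-023 .printer ISAPI overflow.

Added example following the methodology relayed in the thread above;
not eEye/NAI code.  Assumptions (not stated in the thread):
  * probe path /NULL.printer (the path the public test scripts used)
  * Host header of 257 bytes, just over the >256-byte threshold and
    below the ~420 bytes that actually overflow the buffer
"""
import socket
from typing import Optional

PROBE_PATH = "/NULL.printer"  # assumed path, see module docstring
HOST_LEN = 257                # just past the 256-byte threshold from the thread


def build_probe(host_len: int = HOST_LEN, path: str = PROBE_PATH) -> bytes:
    """Build the HTTP/1.0 request carrying the oversized Host header."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {'A' * host_len}\r\n"
        "\r\n"
    ).encode("ascii")


def classify(response: Optional[bytes]) -> str:
    """Map the server's reply (or lack of one) onto the three cases in the thread:
    no reply -> patched, 500 -> unpatched, 404 -> .printer mapping removed."""
    if not response:
        return "patched"          # a patched server drops the long Host silently
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"          # not an HTTP status line; do not guess
    code = parts[1]
    if code == b"500":
        return "unpatched"        # the ISAPI extension choked on the Host header
    if code == b"404":
        return "mapping-removed"  # .printer no longer mapped to the extension
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a live server and classify the answer (network use only)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # silence within the timeout is the "patched" case
    return classify(b"".join(chunks))


# Constructed sample replies so classify() can be exercised offline.
SAMPLE_UNPATCHED = b"HTTP/1.1 500 Server Error\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
SAMPLE_REMOVED = b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
SAMPLE_SILENT = b""

if __name__ == "__main__":
    for label, reply in (("500 reply", SAMPLE_UNPATCHED),
                         ("404 reply", SAMPLE_REMOVED),
                         ("no reply", SAMPLE_SILENT)):
        print(f"{label:10s} -> {classify(reply)}")
```

Only a 500 is reported as "unpatched"; a host that never had the .printer mapping, or that has had it removed, yields a 404 and is not flagged, and a server that simply does not answer is read as patched rather than as crashed, which is the whole point of staying under the overflow length.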
This archive was generated by hypermail 2b30 : Sun May 27 2001 - 09:08:34 PDT