Foundstone Research Labs Advisory - 091802-ISSC

Advisory Name: Remotely Exploitable Buffer Overflow in ISS Scanner
 Release Date: September 18, 2002
  Application: ISS Scanner 6.2.1
    Platforms: Windows NT/2000/XP
     Severity: Remote code execution
      Vendors: Internet Security Systems (http://www.iss.net)
      Authors: Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate: CAN-2002-1122
    Reference: http://www.foundstone.com/advisories

Overview:

The license banner HTTP check performed by ISS Scanner does not check
the
length of the data returned by the web server being tested. As a result,
a malicious host could be configured to return a long HTTP response that
causes code execution on the ISS Scanner host.

Detailed Description:

A malicious web server could be setup to return a long HTTP result code,
such that when the ISS Scanner attempts to perform a license
advertisement via an HTTP banner check, a reply is returned that
executes arbitrary code on the ISS Scanner host.

Vendor Response:

ISS has issued a fix for this vulnerability. It is included within
X-Press Update 6.17.

Solution:

We recommend applying the vendor patch.

Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given,
express, or implied as to its accuracy or completeness. In no
event shall the author or Foundstone be liable for any direct,
indirect, incidental, special, exemplary or consequential
damages resulting from the use or misuse of this information.
This advisory may be redistributed, provided that no fee is
assigned and that the advisory is not modified in any way.