ISS Internet Scanner Brute Force Bug

alexander tampermeier (alex_tampermeier@HOTMAIL.COM)
Wed, 17 Feb 1999 23:54:11 PST 

The Internet Scanner lets you brute force by using username/password
pairs specified in the file default.login. I specified a known
username/password pair but the scanner could not login.
The reason is that the Internet Scanner needs a carriage return after
the last username/password pair. If it finds just an EOF marker then the
password gets modified by adding an additional character.
For example the password test is modified to testo.

Alexander

alex_tampermeier@hotmail.com

--------------------------------------------------------------------------

Re: ISS Internet Scanner Brute Force Bug

David LeBlanc (dleblanc@MINDSPRING.COM)
Thu, 18 Feb 1999 17:26:49 -0500 

At 11:54 PM 2/17/99 PST, alexander tampermeier wrote:
>The Internet Scanner lets you brute force by using username/password
>pairs specified in the file default.login. I specified a known
>username/password pair but the scanner could not login.
>The reason is that the Internet Scanner needs a carriage return after
>the last username/password pair. If it finds just an EOF marker then the
>password gets modified by adding an additional character.
>For example the password test is modified to testo.

I believe I fixed this several revisions ago.  Although this may be
_BUG_TRAQ, the best place to report bugs in the scanner is to
support@iss.net.  I'd suggest that you use vi, notepad, or some reasonable
text editor in the meantime.  Just what text editor are you using?

In fact, I know I fixed this quite a while back, because I remember clearly
having to use VC++'s editor in binary mode to be able to produce a file
which would cause this problem.  If you're running a recent version of the
scanner, please report which version to support@iss.net, and I'm sure we'll
get it fixed.


David LeBlanc
dleblanc@mindspring.com

--------------------------------------------------------------------------

Re: ISS Internet Scanner Brute Force Bug

David LeBlanc (dleblanc@MINDSPRING.COM)
Fri, 19 Feb 1999 09:52:20 -0500 

At 10:18 AM 2/19/99 -0000, Stephen Bishop wrote:
>David,

>> I'd suggest that you use vi, notepad, or some reasonable
>> text editor in the meantime.  Just what text editor are you using?

>At the risk of getting off the subject, I've come across many situations
where
>having the last line in a file without a line terminator has caused problems,
>so I think software should always be written to handle this situation. And
>even Emacs (which, otherwise, solves all life's problems) allows me to create
>a file with no line terminator at the end.

I agree.  I thought the same thing when I fixed this a long time ago.  I
looked at the code last night, and it looks like it is handling this
situation just fine.  Since the bug does appear to be in recent builds
(somehow), the work-around would be to place either a blank line or a
comment (start the line with #) as the last line.  Or simply hit the enter
key at the end of each line.

My version of vi does not allow this, hmmm - checking a few others...

Here's what I've found:
Terminates all lines:
vi (Congruent GNU port from ftp.cc.utexas - actually elvis)
Word
Wordpad
edit
edlin (and adds a ^Z)

Does NOT terminate:
notepad
copy con [file]
VC++ text editor

<joke> Moral of story - always use vi, and life is good 8-)

BTW, as a pre-emptive strike against this one, there _is_ a bug in the NT
scanner where we're not handling LF-delimited files properly.  If you
happen to have created your user-password pairs under UNIX, run tr on the
file before using it in the scanner.  Alternately, open it in Word and save
it back out. Notepad will NOT help - it doesn't deal with LF-delimited
files correctly either.  NT's version of perl also makes this easy -
running the following script does it:

while(<>){print;}


David LeBlanc
dleblanc@mindspring.com