exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

fscan.txt

fscan.txt
Posted Apr 25, 2002
Authored by Peter Grundl

A format string bug in Foundstone Fscan v1.12 for Windows can result in a malicious service banner overwriting the stack and the EIP on the PC performing the scanning, if banner grabbing is enabled. Fix available here.

systems | windows
SHA-256 | 48240b9faf31846718310f57a76c6e7c7d0a140705f914f460b711509490f1c7

fscan.txt

Change Mirror Download
--------------------------------------------------------------------

Title: Foundstone Fscan Format String Bug

BUG-ID: 2002014
Released: 19th Apr 2002
--------------------------------------------------------------------

Problem:
========
A flaw in Foundstone Fscan could result in a malicious service
banner overwriting the stack and the EIP on the PC performing the
scanning.


Vulnerable:
===========
- Foundstone Fscan 1.12 for Windows


Details:
========
If banner grabbing is turned on, Fscan will print the banner string
directly instead of using format specifiers (%s). This will cause
any %'s in the banner to be interpreted as format specifiers.

This issue is probably best clarified using a worst case scenario:

- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a
malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for
abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked"
- Attacker has now overwritten the stack and the EIP on Admin's
own PC in the security context Admin was using when he was
scanning.


More Information:
=================
Guardent has published a small whitepaper on Format String Attacks:
http://www.guardent.com/docs/FormatString.PDF


Vendor URL:
===========
You can visit the vendors webpage here: http://www.foundstone.com


Vendor response:
================
The vendor was contacted on the 14th of April, 2002. The vendor
identified the problem as a format string bug. On the 17th of April,
2002 I received a new version of Fscan that solved the issue. On the
18th of April, 2002 the vendor put that version online for download.


Corrective action:
==================
The vendor has corrected the issue and put version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html


Author: Peter Gr√ľndl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close