--------------------------------------------------------------------
Title: Foundstone Fscan Format String Bug
BUG-ID: 2002014
Released: 19th Apr 2002
--------------------------------------------------------------------

Problem:
========
A flaw in Foundstone Fscan could result in a malicious service banner
overwriting the stack and the EIP on the PC performing the scanning.

Vulnerable:
===========
- Foundstone Fscan 1.12 for Windows

Details:
========
If banner grabbing is turned on, Fscan passes the banner received from
the remote service directly to a printf-style function as the format
string, instead of printing it as data through a fixed format ("%s").
Any '%' sequences in the banner are therefore interpreted as format
specifiers. In the usual exploitation of this bug class, "%x" and "%s"
read the scanner's stack and "%n" writes to an address taken from the
stack, which is enough to overwrite a saved return address and control
EIP.

This issue is probably best clarified using a worst case scenario:

- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a malicious
  banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for
  abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked".
- Attacker has now overwritten the stack and the EIP on Admin's own PC
  in the security context Admin was using when he was scanning.

More Information:
=================
Guardent has published a small whitepaper on Format String Attacks:
http://www.guardent.com/docs/FormatString.PDF

Vendor URL:
===========
You can visit the vendor's webpage here:
http://www.foundstone.com

Vendor response:
================
The vendor was contacted on the 14th of April, 2002. The vendor
identified the problem as a format string bug. On the 17th of April,
2002 I received a new version of Fscan that solved the issue. On the
18th of April, 2002 the vendor put that version online for download.
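Illustration:
=============
The following C program is an added example; it is not Fscan's code and
was not supplied by Foundstone or KPMG. The function names and the two
sample banners are constructed for illustration. It places the bug class
from the Details section (a received banner used as the printf format
string) next to the corrected call, and adds two scanner-side checks a
banner grabber can run on what it receives: a count of the format
directives printf() would act on, and a detector for "%n", the directive
that turns stack reads into a memory write.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample banners (not real Fscan output).  The "malicious"
 * one is the kind of string a rogue service could return to a banner
 * grabber: four stack reads followed by a write. */
static const char BENIGN_BANNER[]    = "220 ftp.example FTP server ready\r\n";
static const char MALICIOUS_BANNER[] = "220 evil.example FTP %x %x %x %x %n\r\n";

/* VULNERABLE pattern (the Fscan 1.12 bug class): the banner *is* the
 * format string, so printf() interprets every '%' it contains.  It is
 * only ever called with a '%'-free banner below; with MALICIOUS_BANNER
 * this is undefined behaviour (stack reads via %x, a write via %n). */
static void print_banner_vulnerable(const char *banner)
{
    printf(banner);
}

/* FIXED pattern: the banner is an argument, the format is a constant. */
static void print_banner_fixed(const char *banner)
{
    printf("%s", banner);
}

/* Number of conversion directives printf() would act on.  "%%" is a
 * literal percent sign and does not count. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* True if the string contains a %n directive (with any flags, width,
 * positional "$" or length modifier such as "%5$hn"), i.e. the directive
 * that lets an attacker write to memory instead of only reading it. */
bool has_write_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" */
            continue;
        while (*p && strchr("0123456789.-+ #$hljztL", *p))
            p++;                /* skip flags, width, precision, length */
        if (*p == 'n')
            return true;
        if (!*p)                /* lone '%' at end of string */
            break;
    }
    return false;
}

/* Hardened renderer: the banner is copied as DATA through a fixed "%s"
 * format, and bytes outside printable ASCII are replaced by '.', so a
 * banner can neither drive printf() nor push terminal control sequences
 * into the scan log.  Returns the length of the rendered string. */
size_t render_banner_fixed(const char *banner, char *out, size_t outsz)
{
    char printable[256];
    size_t i;

    for (i = 0; banner[i] && i < sizeof printable - 1; i++) {
        unsigned char c = (unsigned char)banner[i];
        printable[i] = (c >= 0x20 && c <= 0x7e) ? (char)c : '.';
    }
    printable[i] = '\0';

    int n = snprintf(out, outsz, "%s", printable);   /* fixed format */
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char line[128];

    /* The vulnerable call is harmless for a banner without '%' ... */
    print_banner_vulnerable(BENIGN_BANNER);
    /* ... while the fixed call is safe for any banner, this one included. */
    print_banner_fixed(MALICIOUS_BANNER);

    printf("directives in malicious banner: %d, contains %%n: %s\n",
           count_format_directives(MALICIOUS_BANNER),
           has_write_directive(MALICIOUS_BANNER) ? "yes" : "no");

    render_banner_fixed(MALICIOUS_BANNER, line, sizeof line);
    printf("logged as: %s\n", line);
    return 0;
}
```

Building with `cc -Wall -Wformat-security` makes the compiler flag the
vulnerable call ("format not a string literal and no format arguments"),
which is the cheapest way to find this pattern in a code base. Note that
the program never feeds the malicious banner to the vulnerable function:
that path is undefined behaviour, and the checks exist so that a scanner
can log or reject such a banner before any printf-style call sees it.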
Corrective action:
==================
The vendor has corrected the issue and put version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to the
professional security community. In no event shall KPMG be liable for
any consequences whatsoever arising out of or in connection with the
use or spread of this information.
--------------------------------------------------------------------