Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2812
HistoryApr 20, 2002 - 12:00 a.m.

KPMG-2002014: Foundstone Fscan Format String Bug

2002-04-2000:00:00
vulners.com
16

Title: Foundstone Fscan Format String Bug

BUG-ID: 2002014
Released: 19th Apr 2002

Problem:

A flaw in Foundstone Fscan could result in a malicious service
banner overwriting the stack and the EIP on the PC performing the
scanning.

Vulnerable:

  • Foundstone Fscan 1.12 for Windows

Details:

If banner grabbing is turned on, Fscan will print the banner string
directly instead of using format specifiers (%s). This will cause
any %'s in the banner to be interpreted as format specifiers.

This issue is probably best clarified using a worst case scenario:

  • Attacker has taken over a host on a network.
  • Attacker has set up a service on "his" host that returns a
    malformed banner.
  • Admin uses Fscan to sweep his network on a regular basis.
  • Admin scans Attacker's PC with banner grabbing on to check for
    abnormal services.
  • When Admin scans the malicious service, his Fscan is "attacked"
  • Attacker has now overwritten the stack and the EIP on Admin's
    own PC in the security context Admin was using when he was
    scanning.

More Information:

Guardent has published a small whitepaper on Format String Attacks:
http://www.guardent.com/docs/FormatString.PDF

Vendor URL:

You can visit the vendors webpage here: http://www.foundstone.com

Vendor response:

The vendor was contacted on the 14th of April, 2002. The vendor
identified the problem as a format string bug. On the 17th of April,
2002 I received a new version of Fscan that solved the issue. On the
18th of April, 2002 the vendor put that version online for download.

Corrective action:

The vendor has corrected the issue and put version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html

Author: Peter Gründl ([email protected])


KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.