COMMAND

    Foundstone Fscan banner remote format string overflow

SYSTEMS AFFECTED

    Foundstone Fscan 1.12 for Windows

PROBLEM

    From the Peter Gründl [pgrundl@kpmg.dk] KPMG Denmark advisory [ID 2002014]:

    If banner grabbing is turned on, Fscan will print the banner string
    directly instead of using format specifiers (%s). This will cause any
    %'s in the banner to be interpreted as format specifiers.

    This issue is probably best clarified using a worst case scenario:

    - Attacker has taken over a host on a network.
    - Attacker has set up a service on "his" host that returns a malformed
      banner.
    - Admin uses Fscan to sweep his network on a regular basis.
    - Admin scans Attacker's PC with banner grabbing on to check for
      abnormal services.
    - When Admin scans the malicious service, his Fscan is "attacked".
    - Attacker has now overwritten the stack and the EIP on Admin's own PC
      in the security context Admin was using when he was scanning.

SOLUTION

    Get version 1.14 online:
    http://www.foundstone.com/knowledge/proddesc/fscan.html
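The defect the advisory describes is a grabbed banner being used as the printf format rather than as an argument. The following is an added illustration, not Fscan's code: it shows the correct "%s" handling of a banner (with non-printable bytes neutralised and the output bounded), and a check that counts '%' bytes so a scanner can flag a host whose banner looks like a format string. The banner value is constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample banner of the kind the advisory describes. It carries
 * format directives, so it must only ever be passed to printf() as data. */
static const char MALICIOUS_BANNER[] = "220 mail ready %x%x%x%n";

/* Count '%' bytes in a banner. A non-zero result is worth flagging in the
 * scan log: legitimate service banners very rarely contain '%'. */
size_t count_percent_signs(const char *banner) {
    size_t n = 0;
    for (; *banner; banner++)
        if (*banner == '%') n++;
    return n;
}

/* Render a grabbed banner for display. The format string is the literal
 * "banner: %s"; the banner is its argument, never the format itself.
 * Non-printable bytes become '.', and the output is bounded by outlen.
 * Returns the number of bytes written, excluding the terminator. */
size_t render_banner(const char *banner, char *out, size_t outlen) {
    /* Vulnerable pattern the advisory describes (never do this):
     *     printf(banner);        or      snprintf(out, outlen, banner);
     * Any '%' in the banner is then interpreted as a directive. */
    char clean[256];
    size_t i;
    for (i = 0; banner[i] && i < sizeof clean - 1; i++)
        clean[i] = isprint((unsigned char)banner[i]) ? banner[i] : '.';
    clean[i] = '\0';
    int written = snprintf(out, outlen, "banner: %s", clean);
    if (written < 0 || outlen == 0) return 0;
    return (size_t)written < outlen ? (size_t)written : outlen - 1;
}

int main(void) {
    char out[300];
    render_banner(MALICIOUS_BANNER, out, sizeof out);
    printf("%s (%zu '%%' bytes)\n", out, count_percent_signs(MALICIOUS_BANNER));
    return 0;
}
```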