From Marshall.beddoe@foundstone.com Fri Sep 20 05:12:32 2002 From: Marshall Beddoe To: announce Date: Wed, 18 Sep 2002 09:59:34 -0700 Subject: [VulnWatch] Foundstone Research Labs Advisory - Remotely Exploitable Buffer Overflow in ISS Scanner Foundstone Research Labs Advisory - 091802-ISSC Advisory Name: Remotely Exploitable Buffer Overflow in ISS Scanner Release Date: September 18, 2002 Application: ISS Scanner 6.2.1 Platforms: Windows NT/2000/XP Severity: Remote code execution Vendors: Internet Security Systems (http://www.iss.net) Authors: Tony Bettini (tony.bettini@foundstone.com) CVE Candidate: CAN-2002-1122 Reference: http://www.foundstone.com/advisories Overview: The license banner HTTP check performed by ISS Scanner does not check the length of the data returned by the web server being tested. As a result, a malicious host could be configured to return a long HTTP response that causes code execution on the ISS Scanner host. Detailed Description: A malicious web server could be setup to return a long HTTP result code, such that when the ISS Scanner attempts to perform a license advertisement via an HTTP banner check, a reply is returned that executes arbitrary code on the ISS Scanner host. Vendor Response: ISS has issued a fix for this vulnerability. It is included within X-Press Update 6.17. Solution: We recommend applying the vendor patch. Disclaimer: The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing, but no representation of any warranty is given, express, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.