22nd Apr 2002 [SBWID-5298]
COMMAND
Foundstone Fscan banner remote format string overflow
SYSTEMS AFFECTED
Foundstone Fscan 1.12 for Windows
PROBLEM
From Peter Gründl's [pgrundl@kpmg.dk] KPMG Denmark advisory [ID 2002014]:
If banner grabbing is turned on, Fscan will print the banner string
directly instead of using format specifiers (%s). This will cause any
%'s in the banner to be interpreted as format specifiers.
This issue is probably best clarified using a worst case scenario:
- Attacker has taken over a host on a network.
- Attacker has set up a service on "his" host that returns a
malformed banner.
- Admin uses Fscan to sweep his network on a regular basis.
- Admin scans Attacker's PC with banner grabbing on to check for
abnormal services.
- When Admin scans the malicious service, his Fscan is "attacked"
- Attacker has now overwritten the stack and the EIP on Admin's
own PC in the security context Admin was using when he was
scanning.
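The bug class described above, as an added example that is not Fscan's own code: a scanner-side routine that hands the grabbed banner to printf-family code as the format string (the pattern the advisory attributes to Fscan 1.12) next to the fixed form that passes it as a "%s" argument, plus a check that flags banners carrying argument-consuming directives. The banners and function names are constructed for this example; no service was contacted. The vulnerable routine is only ever called with a banner containing "%%", the one directive that is well defined with no arguments, because calling it with "%x" or "%n" is exactly the undefined behaviour the advisory warns about.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample banners (not captured from any real host). */
static const char BENIGN_BANNER[]  = "220 mail.example.test ESMTP ready";
static const char PERCENT_BANNER[] = "220 100%% uptime";   /* "%%" consumes no argument */
static const char HOSTILE_BANNER[] = "220 %x.%x.%x.%n";    /* what a malicious service would return */

/* VULNERABLE (the pattern the advisory describes): the banner itself is the
 * format string, so every '%' in attacker-controlled data is parsed as a
 * directive. "%x" leaks stack words, "%n" writes to memory. Only ever call
 * this with a "%%"-only banner; anything else is undefined behaviour. */
int print_banner_unsafe(char *out, size_t outlen, const char *banner)
{
    const char *fmt = banner;             /* hypothetical legacy code path */
    return snprintf(out, outlen, fmt);
}

/* FIXED: a constant "%s" format with the banner as its argument. The bytes
 * are copied verbatim and never interpreted, whatever the peer sent. */
int print_banner_safe(char *out, size_t outlen, const char *banner)
{
    return snprintf(out, outlen, "%s", banner);
}

/* Defence-in-depth check a scanner can run on a grabbed banner before any
 * logging: count '%' directives that would consume an argument, i.e. every
 * '%' except the literal "%%". A non-zero result means the banner is hostile
 * to any code path that still uses it as a format string. */
int count_arg_directives(const char *banner)
{
    int n = 0;
    for (const char *p = banner; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                /* "%%" prints a single '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Shows the two paths diverge even on a harmless "%%" banner: the unsafe
 * path collapses "%%" to "%", proving the banner was interpreted as a
 * format, while the safe path preserves it byte for byte. */
bool unsafe_path_interprets_banner(void)
{
    char a[128], b[128];
    print_banner_unsafe(a, sizeof a, PERCENT_BANNER);
    print_banner_safe(b, sizeof b, PERCENT_BANNER);
    return strcmp(a, "220 100% uptime") == 0 &&
           strcmp(b, "220 100%% uptime") == 0;
}

int main(void)
{
    char buf[128];
    print_banner_safe(buf, sizeof buf, HOSTILE_BANNER);
    printf("safe path  : %s\n", buf);
    printf("directives : benign=%d percent=%d hostile=%d\n",
           count_arg_directives(BENIGN_BANNER),
           count_arg_directives(PERCENT_BANNER),
           count_arg_directives(HOSTILE_BANNER));
    printf("unsafe path interprets banner: %s\n",
           unsafe_path_interprets_banner() ? "yes" : "no");
    return 0;
}
```

The check in `count_arg_directives` is a mitigation for code you cannot fix, not a substitute for the "%s" fix: the real remedy is never letting peer-supplied bytes reach the format argument, which is what version 1.14 is stated to correct.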
SOLUTION
Get version 1.14 online:
http://www.foundstone.com/knowledge/proddesc/fscan.html