Bugtraq mailing list archives

Re: ISS Internet Scanner Cannot be relied upon for conclusive


From: adam () HOMEPORT ORG (Adam Shostack)
Date: Wed, 10 Feb 1999 23:44:18 -0500


On Tue, Feb 09, 1999 at 10:06:16AM -0500, der Mouse wrote:
| >> [...] the old ioslogon bug [...ISS didn't find it...]
|
| > [...response from someone who writes as if on behalf of ISS's makers;
| > I can't recall whether mindspring.com is the ISS people or not...]

David is with ISS, I'm with Netect.  I post from homeport because
that's where I've been subscribed to bugtraq, and because these
opinions are not those of my employer.

| If ISS claims to check for the ioslogon bug, but actually checks (by
| whatever means) for software versions known to have that bug, the claim
| is a lie.  If you claim to check for the ioslogon bug, then that's what
| you should do: try to exploit it and see if it works.  Who knows, maybe
| there's another vulnerable version out there, or perhaps some
| supposedly vulnerable versions don't happen to be vulnerable after all.

        Unfortunately, it's not that simple in many cases.  Let's look
at majordomo's reply-to bug as an example.  You send mail to
majordomo, with a reply-to address in backticks.  Majordomo helpfully
runs the command for you.  Simply doing this and seeing if it works is
not easy; the command is queued through mail for running later.  How
long should a scanner wait for a response?

        IOS is actually a cleaner case than many; if you have a cisco,
it's either vulnerable or not; the IOS version, if you can get it,
tells you if the machine is vulnerable with a fair degree of
reliability.  The alternative, which is to ask the admin to enter all
their admin passwords so that the scanner can log in and check things
precisely, makes the scanner host a very fat and attractive target.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
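
[Editor's added example, not part of Adam's post and not code from ISS
Internet Scanner, Netect or Majordomo.  It models the two scanner
situations the post contrasts: a probe whose payload is queued for later
(the Majordomo reply-to case), where silence before the deadline must be
reported as "unconfirmed" rather than "not vulnerable", and a
version-only inference (the IOS case), which is labelled as inference
rather than an observed result.  The target is a constructed simulation
(a timer that fires the callback after a delay); the Verdict names, the
token-based callback registry and the caller-supplied vulnerable-version
predicate are all assumptions of the example, and no real version
numbers are encoded.]

```python
"""Scanner verdicts with an out-of-band probe deadline.

Added example, not part of the original post and not ISS, Netect or
Majordomo code. The target is a constructed simulation; Verdict names
and the vulnerable-version predicate are assumptions.
"""
import enum
import threading
import time
import uuid


class Verdict(enum.Enum):
    VULNERABLE = "vulnerable"              # exploit observed to work
    NOT_VULNERABLE = "not vulnerable"      # exploit observed to fail, synchronously
    VERSION_MATCH = "version match"        # inferred from a version string only
    VERSION_NO_MATCH = "version no match"  # inferred from a version string only
    UNCONFIRMED = "unconfirmed"            # no evidence either way (yet)


class CallbackRegistry:
    """Where an out-of-band payload phones home (a listener, a mailbox...)."""

    def __init__(self):
        self._seen = set()
        self._lock = threading.Lock()

    def record(self, token):
        with self._lock:
            self._seen.add(token)

    def seen(self, token):
        with self._lock:
            return token in self._seen


def simulated_queued_target(registry, token, delay_s):
    """Constructed stand-in for a target that runs the payload later,
    e.g. on the next mail queue run. Returns the timer so a caller can
    cancel it."""
    timer = threading.Timer(delay_s, registry.record, args=(token,))
    timer.daemon = True
    timer.start()
    return timer


def probe_with_deadline(send_probe, registry, deadline_s, poll_s=0.01):
    """Send a probe carrying a unique token and wait up to deadline_s for
    it to phone home. A callback proves VULNERABLE; silence proves nothing,
    so the verdict is UNCONFIRMED, never NOT_VULNERABLE."""
    token = uuid.uuid4().hex
    send_probe(token)
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        if registry.seen(token):
            return Verdict.VULNERABLE
        time.sleep(poll_s)
    return Verdict.UNCONFIRMED


def version_inference(version, is_vulnerable_version):
    """The IOS-style check: decide from a version string alone, and say so
    in the verdict. is_vulnerable_version is an assumed predicate supplied
    by the caller; no real version ranges are encoded here."""
    if not version:
        return Verdict.UNCONFIRMED
    if is_vulnerable_version(version):
        return Verdict.VERSION_MATCH
    return Verdict.VERSION_NO_MATCH


if __name__ == "__main__":
    reg = CallbackRegistry()
    fast = probe_with_deadline(lambda t: simulated_queued_target(reg, t, 0.05),
                               reg, deadline_s=1.0)
    slow = probe_with_deadline(lambda t: simulated_queued_target(reg, t, 5.0),
                               reg, deadline_s=0.2)
    print("payload ran within deadline:", fast.value)
    print("payload still queued at deadline:", slow.value)
    # Constructed version strings; the predicate is a placeholder, not a real range.
    print("banner-only check:",
          version_inference("example-1", lambda v: v == "example-1").value)
```

A scanner that folds UNCONFIRMED into "clean" is exactly the false
negative the thread is about; keeping the inferred verdicts apart from
the observed ones also lets a report say which checks were version
guesses and which were exercised.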
