Bugtraq mailing list archives

Re: ISS Internet Scanner Brute Force Bug


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Thu, 18 Feb 1999 17:26:49 -0500


At 11:54 PM 2/17/99 PST, alexander tampermeier wrote:
> The Internet Scanner lets you brute force by using username/password
> pairs specified in the file default.login. I specified a known
> username/password pair but the scanner could not log in.
> The reason is that the Internet Scanner needs a carriage return after
> the last username/password pair. If it finds just an EOF marker then the
> password gets modified by adding an additional character.
> For example the password test is modified to testo.

I believe I fixed this several revisions ago.  Although this may be
_BUG_TRAQ, the best place to report bugs in the scanner is to
support () iss net.  I'd suggest that you use vi, notepad, or some reasonable
text editor in the meantime.  Just what text editor are you using?

In fact, I know I fixed this quite a while back, because I remember clearly
having to use VC++'s editor in binary mode to be able to produce a file
which would cause this problem.  If you're running a recent version of the
scanner, please report which version to support () iss net, and I'm sure we'll
get it fixed.


David LeBlanc
dleblanc () mindspring com
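The failure mode discussed in this thread, a final username/password pair that ends at EOF with no line terminator, shown with a reader that tolerates it. This is an added example, not part of the original message and not ISS code; the "username password" line layout and the names parse_creds and struct cred are assumptions, since the thread does not show the format of default.login.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 64   /* assumed field limit, terminator included */

struct cred { char user[MAX_FIELD]; char pass[MAX_FIELD]; };

/* Parse "user password" lines from a NUL-terminated buffer into out[].
   Returns the number of pairs stored. A line ends at CR, LF, or the end
   of the data, so the last pair is read the same way with or without a
   trailing newline and nothing is ever appended to the password. */
size_t parse_creds(const char *buf, struct cred *out, size_t max)
{
    size_t n = 0;
    while (*buf != '\0' && n < max) {
        size_t len  = strcspn(buf, "\r\n");      /* whole line */
        size_t ulen = strcspn(buf, " \t\r\n");   /* username field */
        const char *p = buf + ulen;
        p += strspn(p, " \t");                   /* separator */
        size_t plen = strcspn(p, " \t\r\n");     /* password field */
        /* Accept only two bounded fields that fill the line exactly;
           overlong or malformed lines are skipped, never truncated. */
        if (ulen > 0 && ulen < MAX_FIELD && plen > 0 && plen < MAX_FIELD
            && p + plen == buf + len) {
            memcpy(out[n].user, buf, ulen); out[n].user[ulen] = '\0';
            memcpy(out[n].pass, p, plen);   out[n].pass[plen] = '\0';
            n++;
        }
        buf += len;
        buf += strspn(buf, "\r\n");              /* skip terminator, if any */
    }
    return n;
}

int main(void)
{
    struct cred c[4];
    /* Constructed sample: the second pair ends at EOF with no CR/LF. */
    size_t n = parse_creds("admin admin\r\nguest test", c, 4);
    for (size_t i = 0; i < n; i++)
        printf("[%s] [%s]\n", c[i].user, c[i].pass);
    return 0;
}
```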


