Penetration Testing mailing list archives

RE: Cybercop scanner returning false positive? IPP overflow on IIS4


From: "Marc Maiffret" <marc () eeye com>
Date: Sun, 27 May 2001 02:12:48 -0700

Retina 3.5 beta is smart enough to test for the IPP overflow by using a
certain buffer size which returns differently on patched/unpatched systems,
so we can tell remotely whether a system is vulnerable or not without
having to crash the service.

I forget the exact buffer size we send but I am sure someone can sniff
retina and figure it out.

If anyone has problems with Retina 3.5 detecting the IPP overflow correctly
then send me an email personally and we will make sure to work to fix it
ASAP!

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall

| -----Original Message-----
| From: Max Vision [mailto:vision () whitehats com]
| Sent: Friday, May 25, 2001 2:45 PM
| To: PEN-TEST () securityfocus com; Colin_Kushnier () TD COM
| Subject: Re: Cybercop scanner returning false positive? IPP overflow on
| IIS4
|
|
| Hi,
|
| This may be the same issue that was raised by Paul Cardon <paul () moquijo com> on
| Bugtraq a few weeks ago.  He wasn't talking about Cybercop in particular,
| but it is likely that they suffer from the same failed testing
| methodology.
|
| Cybercop sends a "host:" overflow of 420 "A" characters (someone there has
| a sense of humor:) which is sufficiently long to trigger the overflow.
| However it may be too long, causing the server to stop responding.  The
| proposed solution is to send just slightly over the trigger threshold that
| causes a patched server to not respond (>256 characters) yet not overflow
| the buffer.  ipptest.pl sends 257 bytes. webexplt.pl sends 430 bytes.
|
| Paul's summary was:
| - If no response is returned the system has been patched.
| - If a 500 error is returned the server is unpatched.
| - If a 404 error is returned the .printer mapping has been removed.
|
| So Cybercop's new module 10091 (in mod10000.dll) is probably using the
| "no-response" method of testing and sending too long of a string.  I don't
| want to publicly reverse engineer what they are doing (ahem) so I can only
| offer my guess.
|
| I do not know why the tests would come back differently in your two
| environments though.
|
| I have packet captures of the Cybercop test if anyone is interested.
|
| Max Vision
| http://whitehats.com/
|
| On Fri, 25 May 2001 Colin_Kushnier () TD COM wrote:
| > I have a question regarding the behavior of module 10091 (newly released in
| > update 5.5-200106?) in Cybercop 5.5 on NT4.
| >
| > While scanning a group of IIS4.0 servers in one environment, this module, which
| > checks for the IIS IPP ISAPI extension buffer overflow of Microsoft bulletin
| > <http://www.microsoft.com/technet/security/bulletin/MS01-023.asp> returns
| > positive. According to the bulletin and my understanding of the
| > vulnerability, it affects IIS5.0 only.
| > Scanning IIS4.0 servers in a different environment returns no results for
| > this module, i.e. false.
| >
| > I haven't yet contacted NAI, I was wondering if anyone has seen similar
| > results...
| >
| > Thanks,
| >
| > Colin

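[Archive editor's note: the length-based check that Paul Cardon and Max Vision describe above, reconstructed as a worked example. This is added code, not ipptest.pl, webexplt.pl, Cybercop module 10091 or Retina's own test. The thread fixes only the Host: length (257 bytes, just over the 256-byte threshold) and the three response outcomes; the request path /NULL.printer, the "A" filler byte and the socket handling are assumptions made here.]

```python
import socket

# Buffer length taken from the thread: ipptest.pl sends 257 bytes, just over
# the 256-byte threshold at which a patched IIS 5.0 stops responding.
HOST_HEADER_LEN = 257

# Assumptions for this example (the thread does not specify them): the
# request path that reaches the .printer ISAPI mapping and the filler byte.
PRINTER_PATH = "/NULL.printer"
FILLER = b"A"


def build_request(host_len=HOST_HEADER_LEN, path=PRINTER_PATH):
    """Return the raw HTTP/1.0 request carrying a Host: value of host_len bytes."""
    return (
        b"GET " + path.encode("ascii") + b" HTTP/1.0\r\n"
        + b"Host: " + FILLER * host_len + b"\r\n"
        + b"\r\n"
    )


def status_code(response):
    """Extract the numeric status code from a raw HTTP response, or None."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(response):
    """Map a raw response (None or empty when the server never answered) onto
    the three outcomes Paul Cardon listed: no response = patched,
    500 = unpatched, 404 = .printer mapping removed."""
    if not response:
        return "patched"
    code = status_code(response)
    if code == 500:
        return "unpatched"
    if code == 404:
        return "mapping-removed"
    return "unknown"


def probe(host, port=80, timeout=10.0, host_len=HOST_HEADER_LEN):
    """Send the probe to a live server and return (classification, raw_response).

    A read timeout is treated as 'no response'; a connection failure is
    reported separately so it is not mistaken for a patched server.
    """
    request = build_request(host_len)
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            try:
                while True:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # server accepted the request but never answered
    except OSError as exc:
        return "unreachable", str(exc).encode("ascii", "replace")
    response = b"".join(chunks)
    return classify(response), response


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, raw = probe(target)
    print(f"{target}: {verdict} ({raw[:60]!r})")
```

Two caveats a tester should keep in mind: the "no response" outcome is indistinguishable from a firewall drop or a slow server, so confirm the host answers an ordinary request first (the probe above reports connection failures as "unreachable" for that reason); and the outcomes only carry the meaning Paul gave them on an IIS 5.0 server with the .printer mapping present, which is exactly why a positive against IIS 4.0, as in the original question, deserves a second look rather than a report entry.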