26th Sep 2002 [SBWID-5298]
COMMAND
	Foundstone Fscan banner remote format string overflow
SYSTEMS AFFECTED
	Foundstone Fscan 1.12 for Windows
PROBLEM
	From Peter Gründl's [[email protected]] KPMG Denmark advisory [ID 2002014]:
	If banner grabbing is turned on, Fscan will print the banner string
	directly instead of using format specifiers (%s). This will cause any
	%'s in the banner to be interpreted as format specifiers.
	This issue is probably best clarified using a worst case scenario:
	
	- Attacker has taken over a host on a network.
	- Attacker has set up a service on "his" host that returns a
	  malformed banner.
	- Admin uses Fscan to sweep his network on a regular basis.
	- Admin scans Attacker's PC with banner grabbing on to check for
	  abnormal services.
	- When Admin scans the malicious service, his Fscan is "attacked".
	- Attacker has now overwritten the stack and the EIP on Admin's
	  own PC in the security context Admin was using when he was
	  scanning.
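	The defect above is the classic "banner used as the format string" pattern. The following C program is an added illustration for this page, not Fscan's code: it shows the hardened reporting call (the banner passed as data to a fixed "%s" format), a sanitiser that strips non-printable bytes before the banner is logged, and a small check that counts '%' conversion sequences so a scanner or log pipeline can flag a banner that would have been dangerous to a format-string-vulnerable client. The banners, host name and port are constructed sample values; the vulnerable call is shown only in a comment.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample banners standing in for what a scanner receives. */
static const char BENIGN_BANNER[]  = "220 mail.example.test ESMTP ready";
static const char HOSTILE_BANNER[] = "%x %x %x %n";   /* constructed, hypothetical */

/* Count '%' conversion sequences in an untrusted banner. "%%" is a literal
 * percent sign and is not counted. A non-zero result is a good reason to
 * log the source host and treat the banner as suspicious. */
int banner_format_risk(const char *banner)
{
    int risk = 0;
    for (const char *p = banner; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%', skip both */
            p++;
            continue;
        }
        risk++;
    }
    return risk;
}

/* Copy the banner into out, replacing bytes that are not printable ASCII
 * with '.', truncating to outlen-1 bytes plus a terminator.
 * Returns the number of bytes written (excluding the terminator). */
size_t sanitize_banner(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (; in[n] != '\0' && n + 1 < outlen; n++) {
        unsigned char c = (unsigned char)in[n];
        out[n] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[n] = '\0';
    return n;
}

/* Hardened report: the banner is an ARGUMENT to a fixed "%s" format, so a
 * '%' inside it is printed literally. The pattern the advisory describes
 * is the opposite:
 *     printf(banner);          // banner used AS the format string: vulnerable
 *     printf("%s", banner);    // banner used as data: safe
 * Returns the number of characters printed (printf's return value). */
int report_banner(const char *host, int port, const char *banner)
{
    char clean[256];
    sanitize_banner(banner, clean, sizeof clean);
    return printf("%s:%d  %s\n", host, port, clean);
}

int main(void)
{
    /* "198.51.100.10" is a documentation address, used here as a sample host. */
    report_banner("198.51.100.10", 25, BENIGN_BANNER);
    report_banner("198.51.100.10", 25, HOSTILE_BANNER);   /* printed, not interpreted */
    printf("format-string risk of hostile banner: %d\n",
           banner_format_risk(HOSTILE_BANNER));
    return 0;
}
```

	Running it prints the hostile banner verbatim (the "%x %x %x %n" text appears on screen, unexpanded) and reports a risk count of 4; the same banner handed to the vulnerable form would instead be parsed as a format string, which is the condition the advisory describes.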
	
SOLUTION
	Get version 1.14 online:
	
	http://www.foundstone.com/knowledge/proddesc/fscan.html