26th Sep 2002 [SBWID-5321]
COMMAND
	Format string vulnerability in FScan
SYSTEMS AFFECTED
	FScan 1.12
PROBLEM
	Foundstone Advisory [http://www.foundstone.com/advisories.htm]
	 Background
	 --------------------------------------
	FScan is a free, unsupported TCP/UDP port scanning and banner grabbing
	tool for Windows, available for download from Foundstone; the last
	version (1.12) was released in August of 2000. FScan should not be
	confused with Foundstone's commercially available enterprise
	vulnerability management software, FoundScan, which is unaffected by
	this issue.
	 Problem Description
	 --------------------------------------
	Using FScan with banner grabbing selected via the -b command line switch
	could cause a problem if the banner received from the remote host
	contained C-style printf format specifiers, i.e. percent symbols that
	matched string or numeric format specifiers such as "%s" or "%d".
	When banner output to the command line is performed, the received data
	is placed in a stack buffer, replacing non-printable characters with
	2-digit HEX equivalents (this has been changed in version 1.14 to show
	just dots '.' for non-printable characters). After the output string
	had been constructed, a call to the "OutPrintf" function was made to
	display the string. OutPrintf is defined as a variable parameter type
	function in the style of printf.
	
	#include <stdarg.h>
	#include <stdio.h>
	
	void OutPrintf(const char *fmt, ...)
	{
	    char szBuffer[2048];
	    va_list list;
	    va_start(list, fmt);
	    /* format the caller's arguments into a fixed-size stack buffer */
	    _vsnprintf(szBuffer, sizeof(szBuffer), fmt, list);
	    va_end(list);
	    // zero-terminate the string in case it exceeded the buffer size
	    szBuffer[sizeof(szBuffer) - 1] = '\0';
	    /* vulnerable: the formatted data is passed as the format string */
	    fprintf(ghOutputFile, szBuffer);
	    ...
	}
	
	The problem occurs on the last line shown, where the string in szBuffer
	is sent directly to fprintf without specifying a "%s" format
	specifier. If, for example, the string in szBuffer contains the
	characters "%d", then fprintf will expect to find a number on the stack
	to format in the output. The same would happen if "%s" was found, but in
	this case it would try to pull a zero-terminated string off the stack
	to format.
	The correct format for the fprintf command should have been:
	
	fprintf(ghOutputFile, "%s", szBuffer);
	
	to force the command to take szBuffer as a  literal  string  instead  of
	trying to parse format specifiers out of it.
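	The following is an added example (not Foundstone's code) showing the corrected pattern from the advisory in a form that can be checked offline: the hardened OutPrintf writes its result through a fixed "%s" format into a caller-supplied buffer instead of ghOutputFile, a banner renderer replaces non-printable bytes with dots as version 1.14 is described to do, and a small check flags untrusted data that still carries conversion specifiers. The function names, the standard vsnprintf in place of the Windows-specific _vsnprintf, and the sample banner are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened variant of the advisory's OutPrintf (added example, not Foundstone's
 * code). The formatted result is always emitted through a literal "%s" format,
 * so any '%' that arrived in the data is copied verbatim instead of being
 * interpreted. Output goes to a caller-supplied buffer rather than a file so
 * the behaviour can be asserted on without I/O. */
static int out_printf_safe(char *out, size_t outlen, const char *fmt, ...)
{
    char szBuffer[2048];
    va_list list;
    va_start(list, fmt);
    vsnprintf(szBuffer, sizeof(szBuffer), fmt, list);
    va_end(list);
    szBuffer[sizeof(szBuffer) - 1] = '\0';
    /* The one-line fix from the advisory: data is an argument, never the format. */
    return snprintf(out, outlen, "%s", szBuffer);
}

/* Render a received banner the way FScan 1.14 is described to: non-printable
 * bytes become '.', printable bytes are kept. '%' is printable and survives,
 * which is exactly why the "%s" fix above is still required. */
static void render_banner(const unsigned char *banner, size_t len,
                          char *out, size_t outlen)
{
    size_t i, j = 0;
    for (i = 0; i < len && j + 1 < outlen; i++)
        out[j++] = isprint(banner[i]) ? (char)banner[i] : '.';
    out[j] = '\0';
}

/* Defensive check for untrusted text: returns 1 if it contains a '%' that
 * would start a printf conversion (a doubled "%%" is a literal percent). */
static int contains_format_specifier(const char *s)
{
    const char *p = strchr(s, '%');
    while (p) {
        if (p[1] == '%')
            p = strchr(p + 2, '%');   /* escaped percent, keep scanning */
        else if (p[1] == '\0')
            return 0;                 /* trailing '%' with nothing after it */
        else
            return 1;
    }
    return 0;
}

/* End-to-end demonstration on a constructed banner; returns 1 when the
 * hostile specifiers come out of the safe path unchanged. */
static int demo(void)
{
    /* constructed sample banner, not captured from any real host */
    const char *raw = "220 mail %d %s %n ready\r\n";
    char rendered[128], line[256];
    render_banner((const unsigned char *)raw, strlen(raw), rendered, sizeof rendered);
    out_printf_safe(line, sizeof line, "Banner: %s\n", rendered);
    return strcmp(line, "Banner: 220 mail %d %s %n ready..\n") == 0;
}

int main(void)
{
    const char *raw = "220 mail %d %s %n ready\r\n";
    char rendered[128], line[256];
    render_banner((const unsigned char *)raw, strlen(raw), rendered, sizeof rendered);
    out_printf_safe(line, sizeof line, "Banner: %s\n", rendered);
    fputs(line, stdout);
    printf("specifiers present in banner: %d\n", contains_format_specifier(rendered));
    return demo() ? 0 : 1;
}
```

	The point of the check function is detection rather than sanitisation: the safe output path already neutralises the specifiers, so a logger that flags banners containing them gives the operator a signal that a remote host is probing the scanner without changing what is printed.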
	 Impact
	 --------------------------------------
	An attacker could set up a service with a banner that contained exploit
	code to execute a format string overflow against the fscan.exe process
	on the scanning machine and possibly gain the privileges of the user
	conducting the scan.
SOLUTION
	Upgrade to FScan 1.14. FScan 1.14 is now available for download at
	
	http://www.foundstone.com/knowledge/zips/fscan114.zip
	
	
	 Credit
	 --------------------------------------
	Foundstone would like to thank Peter Gründl [email protected] for bringing
	this issue to our attention.
	 Disclaimer
	 --------------------------------------
	The information contained in this advisory is the Copyright(c) 2002 of
	Foundstone, Inc. and believed to be accurate at the time of printing, but
	no representation or warranty is given, express or implied, as to its
	accuracy or completeness. Neither the author nor the publisher accepts
	any liability whatsoever for any direct, indirect or consequential loss
	or damage arising in any way from any use of, or reliance placed on,
	this information for any purpose. This advisory may be redistributed
	provided that no fee is assigned and that the advisory is not modified
	in any way.