From: Carsten Kiess (mail@carstenkiess.de)
To: mailinglist full-disclosure (full-disclosure@lists.netsys.com)
Date: Fri, 15 Aug 2003 17:22:01 +0200
Subject: [Full-Disclosure] Microsoft Scanning Tool, Parameterhandling

Hello,

anyone already used the Scanning Tool from MS?
( http://www.microsoft.com/downloads/details.aspx?FamilyID=c8f04c6c-b71b-4992-91f1-aaa785e709da&DisplayLang=en )

a) The download has the same name as the patch, minor but may be irritating and
b) it seems to reverse the input parameters (see below) and
c) can maybe somebody explain why it scans an IP-Range which is not in the specified bounds in either case?

Specification is:

Targets can take any of the following forms:
    a.b.c.d           - IP address
    a.b.c.d-i.j.k.l   - IP address range
    a.b.c.d/mask      - IP address with CIDR mask
    host              - unqualified hostname
    host.domain.com   - fully-qualified domain name
    localhost         - check local machine

What it actually does is:

C:\Programme\KB823980Scan>kb823980scan 213.196.135.1-213.169.135.2   <=== Input Parms 1

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 213.169.135.2 - 213.196.135.1   <=== That's what it takes for scanning ....
213.169.135.42: connection to tcp/135 refused   <=== These are the results for try 1
213.169.135.87: connection to tcp/135 refused
213.169.135.84: connection to tcp/135 refused
213.169.135.81: connection to tcp/135 refused
213.169.135.85: connection to tcp/135 refused
213.169.135.82: connection to tcp/135 refused
213.169.135.86: connection to tcp/135 refused
^C

C:\Programme\KB823980Scan>kb823980scan 213.196.135.2-213.169.135.1   <=== Input Parms 1

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 213.169.135.1 - 213.196.135.2   <=== That's what it takes for scanning ....
213.169.135.42: connection to tcp/135 refused   <=== These are the results for try 1
213.169.135.85: connection to tcp/135 refused
213.169.135.82: connection to tcp/135 refused
213.169.135.86: connection to tcp/135 refused
213.169.135.87: connection to tcp/135 refused
213.169.135.84: connection to tcp/135 refused
213.169.135.81: connection to tcp/135 refused
^C

C:\Programme\KB823980Scan>

and d) a log-file did not show up in the current directory as documented (not on the html-page supplied but as pgm-help when calling w/o parms), but maybe it must be explicitly requested ...

Did I get something wrong? Nervous, tense, tired?

And last:

"Targets can be specified on the command line & in user-specified input files. ... kb823980scan will create a list of vulnerable systems (unpatched as well as those with KB823980 installed) in the current working directory. This file should be fed as input to the autopatching script that you write. This file will be named "Vulnerable.txt" by default. Its name can be changed with the /o switch."

Hm. Could be used the other way round ... Has anybody ever heard of "speeding up" a worm? Somebody who could be interested to "sideattack" a specific site?

Carsten
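
Added example (not part of the original post and not Microsoft's code): a strict parser for the three numeric target forms quoted above. It rejects a range whose first bound is higher than its second instead of reordering it, and reports how many addresses a range covers before anything is scanned. The function names and the MAX_HOSTS cap are assumptions made for this illustration; hostname targets are out of scope.

```python
import ipaddress

MAX_HOSTS = 65536  # assumed safety cap for this example, not a scanner setting


def parse_target(spec, allow_reversed=False):
    """Return (first, last) IPv4Address for a.b.c.d, a.b.c.d-i.j.k.l or a.b.c.d/mask."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts a host address with a mask, e.g. 192.0.2.7/24
        net = ipaddress.IPv4Network(spec, strict=False)
        return net[0], net[-1]
    if "-" in spec:
        first_s, last_s = spec.split("-", 1)
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        if first > last:
            if not allow_reversed:
                raise ValueError(f"reversed range: {first} is above {last}")
            first, last = last, first  # reorder only when explicitly requested
        return first, last
    addr = ipaddress.IPv4Address(spec)  # raises ValueError for anything else
    return addr, addr


def plan_scan(spec, allow_reversed=False, max_hosts=MAX_HOSTS):
    """Return (first, last, count) as (str, str, int); refuse oversized ranges."""
    first, last = parse_target(spec, allow_reversed)
    count = int(last) - int(first) + 1
    if count > max_hosts:
        raise ValueError(f"{spec}: {count} addresses exceeds cap of {max_hosts}")
    return str(first), str(last), count


if __name__ == "__main__":
    # Constructed inputs: the two ranges typed in the post plus a documentation /24.
    for spec in ("213.196.135.1-213.169.135.2", "213.196.135.2-213.169.135.1", "192.0.2.0/24"):
        for allow in (False, True):
            try:
                print(spec, allow, plan_scan(spec, allow, max_hosts=2**32))
            except ValueError as exc:
                print(spec, allow, "rejected:", exc)
```

With reordering allowed, the first range typed in the post covers 1,769,472 addresses, which is why the size check runs before any connection attempt.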