| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Nov 2008 09:18:17 +1100 From: Fionnbharr <thouth@...il.com> To: "Adrian P" <unknown.pentester@...il.com> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day Sure, this attack vector has been 'discovered' by lots of people in the past, or even concurrently, thats my point. It doesn't merit a whole paper on it. Not to mention you're getting on the FUD/Kaminsky bandwagon when GNUtards release a statement like 'New technique to universally hijack websites', trying to get some media attention for something everyone else already knew. re: the bluecoat vuln, if you read my post I just said it was a recent (or as you might put it, *recent*) example of this type of vulnerability. I've this sort of vuln myself with client software and so has a number of other people I know. Glad to see the majority of your email is completely irrelevant. 2008/11/1 Adrian P <unknown.pentester@...il.com>: > Hello Fionnbharr, > > Please see my response to your comments in-line. > > On Fri, Oct 31, 2008 at 8:31 AM, Fionnbharr <thouth@...il.com> wrote: >> This isn't new. It isn't even a technique. >> >> http://www.bluecoat.com/support/securityadvisories/icap_patience >> >> A very recent example of this kind of vulnerability. My god you >> gnucitizen people are retarded. At least you didn't give it a >> ridiculous name like 'clickjacking'. Can you GNUtards please keep your >> 'research' into subjects people already know to yourself or at least >> not post it the lists, then at least I won't have to see it. > > That Bluecoat advisory was released on 29 September 2008. What makes > you think that I did not discover the SonicWALL vulnerability/vector > and reported it to ZDI *way before* that date? Well, FYI I reported it > to ZDI in June 2008 and discovered it even before. > > At least, you should consider the possibility of the attack vector > being discovered by two researchers concurrently. It can take quite a > few months before the vendor provides a patch, not to mention that > SonicWALL was VERY slow to confirm the vulnerability. > > Don't you know that responsible disclosure means that the details of a > vulnerability can be held for quite a while before being released to > the public? Since when the publishing date of an advisory is equal to > discovery date? > > Furthermore, it appears that Bluecoat only released their advisory > *after* the researcher jplopezy made his advisory public, which could > suggest that he did NOT inform the vendor before releasing the > details: > > http://www.securityfocus.com/archive/1/496940/30/0/threaded > > It's also interesting that the researcher released the advisory > (bugtraq post) one day *after* I published the general description of > the attack: > > June 25th, 2008. > ZDI forwards my findings to SonicWALL (see "Disclosure Timeline"): > http://www.zerodayinitiative.com/advisories/ZDI-08-070/ > > September 20th, 2008. > I publish the general description of the attack: > http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/ > > September 21th, 2008. > Researcher jplopezy finds the same attack vector on BlueCoat's web filter: > http://www.securityfocus.com/archive/1/496577/30/0/threaded > > Notice jplopezy published the bugtraq post *one day after* I published > the general attack description on GNUCITIZEN. Interesting? > > Please do your homework before many any accusations. > >> >> Also "Malaysia: Cracking into Embedded Devices and Beyond!", who the >> fuck uses the word 'cracking' instead of 'hacking' in 2008? Sure for >> cracking passwords, but wow. > > Can't you accept the idea some some of us still consider hacking and > breaking into a system not necessarily the same thing? > > Regards, > ap. > >> >> 2008/10/31 Adrian P <unknown.pentester@...il.com>: >>> Hello folks, >>> >>> Yesterday, I presented for the first time [1] a new method to perform >>> universal website hijacking by exploiting content filtering features >>> commonly supported by corporate firewalls. I briefly discussed [2] the >>> finding on GNUCITIZEN in the past without giving away the details, but >>> rather mentioning what the attacker can do and some characteristics of >>> the attack. >>> >>> Anyway, I'm now releasing full details on how the technique works, and >>> a real 0day example against SonicWALL firewalls. >>> >>> The paper can be found on the GNUCITIZEN labs site. Please let me know >>> if you can successfully use the same technique against firewalls by >>> other vendors: >>> >>> http://sites.google.com/a/gnucitizen.org/lab/research-papers >>> >>> Finally, I'd like to thank Zero Day Initiative [3] for their great >>> work and the Hack in the Box crew for organizing such a fine event! >>> >>> Regards, >>> ap. >>> >>> REFERENCES >>> >>> [1] "HITBSecConf2008 - Malaysia: Cracking into Embedded Devices and Beyond!" >>> http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=186 >>> >>> [2] "New technique to perform universal website hijacking" >>> http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/ >>> >>> [3] "SonicWALL Content-Filtering Universal Script Injection Vulnerability" >>> http://www.zerodayinitiative.com/advisories/ZDI-08-070/ >>> >>> -- >>> Adrian "pagvac" Pastor | GNUCITIZEN >>> gnucitizen.org >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >
Powered by blists - more mailing lists