Open Source and information security mailing list archives
From: joeypork at hushmail.com (joeypork@...hmail.com)
Subject: Snort and SourceFire "Backdoored"

I guess now that we have this incident validated as positively true from the main Snort/SourceFire IT person, it lends a lot of credibility to the Snort/SourceFire "backdoor" rumor.

There have been lots of rumors on IRC that a few months ago, some of the PHC guys were able to compromise the snort CVS tree. Instead of creating a traditional backdoor in Snort/SourceFire (simply opening a rootshell on a specific port) they changed a lot of the code to introduce buffer overflows that didn't exist previously, and could be exploited at a later point in time. They changed a lot of the code to include strcpys where there were strncpys and such. This is a lot less noticeable than PHC's other open source security project trojan code inserts, such as the libpcap, dsniff, and sendmail compromises.

Brian Caswell has said that Sourcefire did a major code audit after discovering this compromise, which I think is very cool of them. Code audits can be very expensive, and I'm sure SourceFire footed the bill.

But, the question remains, how long were all of us exposed? And, why did we learn of all this from blackhats releasing a fake phrack, rather than from Snort/SourceFire? I find it highly disturbing that this is how the whole incident unfolded, as many Snort team members have ragged on the industry practice of hiding major security incidents in the past. Don't we Snort users have the right to know if our code has been trojaned and Snort/Sourcefire compromised? Maybe not, but the paying customers of SourceFire for sure do.
Joey

On Sun, 21 Sep 2003 02:08:15 -0700 Brian <bmc@...rt.org> wrote:
>On Sat, Sep 20, 2003 at 10:46:14PM -0700, joeypork@...hmail.com wrote:
>> Hey, has anyone else seen this:
>>
>> http://www.phrack.nl/phrack62/p62-0x0d.txt
>>
>> It looks like the PHC folks are at it again, the above is an article
>> on "sneeze", a new script that will generate traffic to trigger on every
>> snort rule.
>>
>> Also, appended to the end of the article is the home dirs of everyone
>> at Sourcefire/Snort. You can see what is in Marty's directory, etc. Go
>> check it out.
>
>Yes, this was a LONG time ago. Note that ALL of the date timestamps are
>dashed out. Gee, I wonder why. As well as normal incident response,
>the entire snort team did a major audit of snort at that time for anything
>injected.
>
>BTW, for those of you wanting the original sneeze, it's still available
>online at http://snort.sourceforge.net/sneeze-1.0.tar
>
>-brian
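The audit Brian mentions and the strncpy-to-strcpy swap Joey describes both come down to finding unbounded string copies in C source and noticing when a revision introduces new ones. The following Python script is an added example, not code from this thread or from the Snort/Sourcefire project. It scans C source text for calls to unbounded copy functions, ignoring mentions inside comments and string literals so that prose and debug output do not produce false hits, and compares two revisions so that newly introduced calls stand out. The two C snippets embedded in it are constructed samples, and the list of flagged functions and their suggested bounded replacements are assumptions chosen for the example.

```python
import re
from collections import Counter

# Unbounded C string functions the audit flags, with the bounded form to review
# against. The list and the suggestions are assumptions for this example.
UNBOUNDED = {
    "strcpy": "strncpy/strlcpy with the destination size",
    "strcat": "strncat/strlcat with the remaining space",
    "sprintf": "snprintf with the destination size",
    "vsprintf": "vsnprintf with the destination size",
    "gets": "fgets with the buffer size",
}

# \b keeps my_strcpy( and fgets( from matching; strncpy( never contains "strcpy".
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED) + r")\s*\(")

# Block comments, line comments, string and char literals, matched in one pass
# so the leftmost token wins and a quote inside a comment cannot confuse us.
TOKEN_RE = re.compile(
    r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""", re.S
)


def sanitize(src):
    """Blank out comments and literals, keeping newlines so line numbers survive."""
    return TOKEN_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def audit_unbounded_copies(src):
    """Return (line number, function, suggested bounded form) for each unbounded call."""
    findings = []
    for lineno, line in enumerate(sanitize(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), UNBOUNDED[m.group(1)]))
    return findings


def new_unbounded_calls(before_src, after_src):
    """Functions whose unbounded-call count grew between two revisions."""
    before = Counter(func for _, func, _ in audit_unbounded_copies(before_src))
    after = Counter(func for _, func, _ in audit_unbounded_copies(after_src))
    return {f: after[f] - before[f] for f in after if after[f] > before[f]}


# Constructed sample: the bounded copy as originally written.
BEFORE_SRC = r"""#include <string.h>

/* constructed sample: the bounded copy as originally written */
void set_name(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}
"""

# Constructed sample: the same function after an unreviewed "cleanup".
AFTER_SRC = r"""#include <stdio.h>
#include <string.h>

/* constructed sample: the same function after an unreviewed "cleanup" */
void set_name(char *dst, size_t dstlen, const char *src)
{
    strcpy(dst, src); /* was strncpy(dst, src, dstlen - 1) */
    puts("note: never use strcpy( here"); /* literal, must not be flagged */
    (void)dstlen;
}
"""

if __name__ == "__main__":
    for lineno, func, fix in audit_unbounded_copies(AFTER_SRC):
        print(f"line {lineno}: {func}() -> review against {fix}")
    print("new unbounded calls vs previous revision:",
          new_unbounded_calls(BEFORE_SRC, AFTER_SRC))
```

Comparing counts between two revisions, as new_unbounded_calls does, is the cheap first pass over a source tree whose history you no longer trust. A hit still needs a human to confirm whether the destination buffer can actually be overrun, and a clean report says nothing about bounded calls whose length argument is wrong, so this narrows the audit rather than replacing it.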