lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: thegusto22 at hotmail.com (Lance Gusto)
Subject: Multiple Backdoors found in eEye Products (IRIS
	and Secure


Hey Dave,


I cannot disclosed much information (based on request/threats made by 
certain organizations
whom may be involved) I am sure you can understand.

But we have tested Iris versions 3.0 and up ... As I previously stated it 
doesn't appear to
exist in the 2.x series of Iris.

I am not the main tester involved here, but I was told that there is some 
sort of clandestine
chaining mechanism to create the processes I believe. I will provide the 
"lists" I have sent this
too with more information as soon as some of the other testers involved come 
back from their
respective holiday breaks.


>From: Dave Aitel <dave@...unitysec.com>
>To: Lance Gusto <thegusto22@...mail.com>
>Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products 
>(IRIS and SecureIIS)
>Date: Wed, 29 Dec 2004 11:29:55 -0500
>
>
>>
>>
>>The SecureIIS Backdoor:
>>
>>The SecureIIS backdoor was alot easier to discover but very well
>>placed. The SecureIIS backdoor is triggered by a specifically
>>crafted HTTP HEAD request. Here is a incomplete layout of how
>>to exploit this:
>>
>
>Which version did you test? I'm not seeing it, or any intermodular calls to 
>CreateProcess in the DLL that it loads up.
>
>-dave
>
>
>>
>>HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>>
>>PORT - Will be the port to bind a shell.
>>ADDRESS - Address for priority binding (0 - For any).
>>
>>
>>[snip]
>>
>>
>>
>>Local Deduction:
>>
>>There are a two possiblilites here, either eEye's code has been
>>altered by some attacker or this has been sanctioned by the
>>company (or at least the developers were fully aware of this).
>>
>>
>>
>>Conclusion:
>>
>>It is very very shameful that a somewhat reputable like eEye is acting
>>in a very childish, unprofessional manner. I figure that is why the
>>code is closed source. There are several active exploits available that I
>>(the author of this advisory) didn't create floating around. The only
>>logical solution will be to not use the mentioned eEye products for the
>>time being or at least downgrade to the non-backdoored versions.
>>
>>We will be investigation eEye's Blink Product for any clandestine 
>>backdoors.
>>
>>_________________________________________________________________
>>FREE pop-up blocking with the new MSN Toolbar – get it now! 
>>http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ