Message-ID: <3ebca231.de77c9d1@s-mail.com>
From: mordred at s-mail.com (Sir Mordred)
Subject: @(#)Mordred Labs security notice - exploring the honeypot(s) in the wild
// @(#)Mordred Labs security notice 0x0003
Name: Exploring the honeypot(s) in the wild
Release date: May 10, 2003
Author: Sir Mordred (mordred@...ail.com)
I. INTRODUCTION
This is the second part of the security notice devoted to security companies.
Then why is it called "Exploring the honeypots in the wild"?
Well, it's simple: when I visited http://xfiw.iss.net and read:
<quote>
As a normal course of their research, the ISS X-Force places servers on the Internet to monitor hacker activity, propagation of Internet worms and to serve as targets for attack. These servers are known as honeypots. In some cases, honeypots are purposely left insecure and mis-configured. Some honeypots are "visible" to the public via web servers and web pages that are placed on the servers. All of ISS honeypots are constantly monitored by the X-Force to better understand widely used hacking tools and techniques, but also to identify new attack routines and vulnerabilities. Several X-Force personnel are members of the Honeynet Research Alliance.
</quote>
I laughed myself into fits, and because of this nice quote I decided to devote the whole notice to ISS.
After reading this notice you should clearly understand several important points:
1) all of the ISS public servers are honeypots (i.e. serve as targets for attack), which in all cases are "purposely left insecure and mis-configured"
2) not just several, but all of the X-Force personnel, including ISS tech personnel, including their admins/programmers, are members of the Honeypost Research Alliance, so the notice should make you think twice before acquiring ISS service, because you probably don't want your system to be just another honeypot on the net.
3) the notice will make some of the people look like assholes, sorry for that.
4) the notice will show what a security audit looks like, web app audit in particular, so I expect many security experts and pen-testers will be highly surprised when they hear that a security audit is not just nmaping/nessusing/whiskering the target system.
5) it seems that some ISS web developers never heard about the try { lame code here } catch(Throwable t) {} trick; maybe some Java tutorial like http://www.tutorialbooks.com/for_dummies_idiots_guides/subjects/java_tutorial.htm would be very helpful ... wait, what? ... damn, I forgot that this is a honeypot! and it is "purposely left insecure and mis-configured"...
As always, the format for vulnerabilities is:
<number>) [hostname, the company name]
quotes, comments (if exists)
* ISSUE <number> - description of the vulnerability
blank line
comments (if exists)
blank line
the url to demonstrate this vulnerability
blank line
the error message (if exists)
II. DETAILS
[ www.iss.net, Internet Security Systems Inc. ]
* ISSUE 1 - Multiple CSS vulnerabilities
I will not describe all of the CSS vulnerabilities here (there are too many of them), just one example.
http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=">[JAVASCRIPT]<"
* ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp
http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkkjdcgencfhidglgdgij.0&oid=1
Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason: cnt.get has no properties
* ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp
http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'
Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed, reason: eventlist has no properties
* ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml
https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid=s'
Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated
* ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml
https://www.iss.net/issEn/DLC/evalForm.jhtml?sid=s'
Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated
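As an added example (not part of the notice and not ISS code), here is a small response-leakage check that flags the three classes of leak shown above when reviewing an application's own error handling: a server-side script path in a verbose failure message, raw JDBC/Oracle error text, and request input reflected without HTML escaping. The sample bodies are constructed, modelled on the error text above; the marker value and page names are assumptions.

```python
import re
from html import escape

# Regexes for the leak classes shown in the notice: a script path inside a
# verbose "Script ... failed, reason:" message, and raw Oracle/JDBC errors.
PATH_DISCLOSURE = re.compile(r"Script (/\S+) failed, reason:")
SQL_ERROR = re.compile(r"java\.sql\.SQLException|ORA-\d{5}")


def find_leaks(marker: str, body: str) -> list:
    """Return (kind, evidence) tuples for one HTTP response body.

    marker is the harmless value that was sent in the request parameter;
    if it comes back byte-for-byte (not HTML-escaped), the page reflects
    input unencoded, which is the precondition for the reflected XSS above.
    """
    findings = []
    if m := PATH_DISCLOSURE.search(body):
        findings.append(("path_disclosure", m.group(1)))
    if m := SQL_ERROR.search(body):
        findings.append(("sql_error", m.group(0)))
    if marker and marker in body:
        findings.append(("reflected_unescaped", marker))
    return findings


# Constructed sample responses (hypothetical; not captured from live servers),
# modelled on the error messages quoted in the notice. "fixed.jsp" shows the
# hardened behaviour: the same input, HTML-escaped before it reaches the page.
MARKER = '"><zz-marker>'
SAMPLES = {
    "eventdetails.jsp": "Script /opt/bvvar/english/scripts/delivery/"
                        "eventdetails.jsp failed, reason: cnt.get has no properties",
    "EditInfo.jhtml": "Received an exception:\nError: SQLException "
                      "java.sql.SQLException: ORA-01756: quoted string not properly terminated",
    "eventscalendar.jsp": "<h1>Events for region " + MARKER + "</h1>",
    "fixed.jsp": "<h1>Events for region " + escape(MARKER, quote=True) + "</h1>",
}


def audit(samples: dict, marker: str = MARKER) -> dict:
    """Map each page name to its findings; an empty list means no leak found."""
    return {name: find_leaks(marker, body) for name, body in samples.items()}


if __name__ == "__main__":
    for page, hits in audit(SAMPLES).items():
        print(page, hits or "clean")
```

A generic error page (the catch(Throwable) the author mentions) plus parameterised queries and output encoding would leave every entry empty, which is the condition this check is meant to verify.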