[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY2-F347D60BC3A6AB7882C2046CC9B0@phx.gbl>
From: thegusto22 at hotmail.com (Lance Gusto)
Subject: Multiple Backdoors found in eEye Products (IRIS
and Secure
Hey Dave,
I cannot disclosed much information (based on request/threats made by
certain organizations
whom may be involved) I am sure you can understand.
But we have tested Iris versions 3.0 and up ... As I previously stated it
doesn't appear to
exist in the 2.x series of Iris.
I am not the main tester involved here, but I was told that there is some
sort of clandestine
chaining mechanism to create the processes I believe. I will provide the
"lists" I have sent this
too with more information as soon as some of the other testers involved come
back from their
respective holiday breaks.
>From: Dave Aitel <dave@...unitysec.com>
>To: Lance Gusto <thegusto22@...mail.com>
>Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products
>(IRIS and SecureIIS)
>Date: Wed, 29 Dec 2004 11:29:55 -0500
>
>
>>
>>
>>The SecureIIS Backdoor:
>>
>>The SecureIIS backdoor was alot easier to discover but very well
>>placed. The SecureIIS backdoor is triggered by a specifically
>>crafted HTTP HEAD request. Here is a incomplete layout of how
>>to exploit this:
>>
>
>Which version did you test? I'm not seeing it, or any intermodular calls to
>CreateProcess in the DLL that it loads up.
>
>-dave
>
>
>>
>>HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>>
>>PORT - Will be the port to bind a shell.
>>ADDRESS - Address for priority binding (0 - For any).
>>
>>
>>[snip]
>>
>>
>>
>>Local Deduction:
>>
>>There are a two possiblilites here, either eEye's code has been
>>altered by some attacker or this has been sanctioned by the
>>company (or at least the developers were fully aware of this).
>>
>>
>>
>>Conclusion:
>>
>>It is very very shameful that a somewhat reputable like eEye is acting
>>in a very childish, unprofessional manner. I figure that is why the
>>code is closed source. There are several active exploits available that I
>>(the author of this advisory) didn't create floating around. The only
>>logical solution will be to not use the mentioned eEye products for the
>>time being or at least downgrade to the non-backdoored versions.
>>
>>We will be investigation eEye's Blink Product for any clandestine
>>backdoors.
>>
>>_________________________________________________________________
>>FREE pop-up blocking with the new MSN Toolbar – get it now!
>>http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
Powered by blists - more mailing lists