Open Source and information security mailing list archives
Message-ID: <BAY2-F347D60BC3A6AB7882C2046CC9B0@phx.gbl>
From: thegusto22 at hotmail.com (Lance Gusto)
Subject: Multiple Backdoors found in eEye Products (IRIS and SecureIIS)

Hey Dave,

I cannot disclose much information (based on requests/threats made by certain organizations who may be involved); I am sure you can understand. But we have tested Iris versions 3.0 and up ... As I previously stated, it doesn't appear to exist in the 2.x series of Iris. I am not the main tester involved here, but I was told that there is some sort of clandestine chaining mechanism to create the processes, I believe. I will provide the "lists" I have sent this to with more information as soon as some of the other testers involved come back from their respective holiday breaks.

>From: Dave Aitel <dave@...unitysec.com>
>To: Lance Gusto <thegusto22@...mail.com>
>Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products
>(IRIS and SecureIIS)
>Date: Wed, 29 Dec 2004 11:29:55 -0500
>
>>The SecureIIS Backdoor:
>>
>>The SecureIIS backdoor was a lot easier to discover but very well
>>placed. The SecureIIS backdoor is triggered by a specifically
>>crafted HTTP HEAD request. Here is an incomplete layout of how
>>to exploit this:
>
>Which version did you test? I'm not seeing it, or any intermodular calls to
>CreateProcess in the DLL that it loads up.
>
>-dave
>
>>HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>>
>>PORT - Will be the port to bind a shell.
>>ADDRESS - Address for priority binding (0 - For any).
>>
>>[snip]
>>
>>Local Deduction:
>>
>>There are two possibilities here: either eEye's code has been
>>altered by some attacker or this has been sanctioned by the
>>company (or at least the developers were fully aware of this).
>>
>>Conclusion:
>>
>>It is very very shameful that a somewhat reputable like eEye is acting
>>in a very childish, unprofessional manner. I figure that is why the
>>code is closed source. There are several active exploits available that I
>>(the author of this advisory) didn't create floating around. The only
>>logical solution will be to not use the mentioned eEye products for the
>>time being or at least downgrade to the non-backdoored versions.
>>
>>We will be investigating eEye's Blink Product for any clandestine
>>backdoors.
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
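Turning the request shape quoted in the advisory into a web-log check, as an added example that is not code from the advisory or from eEye: the 24-byte constant was never disclosed on the list, so the pattern accepts any 24-character first path segment (an assumption), and the IIS-style log lines below are constructed.

```python
import re
from typing import Optional

# Heuristic matcher for the request shape quoted in the advisory:
#   HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
# The constant string is not on the list, so any 24-character first
# path segment is accepted (assumption). PORT must be a valid TCP port
# and ADDRESS either "0" (any) or a dotted-quad IPv4 address.
SUSPECT_PATH = re.compile(
    r"^/(?P<const>[^/\s]{24})/(?P<port>\d{1,5})_"
    r"(?P<addr>0|\d{1,3}(?:\.\d{1,3}){3})\.ASP$",
    re.IGNORECASE,
)

# Constructed sample lines in the shape of an IIS W3C extended log:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-12-29 11:30:01 10.0.0.5 GET /index.asp - 200
2004-12-29 11:30:07 10.0.0.9 HEAD /ABCDEFGHIJKLMNOPQRSTUVWX/4444_0.ASP - 404
2004-12-29 11:30:09 10.0.0.9 HEAD /ABCDEFGHIJKLMNOPQRSTUVWX/31337_192.168.1.10.asp - 404
2004-12-29 11:30:12 10.0.0.7 HEAD /short/80_0.ASP - 404
2004-12-29 11:30:15 10.0.0.7 GET /ABCDEFGHIJKLMNOPQRSTUVWX/4444_0.ASP - 404
"""


def classify(line: str) -> Optional[dict]:
    """Return details of a suspect HEAD request, or None for a benign line."""
    fields = line.split()
    if len(fields) < 5 or fields[3].upper() != "HEAD":
        return None  # only HEAD requests are of interest
    m = SUSPECT_PATH.match(fields[4])
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None  # not a usable TCP port, so not the described shape
    return {"client": fields[2], "port": port, "addr": m.group("addr")}


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the hits in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"suspect HEAD from {hit['client']}: port {hit['port']} on {hit['addr']}")
```

Dave Aitel's reply says he could not find the behaviour in the DLL, so a hit from this check is a triage signal to be confirmed against the product version, not proof of the claimed backdoor.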