Message-ID: <BAY2-F3033C6EE6D0F7EEA11A23DCC9C0@phx.gbl>
From: thegusto22 at hotmail.com (Lance Gusto)
Subject: Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
Hey Marky Mark and the Funky Bunch,
I will make this short and sweet (I know you have some hair dying to
perform).
If you have no backdoors in your products then I guess you have nothing to
worry about... :)
I would have a real "debate" with you, but you're clearly UNARMED. :)
P.S:
I have to say your products are (not) great, they *really* (un)secure
networks.
Your company is also the leading authority on (pseudo) security....
Vulnerability is (not) over!
Personally I should say: "Lose the weight and you just might gain a clue."
:)
Squeeze through Mr. Marky Mark (CHO)
>From: "Marc Maiffret" <mmaiffret@...e.com>
>To: "Lance Gusto"
>Date: Wed, 29 Dec 2004 17:33:11 -0800
>
>Hi Lance Gusto,
>
>It is really interesting that someone with such a disdain for my company
>would go out of their way to spam out an email about a supposed backdoor
>within our products, choose not to contact us ahead of time, and then
>provide no real details to prove your claim... Ahhh but wait, you chose
>not to provide any details because you're a "good guy". As you said:
>"Unfortunately, we can't release the "exploits" publicly due to the
>severity of these flaws." Right.
>
>The reason you could not provide any real details about these backdoors
>is because there are no backdoors in Iris or SecureIIS.
>
>While I would not wish to give someone like you the time of day nor 15
>minutes of infamy, eEye does take every security claim very seriously.
>We have performed an audit of SecureIIS and Iris code to re-verify what
>we already knew, that there are no backdoors in either of them.
>
>It is quite possible that you downloaded fake warez versions of our
>products from peer-to-peer networks which someone might have put there
>to trick people and put backdoors on their systems. However, if such
>warez product versions existed they would not be from eEye as we do not
>distribute our software on peer-to-peer networks nor recommend people
>downloading warez versions from there. Get your warez from a trusted
>distributor. ;-) If you had contacted us we could have saved you
>the embarrassment... But then you are sending emails from Hotmail
>through a proxy at a university in Germany so I seriously doubt you care
>if your persona "Lance Gusto" gets embarrassed on public mailing lists.
>
>
>These backdoors are as much of a reality as Santa Claus but then you
>seem to be childish enough that you probably still believe in the jolly
>red man. Maybe next you can follow up your humorous email with a spoofed
>advisory about a backdoor you found in Rudolph "the red nosed reindeer".
>At least then you could promote yourself from being a coward to a
>comedian.
>
>Thank you, please drive through.
>
>Signed,
>Marc Maiffret
>Chief Hacking Officer
>eEye Digital Security
>T.949.349.9062
>F.949.349.9538
>http://eEye.com/Blink - End-Point Vulnerability Prevention
>http://eEye.com/Retina - Network Security Scanner
>http://eEye.com/Iris - Network Traffic Analyzer
>http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
>Important Notice: This email is confidential, may be legally privileged,
>and is for the intended recipient only. Access, disclosure, copying,
>distribution, or reliance on any of it by anyone else is prohibited and
>may be a criminal offense. Please delete if obtained in error and email
>confirmation to the sender. P.S. I'm going to tell you this for your own
>benefit, your email was dope as hell especially since you faked 90
>percent of it. What you need to do is practice on your freestyle before
>you come up missing like triple m's police file.
>
>| -----Original Message-----
>| From: full-disclosure-bounces@...ts.netsys.com
>| [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf
>| Of Lance Gusto
>| Sent: Tuesday, December 28, 2004 8:12 PM
>| To: vuln-dev@...urityfocus.com;
>| ntbugtraq@...tserv.ntbugtraq.com; bugs@...uritytracker.com;
>| full-disclosure@...ts.netsys.com;
>| news-editor@...urityfocus.com; press@...-security.org
>| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
>| Products (IRIS and SecureIIS)
>|
>| Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
>| L. Gusto <thegusto22@...mail.com>
>|
>|
>| Summary:
>|
>| During meticulous testing of both eEye's IRIS and SecureIIS
>| products, we (my testing team) have discovered multiple
>| backdoors in the latest of both mentioned products and some
>| older versions we could acquire.
>|
>|
>| These backdoors are very cleverly hidden (kudos to the
>| authors), I personally don't condone illegally backdooring
>| commercial products, and personally I don't think much of
>| eEye but I must give credit to where credit is due.
>|
>|
>| We have tested IRIS 3.7 and up; they all appear to have a backdoor.
>| We have verified the IRIS backdoor doesn't exist in versions
>| prior to 3.0
>|
>|
>| We have tested SecureIIS 2.0 and up; they all appear to have a
>| backdoor.
>| We have verified that SecureIIS 1.x series does not have this
>| specific backdoor.
>|
>| Bringing the backdoors to light:
>|
>| After long testing we discovered the exact sequences used to
>| activate the backdoor. Unfortunately, we can't release the
>| "exploits" publicly due to the severity of these flaws. But
>| incomplete examples will be given.
>|
>|
>|
>| The IRIS Backdoor:
>|
>| This one is quite interesting. We have discovered that
>| sending a specifically crafted UDP datagram to an IRIS host
>| *directly* (not through the wire or to host on the network
>| segment) with certain IP options set and a certain magic
>| value at an undisclosed offset in the payload will bind a
>| shell to the source port specified in the UDP datagram.
>|
>| [snip]
>|
>|
>| The SecureIIS Backdoor:
>|
>| The SecureIIS backdoor was a lot easier to discover but very
>| well placed. The SecureIIS backdoor is triggered by a
>| specifically crafted HTTP HEAD request. Here is an incomplete
>| layout of how to exploit this:
>|
>|
>| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>|
>| PORT - Will be the port to bind a shell.
>| ADDRESS - Address for priority binding (0 - For any).
>|
>|
>| [snip]
>|
>|
>|
>| Local Deduction:
>|
>| There are two possibilities here: either eEye's code has
>| been altered by some attacker or this has been sanctioned by
>| the company (or at least the developers were fully aware of this).
>|
>|
>|
>| Conclusion:
>|
>| It is very very shameful that a somewhat reputable company like eEye
>| is acting in a very childish, unprofessional manner. I figure
>| that is why the code is closed source. There are several
>| active exploits available that I (the author of this
>| advisory) didn't create floating around. The only logical
>| solution will be to not use the mentioned eEye products for
>| the time being or at least downgrade to the non-backdoored versions.
>|
>| We will be investigating eEye's Blink Product for any
>| clandestine backdoors.
>|
>|
>| _______________________________________________
>| Full-Disclosure - We believe in it.
>| Charter: http://lists.netsys.com/full-disclosure-charter.html
>|