Message-ID: <BAY2-F3033C6EE6D0F7EEA11A23DCC9C0@phx.gbl>
From: thegusto22 at hotmail.com (Lance Gusto)
Subject: Multiple Backdoors found in eEye Products (IRISand SecureI

Hey Marky Mark and the Funky Bunch,

I will make this short and sweet (I know you have some hair dying to perform). If you have no backdoors in your products then I guess you have nothing to worry about... :)

I would have a real "debate" with you, but you're clearly UNARMED. :)

P.S: I have to say your products are (not) great, they *really* (un)secure networks. Your company is also the leading authority on (pseudo) security.... Vulnerability is (not) over! Personally I should say: "Lose the weight and you just might gain a clue." :)

Squeeze through Mr. Marky Mark (CHO)

>From: "Marc Maiffret" <mmaiffret@...e.com>
>To: "Lance Gusto"
>Date: Wed, 29 Dec 2004 17:33:11 -0800
>
>Hi Lance Gusto,
>
>It is really interesting that someone with such a disdain for my company would go out of their way to spam out an email about a supposed backdoor within our products, choose not to contact us ahead of time, and then provide no real details to prove your claim... Ahhh but wait, you chose not to provide any details because you're a "good guy". As you said: "Unfortunately, we can't release the "exploits" publicly due to the severity of these flaws." Right.
>
>The reason you could not provide any real details about these backdoors is because there are no backdoors in Iris nor SecureIIS.
>
>While I would not wish to give someone like you the time of day nor 15 minutes of infamy, eEye does take every security claim very seriously. We have performed an audit of SecureIIS and Iris code to re-verify what we already knew, that there are no backdoors in either of them.
>
>It is quite possible that you downloaded fake warez versions of our products from peer-to-peer networks which someone might have put there to trick people and put backdoors on their systems. However, if such warez product versions existed they would not be from eEye as we do not distribute our software on peer-to-peer networks nor recommend people downloading warez versions from there. Get your warez from a trusted distributor. ;-) If you would have contacted us we could have saved you the embarrassment... But then you are sending emails from Hotmail through a proxy at a university in Germany so I seriously doubt you care if your persona "Lance Gusto" gets embarrassed on public mailing lists.
>
>These backdoors are as much of a reality as Santa Claus but then you seem to be childish enough that you probably still believe in the jolly red man. Maybe next you can follow up your humorous email with a spoofed advisory about a backdoor you found in Rudolph "the red nosed reindeer". At least then you could promote yourself from being a coward to a comedian.
>
>Thank you, please drive through.
>
>Signed,
>Marc Maiffret
>Chief Hacking Officer
>eEye Digital Security
>T.949.349.9062
>F.949.349.9538
>http://eEye.com/Blink - End-Point Vulnerability Prevention
>http://eEye.com/Retina - Network Security Scanner
>http://eEye.com/Iris - Network Traffic Analyzer
>http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
>Important Notice: This email is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.
>
>P.S. I'm going to tell you this for your own benefit, your email was dope as hell especially since you faked 90 percent of it. What you need to do is practice on your freestyle before you come up missing like triple m's police file.
>
>| -----Original Message-----
>| From: full-disclosure-bounces@...ts.netsys.com
>| [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of Lance Gusto
>| Sent: Tuesday, December 28, 2004 8:12 PM
>| To: vuln-dev@...urityfocus.com; ntbugtraq@...tserv.ntbugtraq.com; bugs@...uritytracker.com; full-disclosure@...ts.netsys.com; news-editor@...urityfocus.com; press@...-security.org
>| Subject: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS)
>|
>| Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
>| L. Gusto <thegusto22@...mail.com>
>|
>| Summary:
>|
>| During meticulous testing of both eEye's IRIS and SecureIIS products, we (my testing team) have discovered multiple backdoors in the latest of both mentioned products and some older versions we could acquire.
>|
>| These backdoors are very cleverly hidden (kudos to the authors). I personally don't condone illegally backdooring commercial products, and personally I don't think much of eEye, but I must give credit where credit is due.
>|
>| We have tested IRIS 3.7 and up; they all appear to have a backdoor. We have verified the IRIS backdoor doesn't exist in versions prior to 3.0.
>|
>| We have tested SecureIIS 2.0 and up; they all appear to have a backdoor. We have verified that the SecureIIS 1.x series does not have this specific backdoor.
>|
>| Bringing the backdoors to light:
>|
>| After long testing we discovered the exact sequences used to activate the backdoor. Unfortunately, we can't release the "exploits" publicly due to the severity of these flaws. But incomplete examples will be given.
>|
>| The IRIS Backdoor:
>|
>| This one is quite interesting. We have discovered that sending a specifically crafted UDP datagram to an IRIS host *directly* (not through the wire or to a host on the network segment) with certain IP options set and a certain magic value at an undisclosed offset in the payload will bind a shell to the source port specified in the UDP datagram.
>|
>| [snip]
>|
>| The SecureIIS Backdoor:
>|
>| The SecureIIS backdoor was a lot easier to discover but very well placed. The SecureIIS backdoor is triggered by a specifically crafted HTTP HEAD request. Here is an incomplete layout of how to exploit this:
>|
>| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>|
>| PORT - Will be the port to bind a shell.
>| ADDRESS - Address for priority binding (0 - For any).
>|
>| [snip]
>|
>| Local Deduction:
>|
>| There are two possibilities here: either eEye's code has been altered by some attacker or this has been sanctioned by the company (or at least the developers were fully aware of this).
>|
>| Conclusion:
>|
>| It is very very shameful that a somewhat reputable company like eEye is acting in a very childish, unprofessional manner. I figure that is why the code is closed source. There are several active exploits available that I (the author of this advisory) didn't create floating around. The only logical solution will be to not use the mentioned eEye products for the time being or at least downgrade to the non-backdoored versions.
>|
>| We will be investigating eEye's Blink Product for any clandestine backdoors.
>|
>| _________________________________________________________________
>| FREE pop-up blocking with the new MSN Toolbar - get it now!
>| http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
>|
>| _______________________________________________
>| Full-Disclosure - We believe in it.
>| Charter: http://lists.netsys.com/full-disclosure-charter.html