[<prev] [next>] [day] [month] [year] [list]
Message-ID: <19F34051C5BB60429ACD1BF01338C598E9A975@av-mail01.corp.int-eeye.com>
From: mmaiffret at eeye.com (Marc Maiffret)
Subject: Multiple Backdoors found in eEye Products
(IRISand SecureIIS)
Hi Lance Gusto,
It is really interesting that someone with such a disdain for my company
would go out of their way to spam out an email about a supposed backdoor
within our products, choose not to contact us ahead of time, and then
provide no real details to prove your claim... Ahhh but wait, you chose
not to provide any details because you're a "good guy". As you said:
"Unfortunately, we can't release the "exploits" publicly due to the
severity of these flaws." Right.
The reason you could not provide any real details about these backdoors
are because there are no backdoors in Iris nor SecureIIS.
While I would not wish to give someone like you the time of day nor 15
minutes of infamy, eEye does take every security claim very seriously.
We have performed an audit of SecureIIS and Iris code to re-verify what
we already knew, that there are no backdoors in either of them.
It is quite possible that you downloaded fake warez versions of our
products from peer-to-peer networks which someone might have put there
to trick people and put backdoors on their systems. However, if such
warez product versions existed they would not be from eEye as we do not
distribute our software on peer-to-peer networks nor recommend people
downloading warez versions from there. Get your warez from a trusted
distributor. ;-) If you would have contacted us we could have saved you
the embarrassment... But then you are sending emails from Hotmail
through a proxy at a university in Germany so I seriously doubt you care
if your persona "Lance Gusto" gets embarrassed on public mailing lists.
These backdoors are as much of a reality as Santa Claus but then you
seem to be childish enough that you probably still believe in the jolly
red man. Maybe next you can follow-up your humors eMail with a spoofed
advisory about a backdoor you found in Rudolph "the red nosed reindeer".
At least then you could promote yourself from being a coward to a
comedian.
Thank you, please drive through.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
Important Notice: This email is confidential, may be legally privileged,
and is for the intended recipient only. Access, disclosure, copying,
distribution, or reliance on any of it by anyone else is prohibited and
may be a criminal offense. Please delete if obtained in error and email
confirmation to the sender. P.S. I'm going to tell you this for your own
benefit, your email was dope as hell especially since you faked 90
percent of it. What you need to do is practice on your freestyle before
you come up missing like triple m's police file.
| -----Original Message-----
| From: full-disclosure-bounces@...ts.netsys.com
| [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf
| Of Lance Gusto
| Sent: Tuesday, December 28, 2004 8:12 PM
| To: vuln-dev@...urityfocus.com;
| ntbugtraq@...tserv.ntbugtraq.com; bugs@...uritytracker.com;
| full-disclosure@...ts.netsys.com;
| news-editor@...urityfocus.com; press@...-security.org
| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
| Products (IRISand SecureIIS)
|
| Multiple Backdoors found in eEye Products (IRIS and
| SecureIIS) L. Gusto <thegusto22@...mail.com>
|
|
| Summary:
|
| During meticulous testing of both eEye's IRIS and SecureIIS
| products, we (my testing team) have discovered multiple
| backdoors in the latest of both mentioned products and some
| older versions we could acquire.
|
|
| These backdoors are very cleverly hidden (kudos to the
| authors), I personally don't condone illegally backdooring
| commercial products, and personally I don't think much of
| eEye but I must give credit to where credit is due.
|
|
| We have tested IRIS 3.7 and up they all appear to have a backdoor.
| We have verified the IRIS backdoor doesn't exist in versions
| prior to 3.0
|
|
| We have tested SecureIIS 2.0 and up they all appear to have a
| backdoor.
| We have verified that SecureIIS 1.x series does not have this
| specific backdoor.
|
| Bringing the backdoors to light:
|
| After long testing we discovered the exact sequences used to
| active the backdoor. Unfortunately, we can't release the
| "exploits" publically due to the severity of these flaws. But
| incomplete examples will be given.
|
|
|
| The IRIS Backdoor:
|
| This one is quite interesting. We have discovered that
| sending a specifically crafted UDP datagram to a IRIS host
| *directly* (not through the wire or to host on the network
| segment) with certain IP options set and a certain magic
| value at a undisclosed offset in the payload will bind a
| shell to the source port specified in the UDP datagram.
|
| [snip]
|
|
| The SecureIIS Backdoor:
|
| The SecureIIS backdoor was alot easier to discover but very
| well placed. The SecureIIS backdoor is triggered by a
| specifically crafted HTTP HEAD request. Here is a incomplete
| layout of how to exploit this:
|
|
| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
|
| PORT - Will be the port to bind a shell.
| ADDRESS - Address for priority binding (0 - For any).
|
|
| [snip]
|
|
|
| Local Deduction:
|
| There are a two possiblilites here, either eEye's code has
| been altered by some attacker or this has been sanctioned by
| the company (or at least the developers were fully aware of this).
|
|
|
| Conclusion:
|
| It is very very shameful that a somewhat reputable like eEye
| is acting in a very childish, unprofessional manner. I figure
| that is why the code is closed source. There are several
| active exploits available that I (the author of this
| advisory) didn't create floating around. The only logical
| solution will be to not use the mentioned eEye products for
| the time being or at least downgrade to the non-backdoored versions.
|
| We will be investigation eEye's Blink Product for any
| clandestine backdoors.
|
| _________________________________________________________________
| FREE pop-up blocking with the new MSN Toolbar - get it now!
| http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
Powered by blists - more mailing lists