Message-ID: <343561e904123107561088f557@mail.gmail.com>
From: abaker at gmail.com (ASB)
Subject: Multiple Backdoors found in eEye Products (IRISand SecureI

Thanks, Lancelot, for proving that you have absolutely nothing worthy of reporting.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On Thu, 30 Dec 2004 03:00:33 +0000, Lance Gusto <thegusto22@...mail.com> wrote:
>
> Hey Marky Mark and the Funky Bunch,
>
> I will make this short and sweet (I know you have some hair dying to
> perform).
> If you have no backdoors in your products then I guess you have nothing to
> worry about... :)
>
> I would have a real "debate" with you, but you're clearly UNARMED. :)
>
> P.S:
> I have to say your products are (not) great, they *really* (un)secure
> networks.
> Your company is also the leading authority on (pseudo) security....
> Vulnerability
> is (not) over!
>
> Personally I should say: "Lose the weight and you just might gain a clue."
> :)
>
> Squeeze through Mr. Marky Mark (CHO)
>
> >From: "Marc Maiffret" <mmaiffret@...e.com>
> >To: "Lance Gusto"
> >Date: Wed, 29 Dec 2004 17:33:11 -0800
> >
> >Hi Lance Gusto,
> >
> >It is really interesting that someone with such a disdain for my company
> >would go out of their way to spam out an email about a supposed backdoor
> >within our products, choose not to contact us ahead of time, and then
> >provide no real details to prove your claim... Ahhh but wait, you chose
> >not to provide any details because you're a "good guy". As you said:
> >"Unfortunately, we can't release the "exploits" publicly due to the
> >severity of these flaws." Right.
> >
> >The reason you could not provide any real details about these backdoors
> >is because there are no backdoors in Iris nor SecureIIS.
> >
> >While I would not wish to give someone like you the time of day nor 15
> >minutes of infamy, eEye does take every security claim very seriously.
> >We have performed an audit of SecureIIS and Iris code to re-verify what
> >we already knew, that there are no backdoors in either of them.
> >
> >It is quite possible that you downloaded fake warez versions of our
> >products from peer-to-peer networks which someone might have put there
> >to trick people and put backdoors on their systems. However, if such
> >warez product versions existed they would not be from eEye as we do not
> >distribute our software on peer-to-peer networks nor recommend people
> >downloading warez versions from there. Get your warez from a trusted
> >distributor. ;-) If you would have contacted us we could have saved you
> >the embarrassment... But then you are sending emails from Hotmail
> >through a proxy at a university in Germany so I seriously doubt you care
> >if your persona "Lance Gusto" gets embarrassed on public mailing lists.
> >
> >
> >These backdoors are as much of a reality as Santa Claus but then you
> >seem to be childish enough that you probably still believe in the jolly
> >red man. Maybe next you can follow up your humorous eMail with a spoofed
> >advisory about a backdoor you found in Rudolph "the red nosed reindeer".
> >At least then you could promote yourself from being a coward to a
> >comedian.
> >
> >Thank you, please drive through.
> >
> >Signed,
> >Marc Maiffret
> >Chief Hacking Officer
> >eEye Digital Security
> >T.949.349.9062
> >F.949.349.9538
> >http://eEye.com/Blink - End-Point Vulnerability Prevention
> >http://eEye.com/Retina - Network Security Scanner
> >http://eEye.com/Iris - Network Traffic Analyzer
> >http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
> >
> >Important Notice: This email is confidential, may be legally privileged,
> >and is for the intended recipient only. Access, disclosure, copying,
> >distribution, or reliance on any of it by anyone else is prohibited and
> >may be a criminal offense. Please delete if obtained in error and email
> >confirmation to the sender.
> >
> >P.S. I'm going to tell you this for your own
> >benefit, your email was dope as hell especially since you faked 90
> >percent of it. What you need to do is practice on your freestyle before
> >you come up missing like triple m's police file.
> >
> >| -----Original Message-----
> >| From: full-disclosure-bounces@...ts.netsys.com
> >| [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf
> >| Of Lance Gusto
> >| Sent: Tuesday, December 28, 2004 8:12 PM
> >| To: vuln-dev@...urityfocus.com;
> >| ntbugtraq@...tserv.ntbugtraq.com; bugs@...uritytracker.com;
> >| full-disclosure@...ts.netsys.com;
> >| news-editor@...urityfocus.com; press@...-security.org
> >| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
> >| Products (IRISand SecureIIS)
> >|
> >| Multiple Backdoors found in eEye Products (IRIS and
> >| SecureIIS) L. Gusto <thegusto22@...mail.com>
> >|
> >|
> >| Summary:
> >|
> >| During meticulous testing of both eEye's IRIS and SecureIIS
> >| products, we (my testing team) have discovered multiple
> >| backdoors in the latest of both mentioned products and some
> >| older versions we could acquire.
> >|
> >|
> >| These backdoors are very cleverly hidden (kudos to the
> >| authors), I personally don't condone illegally backdooring
> >| commercial products, and personally I don't think much of
> >| eEye but I must give credit to where credit is due.
> >|
> >|
> >| We have tested IRIS 3.7 and up; they all appear to have a backdoor.
> >| We have verified the IRIS backdoor doesn't exist in versions
> >| prior to 3.0.
> >|
> >|
> >| We have tested SecureIIS 2.0 and up; they all appear to have a
> >| backdoor.
> >| We have verified that SecureIIS 1.x series does not have this
> >| specific backdoor.
> >|
> >| Bringing the backdoors to light:
> >|
> >| After long testing we discovered the exact sequences used to
> >| activate the backdoor. Unfortunately, we can't release the
> >| "exploits" publicly due to the severity of these flaws. But
> >| incomplete examples will be given.
> >|
> >|
> >|
> >| The IRIS Backdoor:
> >|
> >| This one is quite interesting. We have discovered that
> >| sending a specifically crafted UDP datagram to an IRIS host
> >| *directly* (not through the wire or to host on the network
> >| segment) with certain IP options set and a certain magic
> >| value at an undisclosed offset in the payload will bind a
> >| shell to the source port specified in the UDP datagram.
> >|
> >| [snip]
> >|
> >|
> >| The SecureIIS Backdoor:
> >|
> >| The SecureIIS backdoor was a lot easier to discover but very
> >| well placed. The SecureIIS backdoor is triggered by a
> >| specifically crafted HTTP HEAD request. Here is an incomplete
> >| layout of how to exploit this:
> >|
> >|
> >| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
> >|
> >| PORT - Will be the port to bind a shell.
> >| ADDRESS - Address for priority binding (0 - For any).
> >|
> >|
> >| [snip]
> >|
> >|
> >|
> >| Local Deduction:
> >|
> >| There are two possibilities here, either eEye's code has
> >| been altered by some attacker or this has been sanctioned by
> >| the company (or at least the developers were fully aware of this).
> >|
> >|
> >|
> >| Conclusion:
> >|
> >| It is very very shameful that a somewhat reputable like eEye
> >| is acting in a very childish, unprofessional manner. I figure
> >| that is why the code is closed source. There are several
> >| active exploits available that I (the author of this
> >| advisory) didn't create floating around. The only logical
> >| solution will be to not use the mentioned eEye products for
> >| the time being or at least downgrade to the non-backdoored versions.
> >|
> >| We will be investigating eEye's Blink Product for any
> >| clandestine backdoors.
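The quoted advisory gives only the shape of the claimed SecureIIS trigger request (`HEAD /<24 byte constant string>/PORT_ADDRESS.ASP`), and eEye's reply in the same thread states that no such backdoor exists. For an administrator who wants to check IIS logs for requests of that shape anyway, the following is an added Python example, not code from this thread, from eEye or from the advisory's author. It parses IIS W3C extended log records using the `#Fields:` directive and flags HEAD requests whose URI stem matches the described layout. Assumptions: the undisclosed 24-byte constant is matched as any 24 non-slash characters, PORT must be a valid TCP port, ADDRESS is `0` or a dotted IPv4 address, and the log lines are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed IIS W3C extended log sample (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-28 20:12:01 10.0.0.5 GET /default.htm - 200
2004-12-28 20:12:07 10.0.0.9 HEAD /abcdefghijklmnopqrstuvwx/4444_0.ASP - 404
2004-12-28 20:12:09 10.0.0.9 HEAD /index.asp - 200
2004-12-28 20:12:11 10.0.0.7 HEAD /ABCDEFGHIJKLMNOPQRSTUVWX/31337_10.0.0.7.asp - 404
2004-12-28 20:12:15 10.0.0.5 GET /abcdefghijklmnopqrstuvwx/4444_0.ASP - 404
2004-12-28 20:12:20 10.0.0.9 HEAD /abcdefghijklmnopqrstuvwx/99999_0.ASP - 404
"""

# The advisory only gives the request shape: HEAD /<24 byte constant>/PORT_ADDRESS.ASP.
# The constant is undisclosed, so it is matched as any 24 non-slash characters
# (an assumption); PORT is 1-5 digits, ADDRESS is "0" or a dotted IPv4 address.
TRIGGER_SHAPE = re.compile(
    r"^/[^/]{24}/(?P<port>\d{1,5})_(?P<address>0|\d{1,3}(?:\.\d{1,3}){3})\.asp$",
    re.IGNORECASE,
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per record, keyed by the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blank lines, or data before any #Fields
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def find_trigger_shaped_heads(text: str) -> List[Dict[str, object]]:
    """Return HEAD requests whose URI stem matches the advisory's described layout."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "HEAD":
            continue  # the described trigger is a HEAD request; other methods are ignored
        m = TRIGGER_SHAPE.match(rec.get("cs-uri-stem", ""))
        if m is None:
            continue
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            continue  # shape matched but PORT is not a usable TCP port
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "port": port,
            "address": m.group("address"),
            "status": rec["sc-status"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_trigger_shaped_heads(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the two HEAD requests of the described shape (ports 4444 and 31337) are reported, while the GET with the same path, the ordinary `HEAD /index.asp`, and the out-of-range port 99999 are not. Matching on the logged URI stem rather than the raw request line means this works on retained logs, and the same `parse_w3c` helper can be reused for any other per-record check on IIS W3C logs.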