From: abaker at gmail.com (ASB)
Subject: Multiple Backdoors found in eEye Products
	(IRISand SecureI

Thanks, Lancelot, for proving that you have absolutely nothing worthy
of reporting.

.
-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Thu, 30 Dec 2004 03:00:33 +0000, Lance Gusto <thegusto22@...mail.com> wrote:
> 
> Hey Marky Mark and the Funky Bunch,
> 
> I will make this short and sweet (I know you have some hair dyeing to
> perform).
> If you have no backdoors in your products then I guess you have nothing to
> worry about... :)
> 
> I would have a real "debate" with you, but you're clearly UNARMED. :)
> 
> P.S:
> I have to say your products are (not) great, they *really* (un)secure
> networks.
> Your company is also the leading authority on (pseudo) security....
> Vulnerability
> is (not) over!.
> 
> Personally I should say: "Lose the weight and you just might gain a clue."
> :)
> 
> Squeeze through Mr. Marky Mark (CHO)
> 
> >From: "Marc Maiffret" <mmaiffret@...e.com>
> >To: "Lance Gusto"
> >Date: Wed, 29 Dec 2004 17:33:11 -0800
> >
> >Hi Lance Gusto,
> >
> >It is really interesting that someone with such a disdain for my company
> >would go out of their way to spam out an email about a supposed backdoor
> >within our products, choose not to contact us ahead of time, and then
> >provide no real details to prove your claim... Ahhh but wait, you chose
> >not to provide any details because you're a "good guy". As you said:
> >"Unfortunately, we can't release the "exploits" publicly due to the
> >severity of these flaws." Right.
> >
> >The reason you could not provide any real details about these backdoors
> >is because there are no backdoors in Iris nor SecureIIS.
> >
> >While I would not wish to give someone like you the time of day nor 15
> >minutes of infamy, eEye does take every security claim very seriously.
> >We have performed an audit of SecureIIS and Iris code to re-verify what
> >we already knew, that there are no backdoors in either of them.
> >
> >It is quite possible that you downloaded fake warez versions of our
> >products from peer-to-peer networks which someone might have put there
> >to trick people and put backdoors on their systems. However, if such
> >warez product versions existed they would not be from eEye as we do not
> >distribute our software on peer-to-peer networks nor recommend people
> >downloading warez versions from there.  Get your warez from a trusted
> >distributor. ;-) If you would have contacted us we could have saved you
> >the embarrassment... But then you are sending emails from Hotmail
> >through a proxy at a university in Germany so I seriously doubt you care
> >if your persona "Lance Gusto" gets embarrassed on public mailing lists.
> >
> >
> >These backdoors are as much of a reality as Santa Claus but then you
> >seem to be childish enough that you probably still believe in the jolly
> >red man. Maybe next you can follow-up your humorous eMail with a spoofed
> >advisory about a backdoor you found in Rudolph "the red nosed reindeer".
> >At least then you could promote yourself from being a coward to a
> >comedian.
> >
> >Thank you, please drive through.
> >
> >Signed,
> >Marc Maiffret
> >Chief Hacking Officer
> >eEye Digital Security
> >T.949.349.9062
> >F.949.349.9538
> >http://eEye.com/Blink - End-Point Vulnerability Prevention
> >http://eEye.com/Retina - Network Security Scanner
> >http://eEye.com/Iris - Network Traffic Analyzer
> >http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
> >
> >Important Notice: This email is confidential, may be legally privileged,
> >and is for the intended recipient only. Access, disclosure, copying,
> >distribution, or reliance on any of it by anyone else is prohibited and
> >may be a criminal offense.  Please delete if obtained in error and email
> >confirmation to the sender. P.S. I'm going to tell you this for your own
> >benefit, your email was dope as hell especially since you faked 90
> >percent of it. What you need to do is practice on your freestyle before
> >you come up missing like triple m's police file.
> >
> >| -----Original Message-----
> >| From: full-disclosure-bounces@...ts.netsys.com
> >| [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf
> >| Of Lance Gusto
> >| Sent: Tuesday, December 28, 2004 8:12 PM
> >| To: vuln-dev@...urityfocus.com;
> >| ntbugtraq@...tserv.ntbugtraq.com; bugs@...uritytracker.com;
> >| full-disclosure@...ts.netsys.com;
> >| news-editor@...urityfocus.com; press@...-security.org
> >| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
> >| Products (IRISand SecureIIS)
> >|
> >| Multiple Backdoors found in eEye Products (IRIS and
> >| SecureIIS) L. Gusto <thegusto22@...mail.com>
> >|
> >|
> >| Summary:
> >|
> >| During meticulous testing of both eEye's IRIS and SecureIIS
> >| products, we (my testing team) have discovered multiple
> >| backdoors in the latest of both mentioned products and some
> >| older versions we could acquire.
> >|
> >|
> >| These backdoors are very cleverly hidden (kudos to the
> >| authors), I personally don't condone illegally backdooring
> >| commercial products, and personally I don't think much of
> >| eEye but I must give credit to where credit is due.
> >|
> >|
> >| We have tested IRIS 3.7 and up they all appear to have a backdoor.
> >| We have verified the IRIS backdoor doesn't exist in versions
> >| prior to 3.0
> >|
> >|
> >| We have tested SecureIIS 2.0 and up they all appear to have a
> >| backdoor.
> >| We have verified that SecureIIS 1.x series does not have this
> >| specific backdoor.
> >|
> >| Bringing the backdoors to light:
> >|
> >| After long testing we discovered the exact sequences used to
> >| activate the backdoor. Unfortunately, we can't release the
> >| "exploits" publicly due to the severity of these flaws. But
> >| incomplete examples will be given.
> >|
> >|
> >|
> >| The IRIS Backdoor:
> >|
> >| This one is quite interesting. We have discovered that
> >| sending a specifically crafted UDP datagram to an IRIS host
> >| *directly* (not through the wire or to host on the network
> >| segment) with certain IP options set and a certain magic
> >| value at an undisclosed offset in the payload will bind a
> >| shell to the source port specified in the UDP datagram.
> >|
> >| [snip]
> >|
> >|
> >| The SecureIIS Backdoor:
> >|
> >| The SecureIIS backdoor was a lot easier to discover but very
> >| well placed. The SecureIIS backdoor is triggered by a
> >| specifically crafted HTTP HEAD request. Here is an incomplete
> >| layout of how to exploit this:
> >|
> >|
> >| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
> >|
> >| PORT                 - Will be the port to bind a shell.
> >| ADDRESS              - Address for priority binding (0 - For any).
> >|
> >|
> >| [snip]
> >|
> >|
> >|
> >| Local Deduction:
> >|
> >| There are two possibilities here, either eEye's code has
> >| been altered by some attacker or this has been sanctioned by
> >| the company (or at least the developers were fully aware of this).
> >|
> >|
> >|
> >| Conclusion:
> >|
> >| It is very very shameful that a somewhat reputable like eEye
> >| is acting in a very childish, unprofessional manner. I figure
> >| that is why the code is closed source. There are several
> >| active exploits available that I (the author of this
> >| advisory) didn't create floating around. The only logical
> >| solution will be to not use the mentioned eEye products for
> >| the time being or at least downgrade to the non-backdoored versions.
> >|
> >| We will be investigating eEye's Blink Product for any
> >| clandestine backdoors.
