From: dave at immunitysec.com (Dave Aitel)
Subject: Multiple Backdoors found in eEye Products (IRIS and Secure

Well, for all who read this (and care) I tested a moderately old version 
of SecureIIS I have installed on some VM, and I didn't see any calls to 
CreateProcess anywhere in any of the eEye DLLs. Nor did I see any 
suspicious getprocaddr's/loadlibrarya's that would indicate a backdoor.

For those who might try this little game, eEye's SecureIIS is basically 
an http_filter module that loads into Inetinfo which takes requests and 
passes them off to an ncalrpc service (the event bus, as they'd call it). 
It's going to get the request about 3 times during the course of events.

Of course, this sort of thing is basically impossible to disprove - 
especially without source.

-dave


Lance Gusto wrote:

>
> Hey Dave,
>
>
> I cannot disclose much information (based on request/threats made by 
> certain organizations who may be involved); I am sure you can understand.
>
> But we have tested Iris versions 3.0 and up ... As I previously stated, 
> it doesn't appear to exist in the 2.x series of Iris.
>
> I am not the main tester involved here, but I was told that there is 
> some sort of clandestine chaining mechanism to create the processes, I 
> believe. I will provide the "lists" I have sent this to with more 
> information as soon as some of the other testers involved come back from 
> their respective holiday breaks.
>
>
>> From: Dave Aitel <dave@...unitysec.com>
>> To: Lance Gusto <thegusto22@...mail.com>
>> Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye 
>> Products (IRIS and SecureIIS)
>> Date: Wed, 29 Dec 2004 11:29:55 -0500
>>
>>
>>>
>>>
>>> The SecureIIS Backdoor:
>>>
>>> The SecureIIS backdoor was a lot easier to discover but very well
>>> placed. The SecureIIS backdoor is triggered by a specifically
>>> crafted HTTP HEAD request. Here is an incomplete layout of how
>>> to exploit this:
>>>
>>
>> Which version did you test? I'm not seeing it, or any intermodular 
>> calls to CreateProcess in the DLL that it loads up.
>>
>> -dave
>>
>>
>>>
>>> HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>>>
>>> PORT - Will be the port to bind a shell.
>>> ADDRESS - Address for priority binding (0 - For any).
>>>
>>>
>>> [snip]
>>>
>>>
>>>
>>> Local Deduction:
>>>
>>> There are two possibilities here: either eEye's code has been
>>> altered by some attacker or this has been sanctioned by the
>>> company (or at least the developers were fully aware of this).
>>>
>>>
>>>
>>> Conclusion:
>>>
>>> It is very very shameful that a somewhat reputable company like eEye is acting
>>> in a very childish, unprofessional manner. I figure that is why the
>>> code is closed source. There are several active exploits available that I
>>> (the author of this advisory) didn't create floating around. The only
>>> logical solution will be to not use the mentioned eEye products for the
>>> time being or at least downgrade to the non-backdoored versions.
>>>
>>> We will be investigating eEye's Blink Product for any clandestine 
>>> backdoors.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>
>>
>



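Dave's check above (looking through the eEye DLLs for intermodular calls to CreateProcess and for GetProcAddress/LoadLibraryA lookups) can be automated by walking a module's PE import table. What follows is an added example, not code from this thread, from eEye or from Immunity: a small import-table parser for PE32 and PE32+ files written with only the Python standard library, a review list of API names (my choice, seeded from the names Dave mentions) and a constructed fixture binary so the example runs offline. `build_sample_pe`, `parse_imports`, `find_suspicious` and the `SUSPICIOUS` set are all names I introduced here; the fixture is not derived from any real eEye file.

```python
import struct

# API names Dave looked for by hand. A hit is a reason to look closer, not proof of a backdoor.
SUSPICIOUS = {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA",
              "ShellExecuteW", "GetProcAddress", "LoadLibraryA", "LoadLibraryW"}


def _cstr(buf, off):
    """Read a NUL-terminated ASCII string starting at file offset `off`."""
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(image):
    """Return {dll_name: [function name or '#ordinal', ...]} for a PE32/PE32+ file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]     # COFF SizeOfOptionalHeader
    opt = pe + 24                                               # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                          # PE32: 32-bit thunks
        dd, thunk_fmt, ordinal_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                                        # PE32+: 64-bit thunks
        dd, thunk_fmt, ordinal_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", image, opt + dd - 4)[0] < 2:   # NumberOfRvaAndSizes
        return {}
    imp_rva = struct.unpack_from("<I", image, opt + dd + 8)[0]  # data directory[1] = imports
    if imp_rva == 0:
        return {}

    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA %#x not backed by any section" % rva)

    result = {}
    desc = rva2off(imp_rva)
    tsz = struct.calcsize(thunk_fmt)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:              # all-zero terminator descriptor
            break
        names, thunk = [], rva2off(oft or ft)                   # prefer the ILT, fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, image, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))
            else:
                names.append(_cstr(image, rva2off(entry) + 2))  # skip the 2-byte hint
            thunk += tsz
        result[_cstr(image, rva2off(name_rva))] = names
        desc += 20
    return result


def find_suspicious(imports):
    """Sorted (dll, function) pairs whose names are on the review list."""
    return sorted((dll, fn) for dll, fns in imports.items() for fn in fns if fn in SUSPICIOUS)


def build_sample_pe(imports, pe32plus=False):
    """Construct a minimal PE whose only content is an import table.

    Constructed test fixture so the example runs offline; not an eEye binary or any real file.
    """
    sec_va, sec_raw = 0x1000, 0x200
    fmt = "<Q" if pe32plus else "<I"
    tsz = struct.calcsize(fmt)
    data = bytearray((len(imports) + 1) * 20)                   # descriptors + terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        ilt = len(data)
        data += bytes(tsz * (len(funcs) + 1))                   # thunk array + terminator
        name_off = len(data)
        data += dll.encode() + b"\0"
        for j, fn in enumerate(funcs):
            struct.pack_into(fmt, data, ilt + j * tsz, sec_va + len(data))
            data += b"\0\0" + fn.encode() + b"\0"               # hint/name entry
        struct.pack_into("<IIIII", data, i * 20, sec_va + ilt, 0, 0, sec_va + name_off, sec_va + ilt)
    opt_size, dd = (240, 112) if pe32plus else (224, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd - 4, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 8, sec_va, (len(imports) + 1) * 20)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0)
    sec = b".idata\0\0" + struct.pack("<IIII", len(data), sec_va, len(data), sec_raw) + bytes(16)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + bytes(sec_raw - len(hdr)) + bytes(data)
```

Usage: `find_suspicious(parse_imports(open("module.dll", "rb").read()))` lists the flagged (dll, function) pairs for a real module. The same caveat Dave raises applies: this only sees names that appear statically in the import table, so code that resolves an API by hand (a GetProcAddress call fed a string built at run time, for instance) shows up at most as the GetProcAddress import itself, which is why a clean result can lower suspicion but cannot disprove the claim.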