lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b7a807650810310717x73ab7d59sf9ffb496b3fb2799@mail.gmail.com>
Date: Fri, 31 Oct 2008 14:17:04 +0000
From: "Adrian P" <unknown.pentester@...il.com>
To: Fionnbharr <thouth@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Universal Website Hijacking by Exploiting
	Firewall Content Filtering Features + SonicWALL firewalls 0day

Hello Fionnbharr,

Please see my response to your comments in-line.

On Fri, Oct 31, 2008 at 8:31 AM, Fionnbharr <thouth@...il.com> wrote:
> This isn't new. It isn't even a technique.
>
> http://www.bluecoat.com/support/securityadvisories/icap_patience
>
> A very recent example of this kind of vulnerability. My god you
> gnucitizen people are retarded. At least you didn't give it a
> ridiculous name like 'clickjacking'. Can you GNUtards please keep your
> 'research' into subjects people already know to yourself or at least
> not post it the lists, then at least I won't have to see it.

That Bluecoat advisory was released on 29 September 2008. What makes
you think that I did not discover the SonicWALL vulnerability/vector
and reported it to ZDI *way before* that date? Well, FYI I reported it
to ZDI in June 2008 and discovered it even before.

At least, you should consider the possibility of the attack vector
being discovered by two researchers concurrently. It can take quite a
few months before the vendor provides a patch, not to mention that
SonicWALL was VERY slow to confirm the vulnerability.

Don't you know that responsible disclosure means that the details of a
vulnerability can be held for quite a while before being released to
the public? Since when the publishing date of an advisory is equal to
discovery date?

Furthermore, it appears that Bluecoat only released their advisory
*after* the researcher jplopezy made his advisory public, which could
suggest that he did NOT inform the vendor before releasing the
details:

http://www.securityfocus.com/archive/1/496940/30/0/threaded

It's also interesting that the researcher released the advisory
(bugtraq post) one day *after* I published the general description of
the attack:

June 25th, 2008.
ZDI forwards my findings to SonicWALL (see "Disclosure Timeline"):
http://www.zerodayinitiative.com/advisories/ZDI-08-070/

September 20th, 2008.
I publish the general description of the attack:
http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/

September 21th, 2008.
Researcher jplopezy finds the same attack vector on BlueCoat's web filter:
http://www.securityfocus.com/archive/1/496577/30/0/threaded

Notice jplopezy published the bugtraq post *one day after* I published
the general attack description on GNUCITIZEN. Interesting?

Please do your homework before many any accusations.

>
> Also "Malaysia: Cracking into Embedded Devices and Beyond!", who the
> fuck uses the word 'cracking' instead of 'hacking' in 2008? Sure for
> cracking passwords, but wow.

Can't you accept the idea some some of us still consider hacking and
breaking into a system not necessarily the same thing?

Regards,
ap.

>
> 2008/10/31 Adrian P <unknown.pentester@...il.com>:
>> Hello folks,
>>
>> Yesterday, I presented for the first time [1] a new method to perform
>> universal website hijacking by exploiting content filtering features
>> commonly supported by corporate firewalls. I briefly discussed [2] the
>> finding on GNUCITIZEN in the past without giving away the details, but
>> rather mentioning what the attacker can do and some characteristics of
>> the attack.
>>
>> Anyway, I'm now releasing full details on how the technique works, and
>> a real 0day example against SonicWALL firewalls.
>>
>> The paper can be found on the GNUCITIZEN labs site. Please let me know
>> if you can successfully use the same technique against firewalls by
>> other vendors:
>>
>> http://sites.google.com/a/gnucitizen.org/lab/research-papers
>>
>> Finally, I'd like to thank Zero Day Initiative [3] for their great
>> work and the Hack in the Box crew for organizing such a fine event!
>>
>> Regards,
>> ap.
>>
>> REFERENCES
>>
>> [1] "HITBSecConf2008 - Malaysia: Cracking into Embedded Devices and Beyond!"
>> http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=186
>>
>> [2] "New technique to perform universal website hijacking"
>> http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/
>>
>> [3] "SonicWALL Content-Filtering Universal Script Injection Vulnerability"
>> http://www.zerodayinitiative.com/advisories/ZDI-08-070/
>>
>> --
>> Adrian "pagvac" Pastor | GNUCITIZEN
>> gnucitizen.org
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ