[Full-Disclosure] @(#)Mordred Labs security notice - exploring the honeypot(s) in the wild

From: Sir Mordred (mordred_at_s-mail.com)
Date: 05/10/03

    To: full-disclosure@lists.netsys.com
    Date: Sat, 10 May 2003 06:54:41 +0000
    


    // @(#)Mordred Labs security notice 0x0003

    Name: Exploring the honeypot(s) in the wild
    Release date: May 10, 2003
    Author: Sir Mordred (mordred@s-mail.com)

    I. INTRODUCTION

    This is the second part of the security notice devoted to security companies.

    Then why is it called "Exploring the honeypots in the wild"?
    Well, it's simple: when I visited http://xfiw.iss.net and read:

    <quote>
    As a normal course of their research, the ISS X-Force™ places servers on
    the Internet to monitor hacker activity, propagation of Internet worms and
    to serve as targets for attack. These servers are known as honeypots. In
    some cases, honeypots are purposely left insecure and mis-configured. Some
    honeypots are "visible" to the public via web servers and web pages that
    are placed on the servers. All of ISS honeypots are constantly monitored by
    the X-Force to better understand widely used hacking tools and techniques,
    but also to identify new attack routines and vulnerabilities. Several
    X-Force personnel are members of the Honeynet Research Alliance.
    </quote>

    I laughed myself into fits, and because of this nice quote I decided to
    devote the whole notice to ISS.
    After reading this notice you should clearly understand several important
    points:

    1) all of the ISS public servers are honeypots (i.e. serve as targets for
    attack), which in all cases are "purposely left insecure and mis-configured"

    2) not just several, but all of the X-Force personnel, including ISS tech
    personnel, including their admins/programmers, are members of the Honeypost
    Research Alliance, so the notice should make you think twice before
    acquiring ISS service, because you probably don't want your system to be
    just another honeypot on the net.

    3) the notice will make some of the people look like assholes, sorry for
    that.

    4) the notice will show what a security audit looks like, web app audit in
    particular, so I expect many security experts and pen-testers will be
    highly surprised when they hear that a security audit is not just
    nmapping/nessusing/whiskering the target system.

    5) it seems that some ISS web developers never heard about the try { lame
    code here } catch(Throwable t) {} trick; maybe some Java tutorial like
    http://www.tutorialbooks.com/for_dummies_idiots_guides/subjects/java_tutorial.htm
    would be very helpful ...
    wait, what? ... damn, I forgot that this is a honeypot! and it is
    "purposely left insecure and mis-configured"...

    As always, the format for vulnerabilities is:

    <number>) [hostname, the company name]
    quotes, comments (if any)
    * ISSUE <number> - description of the vulnerability
    blank line
    comments (if any)
    blank line
    the url to demonstrate this vulnerability
    blank line
    the error message (if any)


    II. DETAILS

    [ www.iss.net, Internet Security Systems Inc. ]

    * ISSUE 1 - Multiple CSS vulnerabilities

    I will not describe all of the CSS vulnerabilities here (there are too many
    of them), just one example.

    http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=">[JAVASCRIPT]<"

    * ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp

    http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkkjdcgencfhidglgdgij.0&oid=1

    Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason:
    cnt.get has no properties

    * ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp

    http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'

    Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed,
    reason: eventlist has no properties

    * ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml

    https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid=s'

    Received an exception:
    Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
    properly terminated

    * ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml

    https://www.iss.net/issEn/DLC/evalForm.jhtml?sid=s'

    Received an exception:
    Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
    properly terminated

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
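As an added example that is not part of the original notice: a small Python detector that replays the probes quoted above against constructed access-log lines (sample data, not real ISS logs) and flags reflected-markup and lone-quote parameters, marking 5xx responses as likely verbose-error disclosures of the kind shown in issues 2-5.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines replaying the probes quoted in the notice
# (sample data made for this example, not real ISS logs).
SAMPLE_LOG = """\
10.0.0.1 - - [10/May/2003:06:54:41 +0000] "GET /issEn/delivery/eventscalendar.jsp?regioncode=%22%3E%5BJAVASCRIPT%5D%3C%22 HTTP/1.1" 200 5120
10.0.0.1 - - [10/May/2003:06:54:42 +0000] "GET /issEn/delivery/eventscalendar.jsp?regioncode=EM%27 HTTP/1.1" 500 812
10.0.0.1 - - [10/May/2003:06:54:43 +0000] "GET /issEn/MYISS/EditInfo.jhtml?sid=s%27 HTTP/1.1" 500 640
10.0.0.2 - - [10/May/2003:06:55:00 +0000] "GET /issEn/delivery/eventscalendar.jsp?regioncode=EM HTTP/1.1" 200 7300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_value(value):
    """Label a decoded query-string value by the probe pattern it carries."""
    if re.search(r'[<>]|javascript:', value, re.I):
        return "xss-probe"   # markup landing in a parameter the page reflects
    if "'" in value:
        return "sql-probe"   # lone quote: the ORA-01756 trigger from the notice
    return None

def flag_probes(log_text):
    """One finding per suspicious parameter; a 5xx marks a likely error-page leak."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                status = int(m["status"])
                findings.append({
                    "ip": m["ip"], "path": parts.path, "param": name,
                    "kind": kind, "status": status,
                    # an unhandled exception page is what turns a probe into
                    # a path or SQL-error disclosure
                    "error_leak_suspected": status >= 500,
                })
    return findings

if __name__ == "__main__":
    for f in flag_probes(SAMPLE_LOG):
        print(f)
```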