Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and Secure

From: Lance Gusto (thegusto22_at_hotmail.com)
Date: 12/29/04

    To: dave@immunitysec.com, full-disclosure@lists.netsys.com
    Date: Wed, 29 Dec 2004 21:03:02 +0000
    
    

    Hey Dave,

    I cannot disclose much information (based on requests/threats made by
    certain organizations who may be involved); I am sure you can understand.

    But we have tested Iris versions 3.0 and up ... As I previously stated, it
    doesn't appear to exist in the 2.x series of Iris.

    I am not the main tester involved here, but I was told that there is some
    sort of clandestine chaining mechanism to create the processes, I believe.
    I will provide the "lists" I have sent this to with more information as
    soon as some of the other testers involved come back from their
    respective holiday breaks.

    >From: Dave Aitel <dave@immunitysec.com>
    >To: Lance Gusto <thegusto22@hotmail.com>
    >Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products
    >(IRIS and SecureIIS)
    >Date: Wed, 29 Dec 2004 11:29:55 -0500
    >
    >
    >>
    >>
    >>The SecureIIS Backdoor:
    >>
    >>The SecureIIS backdoor was a lot easier to discover but very well
    >>placed. The SecureIIS backdoor is triggered by a specifically
    >>crafted HTTP HEAD request. Here is an incomplete layout of how
    >>to exploit this:
    >>
    >
    >Which version did you test? I'm not seeing it, or any intermodular calls to
    >CreateProcess in the DLL that it loads up.
    >
    >-dave
    >
    >
    >>
    >>HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
    >>
    >>PORT - Will be the port to bind a shell.
    >>ADDRESS - Address for priority binding (0 - For any).
    >>
    >>
    >>[snip]
    >>
    >>
    >>
    >>Local Deduction:
    >>
    >>There are two possibilities here: either eEye's code has been
    >>altered by some attacker or this has been sanctioned by the
    >>company (or at least the developers were fully aware of this).
    >>
    >>
    >>
    >>Conclusion:
    >>
    >>It is very, very shameful that a somewhat reputable company like eEye is
    >>acting in a very childish, unprofessional manner. I figure that is why the
    >>code is closed source. There are several active exploits floating around
    >>that I (the author of this advisory) didn't create. The only
    >>logical solution will be to not use the mentioned eEye products for the
    >>time being or at least downgrade to the non-backdoored versions.
    >>
    >>We will be investigating eEye's Blink product for any clandestine
    >>backdoors.
    >>
    >>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >

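A defender's check for the request shape quoted in the advisory above, added here as an example and not part of the thread or of any eEye or Immunity code: it scans constructed IIS-style W3C log lines for HEAD requests whose path has the form `/<24-byte segment>/PORT_ADDRESS.ASP`. The 24-byte constant is not given on the page, so the rule keys on the shape alone (an assumption) and will need tuning against the real traffic of a given server.

```python
import re

# Request shape from the quoted advisory: HEAD /<24 byte constant string>/PORT_ADDRESS.ASP
# The constant is not on the page, so this is a shape heuristic (assumption):
# first path segment exactly 24 bytes, second segment <port>_<address>.ASP.
TRIGGER_SHAPE = re.compile(
    r"^/(?P<const>[^/\s]{24})/(?P<port>\d{1,5})_(?P<addr>[^/\s]+)\.ASP$", re.IGNORECASE)

# Field order of the constructed IIS-style W3C log below.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_w3c_line(line):
    # Skip directives ("#Fields: ...") and lines with the wrong field count.
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def matches_trigger(method, uri_stem):
    # Only HEAD counts; a GET of the same path is not the described trigger.
    if method.upper() != "HEAD":
        return None
    m = TRIGGER_SHAPE.match(uri_stem)
    if not m or int(m.group("port")) > 65535:
        return None
    # Per the quoted text, ADDRESS 0 means "bind on any address".
    return {"port": int(m.group("port")), "addr": m.group("addr")}

def scan_log(lines):
    # Return every matching record with time and client IP for triage.
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        info = matches_trigger(rec["cs-method"], rec["cs-uri-stem"])
        if info is not None:
            hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"], **info})
    return hits

# Constructed sample log; not from any real server.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-12-29 21:03:02 192.0.2.10 HEAD /default.htm - 200",
    "2004-12-29 21:04:11 198.51.100.7 HEAD /ABCDEFGHIJKLMNOPQRSTUVWX/4444_0.ASP - 404",
    "2004-12-29 21:04:12 198.51.100.7 HEAD /short/4444_0.ASP - 404",
    "2004-12-29 21:04:13 198.51.100.7 GET /ABCDEFGHIJKLMNOPQRSTUVWX/4444_0.ASP - 404",
]
```

Calling `scan_log(SAMPLE_LOG)` flags only the third record; the short-segment HEAD and the GET of the same path are left alone.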

