RE: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureI

From: Lance Gusto (thegusto22_at_hotmail.com)
Date: 12/30/04

  • Next message: xyberpix: "Re: [Full-Disclosure] Again: zone transfers, a spammer's dream?"
    To: mmaiffret@eeye.com, thegusto22@hotmail.com, vuln-dev@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com, bugs@securitytracker.com, full-disclosure@lists.netsys.com, news-editor@securityfocus.com, press@net-security.org
    Date: Thu, 30 Dec 2004 03:00:33 +0000
    
    

    Hey Marky Mark and the Funky Bunch,

    I will make this short and sweet (I know you have some hair dying to
    perform).
    If you have no backdoors in your products then I guess you have nothing to
    worry about... :)

    I would have a real "debate" with you, but your clearly UNARMED. :)

    P.S:
    I have to say your products are (not) great, they *really* (un)secure
    networks.
    Your company is also the leading authority on (pseudo) security....
    Vulnerability
    is (not) over!.

    Personally I should say: "Lose the weight and you just might gain a clue."
    :)

    Squeeze through Mr. Marky Mark (CHO)

    >From: "Marc Maiffret" <mmaiffret@eeye.com>
    >To: "Lance Gusto" Date: Wed, 29 Dec 2004 17:33:11 -0800
    >
    >Hi Lance Gusto,
    >
    >It is really interesting that someone with such a disdain for my company
    >would go out of their way to spam out an email about a supposed backdoor
    >within our products, choose not to contact us ahead of time, and then
    >provide no real details to prove your claim... Ahhh but wait, you chose
    >not to provide any details because you're a "good guy". As you said:
    >"Unfortunately, we can't release the "exploits" publicly due to the
    >severity of these flaws." Right.
    >
    >The reason you could not provide any real details about these backdoors
    >are because there are no backdoors in Iris nor SecureIIS.
    >
    >While I would not wish to give someone like you the time of day nor 15
    >minutes of infamy, eEye does take every security claim very seriously.
    >We have performed an audit of SecureIIS and Iris code to re-verify what
    >we already knew, that there are no backdoors in either of them.
    >
    >It is quite possible that you downloaded fake warez versions of our
    >products from peer-to-peer networks which someone might have put there
    >to trick people and put backdoors on their systems. However, if such
    >warez product versions existed they would not be from eEye as we do not
    >distribute our software on peer-to-peer networks nor recommend people
    >downloading warez versions from there. Get your warez from a trusted
    >distributor. ;-) If you would have contacted us we could have saved you
    >the embarrassment... But then you are sending emails from Hotmail
    >through a proxy at a university in Germany so I seriously doubt you care
    >if your persona "Lance Gusto" gets embarrassed on public mailing lists.
    >
    >
    >These backdoors are as much of a reality as Santa Claus but then you
    >seem to be childish enough that you probably still believe in the jolly
    >red man. Maybe next you can follow-up your humors eMail with a spoofed
    >advisory about a backdoor you found in Rudolph "the red nosed reindeer".
    >At least then you could promote yourself from being a coward to a
    >comedian.
    >
    >Thank you, please drive through.
    >
    >Signed,
    >Marc Maiffret
    >Chief Hacking Officer
    >eEye Digital Security
    >T.949.349.9062
    >F.949.349.9538
    >http://eEye.com/Blink - End-Point Vulnerability Prevention
    >http://eEye.com/Retina - Network Security Scanner
    >http://eEye.com/Iris - Network Traffic Analyzer
    >http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    >
    >Important Notice: This email is confidential, may be legally privileged,
    >and is for the intended recipient only. Access, disclosure, copying,
    >distribution, or reliance on any of it by anyone else is prohibited and
    >may be a criminal offense. Please delete if obtained in error and email
    >confirmation to the sender. P.S. I'm going to tell you this for your own
    >benefit, your email was dope as hell especially since you faked 90
    >percent of it. What you need to do is practice on your freestyle before
    >you come up missing like triple m's police file.
    >
    >| -----Original Message-----
    >| From: full-disclosure-bounces@lists.netsys.com
    >| [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf
    >| Of Lance Gusto
    >| Sent: Tuesday, December 28, 2004 8:12 PM
    >| To: vuln-dev@securityfocus.com;
    >| ntbugtraq@listserv.ntbugtraq.com; bugs@securitytracker.com;
    >| full-disclosure@lists.netsys.com;
    >| news-editor@securityfocus.com; press@net-security.org
    >| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
    >| Products (IRISand SecureIIS)
    >|
    >| Multiple Backdoors found in eEye Products (IRIS and
    >| SecureIIS) L. Gusto <thegusto22@hotmail.com>
    >|
    >|
    >| Summary:
    >|
    >| During meticulous testing of both eEye's IRIS and SecureIIS
    >| products, we (my testing team) have discovered multiple
    >| backdoors in the latest of both mentioned products and some
    >| older versions we could acquire.
    >|
    >|
    >| These backdoors are very cleverly hidden (kudos to the
    >| authors), I personally don't condone illegally backdooring
    >| commercial products, and personally I don't think much of
    >| eEye but I must give credit to where credit is due.
    >|
    >|
    >| We have tested IRIS 3.7 and up they all appear to have a backdoor.
    >| We have verified the IRIS backdoor doesn't exist in versions
    >| prior to 3.0
    >|
    >|
    >| We have tested SecureIIS 2.0 and up they all appear to have a
    >| backdoor.
    >| We have verified that SecureIIS 1.x series does not have this
    >| specific backdoor.
    >|
    >| Bringing the backdoors to light:
    >|
    >| After long testing we discovered the exact sequences used to
    >| active the backdoor. Unfortunately, we can't release the
    >| "exploits" publically due to the severity of these flaws. But
    >| incomplete examples will be given.
    >|
    >|
    >|
    >| The IRIS Backdoor:
    >|
    >| This one is quite interesting. We have discovered that
    >| sending a specifically crafted UDP datagram to a IRIS host
    >| *directly* (not through the wire or to host on the network
    >| segment) with certain IP options set and a certain magic
    >| value at a undisclosed offset in the payload will bind a
    >| shell to the source port specified in the UDP datagram.
    >|
    >| [snip]
    >|
    >|
    >| The SecureIIS Backdoor:
    >|
    >| The SecureIIS backdoor was alot easier to discover but very
    >| well placed. The SecureIIS backdoor is triggered by a
    >| specifically crafted HTTP HEAD request. Here is a incomplete
    >| layout of how to exploit this:
    >|
    >|
    >| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
    >|
    >| PORT - Will be the port to bind a shell.
    >| ADDRESS - Address for priority binding (0 - For any).
    >|
    >|
    >| [snip]
    >|
    >|
    >|
    >| Local Deduction:
    >|
    >| There are a two possiblilites here, either eEye's code has
    >| been altered by some attacker or this has been sanctioned by
    >| the company (or at least the developers were fully aware of this).
    >|
    >|
    >|
    >| Conclusion:
    >|
    >| It is very very shameful that a somewhat reputable like eEye
    >| is acting in a very childish, unprofessional manner. I figure
    >| that is why the code is closed source. There are several
    >| active exploits available that I (the author of this
    >| advisory) didn't create floating around. The only logical
    >| solution will be to not use the mentioned eEye products for
    >| the time being or at least downgrade to the non-backdoored versions.
    >|
    >| We will be investigation eEye's Blink Product for any
    >| clandestine backdoors.
    >|
    >| _________________________________________________________________
    >| FREE pop-up blocking with the new MSN Toolbar - get it now!
    >| http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
    >|
    >| _______________________________________________
    >| Full-Disclosure - We believe in it.
    >| Charter: http://lists.netsys.com/full-disclosure-charter.html
    >|

    _________________________________________________________________
    FREE pop-up blocking with the new MSN Toolbar get it now!
    http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: xyberpix: "Re: [Full-Disclosure] Again: zone transfers, a spammer's dream?"

    Relevant Pages