RE: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureI
From: Lance Gusto (thegusto22_at_hotmail.com)
To: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org Date: Thu, 30 Dec 2004 03:00:33 +0000
Hey Marky Mark and the Funky Bunch,
I will make this short and sweet (I know you have some hair dying to
If you have no backdoors in your products then I guess you have nothing to
worry about... :)
I would have a real "debate" with you, but your clearly UNARMED. :)
I have to say your products are (not) great, they *really* (un)secure
Your company is also the leading authority on (pseudo) security....
is (not) over!.
Personally I should say: "Lose the weight and you just might gain a clue."
Squeeze through Mr. Marky Mark (CHO)
>From: "Marc Maiffret" <email@example.com>
>To: "Lance Gusto" Date: Wed, 29 Dec 2004 17:33:11 -0800
>Hi Lance Gusto,
>It is really interesting that someone with such a disdain for my company
>would go out of their way to spam out an email about a supposed backdoor
>within our products, choose not to contact us ahead of time, and then
>provide no real details to prove your claim... Ahhh but wait, you chose
>not to provide any details because you're a "good guy". As you said:
>"Unfortunately, we can't release the "exploits" publicly due to the
>severity of these flaws." Right.
>The reason you could not provide any real details about these backdoors
>are because there are no backdoors in Iris nor SecureIIS.
>While I would not wish to give someone like you the time of day nor 15
>minutes of infamy, eEye does take every security claim very seriously.
>We have performed an audit of SecureIIS and Iris code to re-verify what
>we already knew, that there are no backdoors in either of them.
>It is quite possible that you downloaded fake warez versions of our
>products from peer-to-peer networks which someone might have put there
>to trick people and put backdoors on their systems. However, if such
>warez product versions existed they would not be from eEye as we do not
>distribute our software on peer-to-peer networks nor recommend people
>downloading warez versions from there. Get your warez from a trusted
>distributor. ;-) If you would have contacted us we could have saved you
>the embarrassment... But then you are sending emails from Hotmail
>through a proxy at a university in Germany so I seriously doubt you care
>if your persona "Lance Gusto" gets embarrassed on public mailing lists.
>These backdoors are as much of a reality as Santa Claus but then you
>seem to be childish enough that you probably still believe in the jolly
>red man. Maybe next you can follow-up your humors eMail with a spoofed
>advisory about a backdoor you found in Rudolph "the red nosed reindeer".
>At least then you could promote yourself from being a coward to a
>Thank you, please drive through.
>Chief Hacking Officer
>eEye Digital Security
>http://eEye.com/Blink - End-Point Vulnerability Prevention
>http://eEye.com/Retina - Network Security Scanner
>http://eEye.com/Iris - Network Traffic Analyzer
>http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>Important Notice: This email is confidential, may be legally privileged,
>and is for the intended recipient only. Access, disclosure, copying,
>distribution, or reliance on any of it by anyone else is prohibited and
>may be a criminal offense. Please delete if obtained in error and email
>confirmation to the sender. P.S. I'm going to tell you this for your own
>benefit, your email was dope as hell especially since you faked 90
>percent of it. What you need to do is practice on your freestyle before
>you come up missing like triple m's police file.
>| -----Original Message-----
>| From: firstname.lastname@example.org
>| [mailto:email@example.com] On Behalf
>| Of Lance Gusto
>| Sent: Tuesday, December 28, 2004 8:12 PM
>| To: firstname.lastname@example.org;
>| email@example.com; firstname.lastname@example.org;
>| email@example.com; firstname.lastname@example.org
>| Subject: [Full-Disclosure] Multiple Backdoors found in eEye
>| Products (IRISand SecureIIS)
>| Multiple Backdoors found in eEye Products (IRIS and
>| SecureIIS) L. Gusto <email@example.com>
>| During meticulous testing of both eEye's IRIS and SecureIIS
>| products, we (my testing team) have discovered multiple
>| backdoors in the latest of both mentioned products and some
>| older versions we could acquire.
>| These backdoors are very cleverly hidden (kudos to the
>| authors), I personally don't condone illegally backdooring
>| commercial products, and personally I don't think much of
>| eEye but I must give credit to where credit is due.
>| We have tested IRIS 3.7 and up they all appear to have a backdoor.
>| We have verified the IRIS backdoor doesn't exist in versions
>| prior to 3.0
>| We have tested SecureIIS 2.0 and up they all appear to have a
>| We have verified that SecureIIS 1.x series does not have this
>| specific backdoor.
>| Bringing the backdoors to light:
>| After long testing we discovered the exact sequences used to
>| active the backdoor. Unfortunately, we can't release the
>| "exploits" publically due to the severity of these flaws. But
>| incomplete examples will be given.
>| The IRIS Backdoor:
>| This one is quite interesting. We have discovered that
>| sending a specifically crafted UDP datagram to a IRIS host
>| *directly* (not through the wire or to host on the network
>| segment) with certain IP options set and a certain magic
>| value at a undisclosed offset in the payload will bind a
>| shell to the source port specified in the UDP datagram.
>| The SecureIIS Backdoor:
>| The SecureIIS backdoor was alot easier to discover but very
>| well placed. The SecureIIS backdoor is triggered by a
>| specifically crafted HTTP HEAD request. Here is a incomplete
>| layout of how to exploit this:
>| HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
>| PORT - Will be the port to bind a shell.
>| ADDRESS - Address for priority binding (0 - For any).
>| Local Deduction:
>| There are a two possiblilites here, either eEye's code has
>| been altered by some attacker or this has been sanctioned by
>| the company (or at least the developers were fully aware of this).
>| It is very very shameful that a somewhat reputable like eEye
>| is acting in a very childish, unprofessional manner. I figure
>| that is why the code is closed source. There are several
>| active exploits available that I (the author of this
>| advisory) didn't create floating around. The only logical
>| solution will be to not use the mentioned eEye products for
>| the time being or at least downgrade to the non-backdoored versions.
>| We will be investigation eEye's Blink Product for any
>| clandestine backdoors.
>| FREE pop-up blocking with the new MSN Toolbar - get it now!
>| Full-Disclosure - We believe in it.
>| Charter: http://lists.netsys.com/full-disclosure-charter.html
FREE pop-up blocking with the new MSN Toolbar – get it now!
Full-Disclosure - We believe in it.