Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day
- From: "Anders Klixbull" <akl@xxxxxxxxxxx>
- Date: Tue, 4 Nov 2008 10:09:54 +0100
Shut up
-----Original Message-----
From: Adrian P [mailto:unknown.pentester@xxxxxxxxx]
Sent: 1. november 2008 04:05
To: Fionnbharr
Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Universal Website Hijacking by Exploiting
Firewall Content Filtering Features + SonicWALL firewalls 0day
Hi Fionnbharr,
Well, that's fair enough. tbh, I couldn't find older examples, but this
is one of the points of sending a post to the lists: other people can
review it and give feedback. I just sometimes wished people were more
constructive on FD.
Regarding the paper, well, it can be useful for people who want to find
a similar issue in their firewall/proxy appliances. Don't you think?
No need to call anyone names IMO. And please, why do people keep
attacking Kaminsky? He has greatly contributed to the infosec community
so please give him some credit!
Thanks for your email anyway. Perhaps, you could have expressed yourself
in a less aggressive/more constructive manner?
Regards,
ap.
On Fri, Oct 31, 2008 at 10:18 PM, Fionnbharr <thouth@xxxxxxxxx> wrote:
Sure, this attack vector has been 'discovered' by lots of people in
the past, or even concurrently, that's my point. It doesn't merit a
whole paper on it. Not to mention you're getting on the FUD/Kaminsky
bandwagon when GNUtards release a statement like 'New technique to
universally hijack websites', trying to get some media attention for
something everyone else already knew.
re: the bluecoat vuln, if you read my post I just said it was a recent
(or as you might put it, *recent*) example of this type of
vulnerability. I've this sort of vuln myself with client software and
so have a number of other people I know. Glad to see the majority of
your email is completely irrelevant.
2008/11/1 Adrian P <unknown.pentester@xxxxxxxxx>:
Hello Fionnbharr,
Please see my response to your comments in-line.
On Fri, Oct 31, 2008 at 8:31 AM, Fionnbharr <thouth@xxxxxxxxx> wrote:
This isn't new. It isn't even a technique.
http://www.bluecoat.com/support/securityadvisories/icap_patience
A very recent example of this kind of vulnerability. My god you
gnucitizen people are retarded. At least you didn't give it a
ridiculous name like 'clickjacking'. Can you GNUtards please keep
your 'research' into subjects people already know to yourself or at
least not post it to the lists, then at least I won't have to see it.
That Bluecoat advisory was released on 29 September 2008. What makes
you think that I did not discover the SonicWALL vulnerability/vector
and reported it to ZDI *way before* that date? Well, FYI I reported
it to ZDI in June 2008 and discovered it even before.
At least, you should consider the possibility of the attack vector
being discovered by two researchers concurrently. It can take quite a
few months before the vendor provides a patch, not to mention that
SonicWALL was VERY slow to confirm the vulnerability.
Don't you know that responsible disclosure means that the details of
a vulnerability can be held for quite a while before being released
to the public? Since when is the publishing date of an advisory equal
to the discovery date?
Furthermore, it appears that Bluecoat only released their advisory
*after* the researcher jplopezy made his advisory public, which could
suggest that he did NOT inform the vendor before releasing the
details:
http://www.securityfocus.com/archive/1/496940/30/0/threaded
It's also interesting that the researcher released the advisory
(bugtraq post) one day *after* I published the general description of
the attack:
June 25th, 2008.
ZDI forwards my findings to SonicWALL (see "Disclosure Timeline"):
http://www.zerodayinitiative.com/advisories/ZDI-08-070/
September 20th, 2008.
I publish the general description of the attack:
http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/
September 21st, 2008.
Researcher jplopezy finds the same attack vector on BlueCoat's web
filter:
http://www.securityfocus.com/archive/1/496577/30/0/threaded
Notice jplopezy published the bugtraq post *one day after* I
published the general attack description on GNUCITIZEN. Interesting?
Please do your homework before making any accusations.
Also "Malaysia: Cracking into Embedded Devices and Beyond!", who the
*** uses the word 'cracking' instead of 'hacking' in 2008? Sure for
cracking passwords, but wow.
Can't you accept the idea that some of us still consider hacking and
breaking into a system not necessarily the same thing?
Regards,
ap.
2008/10/31 Adrian P <unknown.pentester@xxxxxxxxx>:
Hello folks,
Yesterday, I presented for the first time [1] a new method to
perform universal website hijacking by exploiting content filtering
features commonly supported by corporate firewalls. I briefly
discussed [2] the finding on GNUCITIZEN in the past without giving
away the details, but rather mentioning what the attacker can do
and some characteristics of the attack.
Anyway, I'm now releasing full details on how the technique works,
and a real 0day example against SonicWALL firewalls.
The paper can be found on the GNUCITIZEN labs site. Please let me
know if you can successfully use the same technique against
firewalls by other vendors:
http://sites.google.com/a/gnucitizen.org/lab/research-papers
Finally, I'd like to thank Zero Day Initiative [3] for their great
work and the Hack in the Box crew for organizing such a fine event!
Regards,
ap.
REFERENCES
[1] "HITBSecConf2008 - Malaysia: Cracking into Embedded Devices and
Beyond!"
http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=186
[2] "New technique to perform universal website hijacking"
http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/
[3] "SonicWALL Content-Filtering Universal Script Injection
Vulnerability"
http://www.zerodayinitiative.com/advisories/ZDI-08-070/
--
Adrian "pagvac" Pastor | GNUCITIZEN gnucitizen.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/