Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS an

from [Lance Gusto] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and Secure
Date: Wed, 29 Dec 2004 21:03:02 +0000 

Hey Dave,


I cannot disclosed much information (based on request/threats made by certain organizations
whom may be involved) I am sure you can understand.

But we have tested Iris versions 3.0 and up ... As I previously stated it doesn't appear to
exist in the 2.x series of Iris.

I am not the main tester involved here, but I was told that there is some sort of clandestine
chaining mechanism to create the processes I believe. I will provide the "lists" I have sent this
too with more information as soon as some of the other testers involved come back from their
respective holiday breaks.


From: Dave Aitel <dave@immunitysec.com>
To: Lance Gusto <thegusto22@hotmail.com>
Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
Date: Wed, 29 Dec 2004 11:29:55 -0500




The SecureIIS Backdoor:

The SecureIIS backdoor was alot easier to discover but very well
placed. The SecureIIS backdoor is triggered by a specifically
crafted HTTP HEAD request. Here is a incomplete layout of how
to exploit this:


Which version did you test? I'm not seeing it, or any intermodular calls to CreateProcess in the DLL that it loads up.

-dave



HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1

PORT - Will be the port to bind a shell.
ADDRESS - Address for priority binding (0 - For any).


[snip]



Local Deduction:

There are a two possiblilites here, either eEye's code has been
altered by some attacker or this has been sanctioned by the
company (or at least the developers were fully aware of this).



Conclusion:

It is very very shameful that a somewhat reputable like eEye is acting
in a very childish, unprofessional manner. I figure that is why the
code is closed source. There are several active exploits available that I
(the author of this advisory) didn't create floating around. The only
logical solution will be to not use the mentioned eEye products for the
time being or at least downgrade to the non-backdoored versions.

We will be investigation eEye's Blink Product for any clandestine backdoors.

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar ? get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and Secure, Lance Gusto <=
Previous by Date:  RE: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS), Marc Maiffret
Next by Date:  [Full-Disclosure] Trivial Bug in Symantec Security Products, J. Oquendo
Previous by Thread:  RE: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS), Marc Maiffret
Next by Thread:  [Full-Disclosure] Trivial Bug in Symantec Security Products, J. Oquendo
Indexes:  [Date] [Thread] [Top] [All Lists]