Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS an

from [Daniel H. Renner] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
Date: Thu, 30 Dec 2004 22:00:55 -0800 
I recall an interview with a highly placed security executive back in
the later '90s.  In this interview he lamented being in the security
business in the United States with a line similar to:

"If you create and announce a security product in the United States, you
will very shortly have the NSA entering your premises and demanding 'Ok,
where is our backdoor?'"

And remember, eEye was started after one of it's co-founders woke up to
federal guns pointed at his head one fine morning, having been mistaken
as someone who had penetrated somewhere he shouldn't have.

Not to bash my own country here but, this leads to a question: How can
any security product, sub-product or service created in the U.S. hold
credibility even with the good intentions that the creators may have
originally had?
-- 
Cheers,

Dan
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


Original message:
----------------------------------------------------------------------


Date: Wed, 29 Dec 2004 04:11:30 +0000
From: "Lance Gusto" <thegusto22@hotmail.com>
Subject: [Full-Disclosure] Multiple Backdoors found in eEye Products
      (IRIS   and SecureIIS)
To: vuln-dev@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com,
      bugs@securitytracker.com, full-disclosure@lists.netsys.com,
      news-editor@securityfocus.com, press@net-security.org
Message-ID: <BAY2-F402493B090143E12AE0E88CC9B0@phx.gbl>
Content-Type: text/plain; format=flowed

Multiple Backdoors found in eEye Products (IRIS and SecureIIS)
L. Gusto <thegusto22@hotmail.com>


Summary:

During meticulous testing of both eEye's IRIS and SecureIIS products,
we (my testing team) have discovered multiple backdoors in the latest of
both mentioned products and some older versions we could acquire.


These backdoors are very cleverly hidden (kudos to the authors), I
personally don't condone illegally backdooring commercial products,
and personally I don't think much of eEye but I must give credit to
where credit is due.


We have tested IRIS 3.7 and up they all appear to have a backdoor.
We have verified the IRIS backdoor doesn't exist in versions prior
to 3.0


We have tested SecureIIS 2.0 and up they all appear to have a backdoor.
We have verified that SecureIIS 1.x series does not have this specific
backdoor.

Bringing the backdoors to light:

After long testing we discovered the exact sequences used to active
the backdoor. Unfortunately, we can't release the "exploits" publically
due to the severity of these flaws. But incomplete examples will
be given.



The IRIS Backdoor:

This one is quite interesting. We have discovered that sending a
specifically crafted UDP datagram to a IRIS host *directly* (not
through the wire or to host on the network segment) with certain IP
options set and a certain magic value at a undisclosed offset in the
payload will bind a shell to the source port specified in the UDP datagram.

[snip]


The SecureIIS Backdoor:

The SecureIIS backdoor was alot easier to discover but very well
placed. The SecureIIS backdoor is triggered by a specifically
crafted HTTP HEAD request. Here is a incomplete layout of how
to exploit this:


HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1

PORT          - Will be the port to bind a shell.
ADDRESS               - Address for priority binding (0 - For any).


[snip]



Local Deduction:

There are a two possiblilites here, either eEye's code has been
altered by some attacker or this has been sanctioned by the
company (or at least the developers were fully aware of this).



Conclusion:

It is very very shameful that a somewhat reputable like eEye is acting
in a very childish, unprofessional manner. I figure that is why the
code is closed source. There are several active exploits available that I
(the author of this advisory) didn't create floating around. The only
logical solution will be to not use the mentioned eEye products for the
time being or at least downgrade to the non-backdoored versions.

We will be investigation eEye's Blink Product for any clandestine backdoors.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Full-Disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS), Daniel H. Renner <=
Previous by Date:  Re: [Full-Disclosure] Multiple Backdoors found in eEye Products(IRISand SecureIIS), Roberto Muñoz
Next by Date:  Re: [Full-Disclosure] MySQL and the user "su", Kristian Koehntopp
Previous by Thread:  [Full-Disclosure] Multiple Backdoors found in eEye Products (IRISand SecureIIS), Shunryu Suzuki
Next by Thread:  [Full-Disclosure] Microsoft Data Access Dav1.1 PoC, CorryL
Indexes:  [Date] [Thread] [Top] [All Lists]