FW: HP Full Disclosure Story (fwd)

[full-disclosure () lists netsys com (hellNbak)]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

------=_NextPart_000_000C_01C24A80.D7BEF300
Content-Type: TEXT/PLAIN; CHARSET=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <NMRC.666.6.66.0208231031402.12501 () www nmrc org>

Note to HP - Please take the resume I (Steve Manzuik) was asked to submit
to your Canadian consulting practice a few months ago and shove it directly
up Dan Grove's and the rest of your so called security teams collective
asses with no lube.  I would rather flip burgers than lower myself to even
considering working for an organization such as yours.

Furthermore, I have forwarded the attached email to *ALL* of my clients
which include fortune 100 and fortune 500 organizations in the United
States and Canada.  Your use of September 11th to try and scare a
legitimate researcher, who has in the past proven to be very responsible,
is pathetic and a shoddy attempt at trying to force Tamer Sahin into not
releasing his findings and therefore saving HP the time, effort, and money
to fix something they should have done right in the first place.

You suck.

--=20
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-

---------- Forwarded message ----------
Date: Fri, 23 Aug 2002 08:41:06 -0700
From: Steve <steve () entrenchtech com>
To: steve () entrenchtech com
Subject: FW: [Full-disclosure] HP Full Disclosure Story

Read the attached text. It is scary how HP is using Sept. 11 and several
of the reactionary Sept 11 fear laws to threaten a security researcher
who, 1.)  Doesn't even reside in the USA, and 2.) Has a history of being
responsible with handling his vulnerabilities.  Makes me wonder if HP
isn=92t going to try and sue Tamer or have him charged under the US DMCA
like they did to Snosoft.

> Hello Folks,
> =A0
> In January, have found a security hole in HP AdvanceStack
> switches. This
> vulnerability affected 8 different swicth models. There had been an
> interesting mail traffic between HP Security Response Team
> and me. I compiled
> it from my mail archive lastly and I thought that it would take your
> attention.
> =A0
> Best Regards;
> =A0
> Tamer Sahin
> http://www.securityoffice.net

------=_NextPart_000_000C_01C24A80.D7BEF300
Content-Type: TEXT/PLAIN; NAME="hp.txt"
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <NMRC.666.6.66.0208231031403.12501 () www nmrc org>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="hp.txt"

*************************************************************************=
*******************=0A=
I a sending my first security anouncement to security-alert () hp com and i =
am specifying=0A=
that in at least 4 days, if there is no response, i will publish this =
vulnerebility without=0A=
any patch. (this time is like a law that is not ruled. in "vulnerability =
disclosure" procedure)=0A=
*************************************************************************=
*******************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From: ts () securityoffice net=0A=
To: security-alert () hp com=0A=
=0A=
Hewlett Packard AdvanceStack Switch Managment Authentication Bypass =
Vulnerability=0A=
=0A=
Type:=0A=
Access Validation Error=0A=
=0A=
Release Date:=0A=
January 29, 2002=0A=
=0A=
Product / Vendor:=0A=
HP AdvanceStack 10Base-T Switching Hubs combine economical 10Base-T=0A=
functionality with the performance of switching. Each switching hub=0A=
starts out as a simple, single-segment, shared 10Base-T hub.=0A=
=0A=
http://www.hp.com=0A=
=0A=
Summary:=0A=
A problem with the HP switch allows some users to change=0A=
configuration of the switch. A bug introduced in the HP AdvanceStack=0A=
J3210A that could allow users full access on the switch. Upon taking=0A=
advantage of this vulnerability, the user could change the=0A=
configuration of the switch and could change admin password.=0A=
=0A=
Therefore, it is possible for a superuser password changing with=0A=
unprivileged access on the switch to gain elevated privileges, and=0A=
potentially change configuration of the switch.=0A=
=0A=
An attacker can get unauthorized access to the switch read/write=0A=
password change page this page http://host/security/web_access.html=0A=
and change superuser password. Connect superuser privileged via Web=0A=
or Telnet.=0A=
=0A=
Tested:=0A=
HP J3210A AdvanceStack=0A=
=0A=
Vulnerable:=0A=
HP J3210A AdvanceStack=0A=
=0A=
Policy:=0A=
This vulnerability is explained to the HP <security-alert () hp com>=0A=
mail adress via email at January 29, 2002. It won't be published to=0A=
the public eye before I receive a mail about correcting this=0A=
vulnerability. But if I don't get a reply within 4 days, this=0A=
security notification will be announced without any information to=0A=
HP.=0A=
=0A=
Disclaimer:=0A=
http://www.securityoffice.net is not responsible for the misuse or=0A=
illegal use of any of the information and/or the software listed on=0A=
this security advisory.=0A=
=0A=
Author:=0A=
Tamer Sahin=0A=
ts () securityoffice net=0A=
http://www.securityoffice.net=0A=
=0A=
Tamer Sahin=0A=
http://www.securityoffice.net=0A=
PGP Key ID: 0x2B5EDCB0 Fingerprint:=0A=
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
=0A=
**********************************************=0A=
Their response: they wanted time over 4 days=0A=
**********************************************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From: security-alert () hp com=0A=
To: ts () securityoffice net=0A=
=0A=
Hello Tamer,=0A=
=0A=
Thanks for the notification.  We are investigating the issue now.=0A=
Hopefully this message is the response you were looking for by=0A=
the four day deadline.=0A=
=0A=
If you need to e-mail more details please use the=0A=
security-alert PGP key, available from your local key=0A=
server, or by sending a message with a -subject- (not body)=0A=
of 'get key' (no quotes) to security-alert () hp com.=0A=
=0A=
=0A=
Yours truly,=0A=
John=0A=
***********************************************************=0A=
* John Morris  HP Security Team - X11 and Graphics        *=0A=
* Atlanta (404) 648-2185      e-mail: john_morris () hp com *=0A=
***********************************************************=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
=0A=
*********************************************************************=0A=
And a week passes and there is no response from HP SECURITY RESPONSE =
TEAM.=0A=
I send a mail and i say them that the time passes over and=0A=
if they do not publish a patch i will publish the hole in the security=0A=
mailing lists. Upon this, the opposite site understands this mail as a=0A=
threat with no meaning.And responds me with nonsense style. with words =
such;=0A=
we are 50 billion dollared company...etc... (I could not find the mail =
that=0A=
i have written about "4 day time" in my mail archieve,so i could not =
paste it here)=0A=
**********************************************************************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From: security-alert () hp com=0A=
To: ts () securityoffice net=0A=
=0A=
IMPORTANT - PLEASE READ:=0A=
This e-mail message and any files transmitted with=0A=
it are intended solely for the addressee and are=0A=
confidential. Copyright in them is reserved by=0A=
dan_grove () hp com, and you may not copy, publish=0A=
or use them in any way without pgp signed permission=0A=
from dan_grove () hp com.=0A=
=0A=
Hi Tamer,=0A=
=0A=
I'm sorry to see the threatening tone in your message.=0A=
=0A=
We did reply, and you are making the assumption that your=0A=
issue is the only one we have to work on, and that it is=0A=
the most important.=0A=
=0A=
Regardless, we do not respond to threats of publishing=0A=
exploits, and we do not give out advance patch code unless=0A=
we need it to be beta tested, which is rare. We work on the=0A=
issues based on their severity in relation to the other issues,=0A=
and in most cases publish an HP Security Bulletin when the=0A=
tested solution is ready for customers to use.=0A=
=0A=
Let me be very candid here, you are not the first to assume=0A=
that a $50 billion corporation will drop all the other security=0A=
issues we are working on in order to work on yours because=0A=
you threaten to publish. It has never changed the course of=0A=
our work internally; we will continue to work on the issue=0A=
until it is tested and finished.=0A=
=0A=
If you decide not to publish, we would appreciate it. If you do=0A=
publish then, worst case, all that will be accomplished is=0A=
that you may cause a business somewhere to be compromised,=0A=
and they may turn to you or your company for compensation for=0A=
their financial losses. In the best case, due to September 11, 2001,=0A=
you may end up on various government agencies' "watch lists,"=0A=
and your potential career in the computer business may be=0A=
altered in ways you did not intend.=0A=
=0A=
The choice is yours. We are doing our job ethically in solving the=0A=
issue. Are you doing yours to protect businesses worldwide?=0A=
=0A=
_______________Dan Grove______________=0A=
___HP S/W Security Team Coordinator___=0A=
__Worldwide Technology Expert Center__=0A=
_______Hewlett-Packard Company________=0A=
___________dan_grove@hp.com___________=0A=
______In Cyberspace, be afraid,_______=0A=
__________ be very afraid!"___________=0A=
______________________________________=0A=
__Reach us at:=0A=
 <mailto:security-alert () hp com>=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
=0A=
***************************************************=0A=
Later, here is my answer to the Security Chief who=0A=
found my mail so threatening..=0A=
***************************************************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From:  ts () securityoffice net=0A=
To: security-alert () hp com=0A=
=0A=
Hi Dan,=0A=
=0A=
First of all I couldn't understand your threatening attitude. The=0A=
reason for my earlier mail was taking information about a subject.=0A=
And you are in a completely threatening manner. I would have=0A=
published this anouncement without waiting for your patch to be=0A=
released, if I wished... But if you are hiding behind your big=0A=
corporation and threatening me, this is really ridiculous and thought=0A=
provoking...=0A=
=0A=
I won't publish this anouncement and waiting reply for your solution=0A=
or a patch.=0A=
=0A=
We have published several anouncements before for companies like=0A=
Microsoft and AOL. But as big as your company's, HP, reply to this=0A=
case taught me how HP approaches deformed...=0A=
=0A=
Tamer Sahin=0A=
http://www.securityoffice.net=0A=
PGP Key ID: 0x2B5EDCB0 Fingerprint:=0A=
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
=0A=
****************************************************=0A=
Later, the man gets more aggressive and  tries to frighten=0A=
me meaning that i could be in the blacklist of USA after 11=0A=
September just because to keep me away from publishing the=0A=
security anouncement about HP.=0A=
****************************************************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From: security-alert () hp com=0A=
To: ts () securityoffice net=0A=
=0A=
Hi Tamer,=0A=
=0A=
I'm sorry you perceived my previous message as threatening.=0A=
That is not the case - we are not threatening, but simply=0A=
setting expectations that we don't respond to threats of=0A=
publishing, and because the climate for security in general=0A=
has changed in the USA after September 11, 2001, we are=0A=
setting expectations for the possible results for you if=0A=
you do publish. When we deal with responsible security teams,=0A=
they do not send dated draft copies of what they are going to=0A=
publish, which would seem to indicate that they intend to=0A=
publish on that date.=0A=
=0A=
I am glad you are not publishing, but to further set expectations,=0A=
we do not discuss anything with the submitter (dates for=0A=
patches, timelines, our solution, etc...) except if we have=0A=
further technical questions to help us understand the problem.=0A=
=0A=
We appreciate you raising the issue, and will be happy to work=0A=
with you if needed on this issue, but we will not respond to=0A=
publishing threats that put our customer base at risk.=0A=
=0A=
I am currently out of my office until February 11th, and can=0A=
only get on line randomly as I'm traveling in the western USA.=0A=
So please send all communication to securtiy-alert () hp com=0A=
so that the team in the office sees the emails and can respond.=0A=
=0A=
_______________Dan Grove______________=0A=
___Member Board of Directors FIRST____=0A=
___Member Steering Committee FIRST____=0A=
____Chief Financial Officer FIRST_____=0A=
_______ http://www.first.org _________=0A=
___HP S/W Security Team Coordinator___=0A=
__Worldwide Technology Expert Center__=0A=
_______Hewlett-Packard Company________=0A=
___________dan_grove@hp.com___________=0A=
______650-691-8611 (telecommuter)_____=0A=
______In Cyberspace, be afraid,_______=0A=
__________ be very afraid!"___________=0A=
______________________________________=0A=
__Reach us at security-alert@hp.com___=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
=0A=
*****************************************************=0A=
Just after this mail i published the security alert on=0A=
my site and other secuity sites. and instantaneously,=0A=
after 2 days, they puslished the security anouncement.=0A=
That is to say, they can be so fast if they want!!=0A=
*****************************************************=0A=
=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=
From: security-alert () hp com=0A=
To: ts () securityoffice net=0A=
=0A=
HPSBUX0202-185: Sec. Vulnerability with HP AdvanceStack hubs=0A=
Published: Feb 12, 2002=0A=
Updated: Feb 12, 2002=0A=
=0A=
Document ID:  HPSBUX0202-185=0A=
Date Loaded:  20020212=0A=
Title:  Sec. Vulnerability with HP AdvanceStack hubs=0A=
=0A=
-----------------------------------------------------------------=0A=
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #0185,=0A=
Originally issued: 12 Feb. 2002=0A=
-----------------------------------------------------------------=0A=
=0A=
The information in the following Security Advisory should be acted=0A=
upon as soon as possible.  Hewlett-Packard Company will not be=0A=
liable for any consequences to any customer resulting from customer's=0A=
failure to fully implement instructions in this Security Advisory as=0A=
soon as possible.=0A=
=0A=
------------------------------------------------------------------=0A=
PROBLEM:  Security vulnerability when managing HP Switching=0A=
Hubs with a web browser.=0A=
=0A=
PLATFORM: HP AdvanceStack J3200A, J3201A, J3202A, J3203A, J3204A,=0A=
J3205A, J3210A with firmware version A.03.02.=0A=
=0A=
DAMAGE:   Gain elevated privileges=0A=
=0A=
SOLUTION: Until a fix is available, work around the problem as=0A=
documented below.=0A=
=0A=
MANUAL ACTIONS: Disable web access or remove the management IP=0A=
address.=0A=
=0A=
AVAILABILITY:  This advisory will be updated when a fix is=0A=
available.=0A=
=0A=
 ------------------------------------------------------------------=0A=
A. Background=0A=
The following are vulnerable:=0A=
=0A=
J3210A -- HP AdvanceStack 10BT Management Pack Module for use=0A=
with HP AdvanceStack Switching Hubs=0A=
J3200A -- HP Advancestack 10Base-T S Hub-12R*=0A=
J3201A -- HP AdvanceStack 10BT-S Hub-12R w/Mgmt=0A=
J3202A -- HP AdvanceStack 10Base-T S Hub-24R*=0A=
J3203A -- HP AdvanceStack 10BT-S Hub-24R w/Mgmt=0A=
J3204A -- HP AdvanceStack 10Base-T S Hub-24T*=0A=
J3205A -- HP AdvanceStack 10BT-S Hub-24T w/Mgmt=0A=
* This product is not affected unless J3210A is installed within.=0A=
=0A=
The vulnerable firmware version is A.03.02.=0A=
=0A=
B. Fixing the problem=0A=
There are two ways to work around the problem:=0A=
=0A=
1. Disable web access using telnet or RS-232 interface=0A=
a. Telnet or console into switch=0A=
b. Type "me" for menu=0A=
c. Hit "2" for Management Access Configuration=0A=
d. Hit "6" for Web enable/disable (verify it is disabled)=0A=
=0A=
2. Remove the management IP address=0A=
a. Telnet or console into switch=0A=
b. Type "me" for menu=0A=
c. Hit "2" for Management Access Configuration=0A=
d. Hit "1" for IP Configuration=0A=
e. Hit "Y" to Change the IP configuration=0A=
f. Choose "D" to disable segment=0A=
g. Choose "D" to Disable (and verify it is disabled)=0A=
(Repeat F & G for each IP assigned-segment as necessary.)=0A=
=0A=
NOTE! Disabling IP while connected via telnet will disconnect=0A=
your session.=0A=
=0A=
C. Recommended solution=0A=
Until a fix is available work around the problem by either=0A=
disabling web access or removing the management IP address.=0A=
=0A=
=0A=
D. To subscribe to automatically receive future NEW HP Security=0A=
Bulletins from the HP IT Resource Center via electronic=0A=
mail, do the following:=0A=
=0A=
Use your browser to get to the HP IT Resource Center page at:=0A=
=0A=
http://itrc.hp.com=0A=
=0A=
Use the 'Login' tab at the left side of the screen to login=0A=
using your ID and password.  Use your existing login or the=0A=
"Register" button at the left to create a login, in order to=0A=
gain access to many areas of the ITRC.  Remember to save the=0A=
User ID assigned to you, and your password.=0A=
=0A=
In the left most frame select "Maintenance and Support".=0A=
=0A=
Under the "Notifications" section (near the bottom of=0A=
the page), select "Support Information Digests".=0A=
=0A=
To -subscribe- to future HP Security Bulletins or other=0A=
Technical Digests, click the check box (in the left column)=0A=
for the appropriate digest and then click the "Update=0A=
Subscriptions" button at the bottom of the page.=0A=
=0A=
or=0A=
=0A=
To -review- bulletins already released, select the link=0A=
(in the middle column) for the appropriate digest.=0A=
=0A=
To -gain access- to the Security Patch Matrix, select=0A=
the link for "The Security Bulletins Archive".  (near the=0A=
bottom of the page)  Once in the archive the third link is=0A=
to the current Security Patch Matrix. Updated daily, this=0A=
matrix categorizes security patches by platform/OS release,=0A=
and by bulletin topic.  Security Patch Check completely=0A=
automates the process of reviewing the patch matrix for=0A=
11.XX systems.=0A=
=0A=
For information on the Security Patch Check tool, see:=0A=
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/=0A=
displayProductInfo.pl?productNumber=3DB6834AA"=0A=
=0A=
The security patch matrix is also available via anonymous ftp:=0A=
=0A=
ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix=0A=
=0A=
On the "Support Information Digest Main" page:=0A=
click on the "HP Security Bulletin Archive".=0A=
=0A=
=0A=
To report new security vulnerabilities, send email to=0A=
=0A=
security-alert () hp com=0A=
=0A=
Please encrypt any exploit information using the=0A=
security-alert PGP key, available from your local key=0A=
server, or by sending a message with a -subject- (not body)=0A=
of 'get key' (no quotes) to security-alert () hp com.=0A=
Permission is granted for copying and circulating this=0A=
Advisory to Hewlett-Packard (HP) customers (or the Internet=0A=
community) for the purpose of alerting them to problems,=0A=
if and only if, the Advisory is not edited or changed in=0A=
any way, is attributed to HP, and provided such reproduction=0A=
and/or distribution is performed for non-commercial purposes.=0A=
=0A=
Any other use of this information is prohibited. HP is not=0A=
liable for any misuse of this information by any third party.=0A=
__________________________________________________=0A=
-----End of Document ID: HPSBUX0202-185-----=0A=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DSNIP=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=0A=

------=_NextPart_000_000C_01C24A80.D7BEF300--