Full Disclosure mailing list archives
Re: Multiple Backdoors found in eEye Products (IRIS and Secure
From: "Lance Gusto" <thegusto22 () hotmail com>
Date: Wed, 29 Dec 2004 21:03:02 +0000
Hey Dave,I cannot disclosed much information (based on request/threats made by certain organizations
whom may be involved) I am sure you can understand.But we have tested Iris versions 3.0 and up ... As I previously stated it doesn't appear to
exist in the 2.x series of Iris.I am not the main tester involved here, but I was told that there is some sort of clandestine chaining mechanism to create the processes I believe. I will provide the "lists" I have sent this too with more information as soon as some of the other testers involved come back from their
respective holiday breaks.
From: Dave Aitel <dave () immunitysec com> To: Lance Gusto <thegusto22 () hotmail com>Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS)Date: Wed, 29 Dec 2004 11:29:55 -0500The SecureIIS Backdoor: The SecureIIS backdoor was alot easier to discover but very well placed. The SecureIIS backdoor is triggered by a specifically crafted HTTP HEAD request. Here is a incomplete layout of how to exploit this:Which version did you test? I'm not seeing it, or any intermodular calls to CreateProcess in the DLL that it loads up.-daveHEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1 PORT - Will be the port to bind a shell. ADDRESS - Address for priority binding (0 - For any). [snip] Local Deduction: There are a two possiblilites here, either eEye's code has been altered by some attacker or this has been sanctioned by the company (or at least the developers were fully aware of this). Conclusion: It is very very shameful that a somewhat reputable like eEye is acting in a very childish, unprofessional manner. I figure that is why the code is closed source. There are several active exploits available that I (the author of this advisory) didn't create floating around. The only logical solution will be to not use the mentioned eEye products for the time being or at least downgrade to the non-backdoored versions.We will be investigation eEye's Blink Product for any clandestine backdoors._________________________________________________________________FREE pop-up blocking with the new MSN Toolbar get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_________________________________________________________________Dont just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Lance Gusto (Jan 06)
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Dave Aitel (Jan 02)
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Blue Boar (Jan 06)
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Paul Schmehl (Jan 06)
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Blue Boar (Jan 06)
- Re: Multiple Backdoors found in eEye Products (IRIS and Secure Dave Aitel (Jan 02)