Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Multiple Backdoors found in eEye Products (IRIS and Secure

From: Dave Aitel <dave () immunitysec com>
Date: Sun, 02 Jan 2005 16:29:54 -0500
Well, for all who read this (and care) I tested a moderately old version of SecureIIS I have installed on some VM, and I didn't see any calls to CreateProcess anywhere in any of the eEye DLL's. Nor did I see any suspicious getprocaddr's/loadlibrarya's that would indicate a backdoor.
For those who might try this little game, eEye's secureIIS is basically a http_filter module that loads into Inetinfo which takes requests and passes them off to a ncalrpc service (the event bus, as they'd call it). It's going to get the request about 3 times during the course of events.
Of course, this sort of thing is basically impossible to disprove - especially without source. 

-dave


Lance Gusto wrote:



Hey Dave,
I cannot disclosed much information (based on request/threats made by certain organizations 
whom may be involved) I am sure you can understand.
But we have tested Iris versions 3.0 and up ... As I previously stated it doesn't appear to 
exist in the 2.x series of Iris.
I am not the main tester involved here, but I was told that there is some sort of clandestine chaining mechanism to create the processes I believe. I will provide the "lists" I have sent this too with more information as soon as some of the other testers involved come back from their 
respective holiday breaks.



From: Dave Aitel <dave () immunitysec com>
To: Lance Gusto <thegusto22 () hotmail com>
Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye Products (IRIS and SecureIIS) 
Date: Wed, 29 Dec 2004 11:29:55 -0500





The SecureIIS Backdoor:

The SecureIIS backdoor was alot easier to discover but very well
placed. The SecureIIS backdoor is triggered by a specifically
crafted HTTP HEAD request. Here is a incomplete layout of how
to exploit this:
Which version did you test? I'm not seeing it, or any intermodular calls to CreateProcess in the DLL that it loads up. 

-dave




HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1

PORT - Will be the port to bind a shell.
ADDRESS - Address for priority binding (0 - For any).


[snip]



Local Deduction:

There are a two possiblilites here, either eEye's code has been
altered by some attacker or this has been sanctioned by the
company (or at least the developers were fully aware of this).



Conclusion:

It is very very shameful that a somewhat reputable like eEye is acting
in a very childish, unprofessional manner. I figure that is why the
code is closed source. There are several active exploits available that I 
(the author of this advisory) didn't create floating around. The only
logical solution will be to not use the mentioned eEye products for the
time being or at least downgrade to the non-backdoored versions.
We will be investigation eEye's Blink Product for any clandestine backdoors. 

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html






_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: