GOBBLES Reflection on the msn666 Hole
From: gobbles () hushmail com
Date: Sat, 15 Jun 2002 09:33:02 -0700
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday, June 13th, a mail appeared on the Bugtraq (do not confuse with Bugtraq.org) mailing list titled,
"Sensitive IM Security - MSN Message Sniffing". Someone brought it to our attention on IRC (greets to all our friends
in #!GOBBLES, and all our friends who have been with us there), and we took a look at the code.
A few minutes later, we sent the author email concerning the insecure sscanf() statement in his code, and suggested that
he fix it (along with many other problems in the code). His response: "There is no problem." One of his friends, from
underground.co.kr, suggested to us that this was an intentional feature, and that there had already been discussion of
compromising hosts, targeted from the IPs in the access_logs.
We then immediately wrote up an advisory/alert and sent it out to the mailing lists. We received immediate criticism.
This is expected, however, for any of our actions. We're doing a good job of making friends in this security world,
although we are quite famous, and in the end that's really all that matters.
Soon, the author of msn666 posted to the mailing lists stating "there is no problem", and also indicating that even
if there was a bug, it wouldn't be significant because no one will "use this as a server like apache or mysql", which
is quite nonsensical to us. It's a sniffer, not a daemon. Look at the massive (in)security history with tcpdump --
again, not a daemon, but a process that can be _REMOTELY_EXPLOITED_.
After this dialogue, we quickly wrote up a second advisory, and published a fully working proof-of-concept exploit.
And yet, the author continues to deny the existence of a bug.
Look, if it wasn't actually a "backdoor", and was just lame coding, we apologize for the statements we made, and will
give your underground.or.kr friend hell for lying to us about your true motivations. However, seeing as how you've
handled it since then, it'll be hard to convince us that we're wrong -- logic is on our side.
As of today, the hole is still present in msn666. Maybe it'll get patched.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
-----END PGP SIGNATURE-----
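The post's technical point is that an unbounded sscanf() in a sniffer is remotely reachable: the process parses whatever a peer puts on the wire, listening socket or not. The C below is an added illustration of that bug class and of the bounded form of the same call; it is not msn666's source, the message shapes are constructed to look like MSNP commands rather than captured traffic, and every function name here is the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 8   /* deliberately small so the overlong case is easy to see */

/*
 * Generic form of the bug class (hypothetical illustration, not msn666's
 * actual code): "%s" carries no field width, so whoever controls the bytes
 * on the wire controls how far past cmd[] the write goes. A sniffer parses
 * every peer's traffic, so this is remotely triggerable with no daemon at
 * all. Kept only for contrast; never feed it untrusted input.
 */
int parse_cmd_unbounded(const char *payload, char cmd[CMD_MAX])
{
    return sscanf(payload, "%s", cmd) == 1 ? 0 : -1;
}

/*
 * Bounded form: the field width is derived from the caller's buffer size
 * so the two cannot drift apart, and %n records where the token ended so a
 * token silently cut short by the width (the sender put more bytes on the
 * wire than fit) is rejected instead of being parsed as a shorter,
 * valid-looking command.
 */
int parse_cmd_bounded(const char *payload, char *cmd, size_t cmdlen)
{
    char fmt[32];
    int end = -1;

    if (payload == NULL || cmd == NULL || cmdlen < 2)
        return -1;
    /* builds e.g. "%7s%n" for an 8-byte buffer */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", cmdlen - 1);
    if (sscanf(payload, fmt, cmd, &end) != 1 || end < 0)
        return -1;
    if (payload[end] != '\0' && !isspace((unsigned char)payload[end]))
        return -1;   /* token longer than cmdlen-1: malformed, drop the line */
    return 0;
}

/* Convenience check: does the bounded parser accept `line` and yield `expect`? */
int bounded_yields(const char *line, const char *expect)
{
    char cmd[CMD_MAX];
    return parse_cmd_bounded(line, cmd, sizeof cmd) == 0 && strcmp(cmd, expect) == 0;
}

/* Constructed sample lines in the shape of MSNP commands, not captured traffic. */
static const char *const sample_lines[] = {
    "MSG alice@example.com Alice 133",
    "CHG NLN",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",   /* overlong verb: overruns cmd[] in the unbounded form */
    "",
};

/* Runs the bounded parser over the samples; returns how many were accepted. */
int count_accepted(void)
{
    int accepted = 0;
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        char cmd[CMD_MAX];
        if (parse_cmd_bounded(sample_lines[i], cmd, sizeof cmd) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    char cmd[CMD_MAX];
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++)
        printf("%-36s -> %s\n", sample_lines[i],
               parse_cmd_bounded(sample_lines[i], cmd, sizeof cmd) == 0 ? cmd : "rejected");
    return 0;
}
```

The width-plus-%n check matters because a bare "%7s" fix stops the overflow but still turns a 32-byte token into a plausible 7-byte command; rejecting the line when the byte after the token is not whitespace or NUL closes that gap as well.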