Full Disclosure: Re: Multiple Backdoors found in eEye Products (IRIS and Secure

[Dave Aitel <dave () immunitysec com>]

Well, for all who read this (and care) I tested a moderately old version 
of SecureIIS I have installed on some VM, and I didn't see any calls to 
CreateProcess anywhere in any of the eEye DLL's. Nor did I see any 
suspicious getprocaddr's/loadlibrarya's that would indicate a backdoor.
For those who might try this little game, eEye's secureIIS is basically 
a http_filter module that loads into Inetinfo which takes requests and 
passes them off to a ncalrpc service (the event bus, as they'd call it). 
It's going to get the request about 3 times during the course of events.
Of course, this sort of thing is basically impossible to disprove - 
especially without source.
-dave


Lance Gusto wrote:

> Hey Dave,
>
>
> I cannot disclosed much information (based on request/threats made by 
> certain organizations
> whom may be involved) I am sure you can understand.
>
> But we have tested Iris versions 3.0 and up ... As I previously stated 
> it doesn't appear to
> exist in the 2.x series of Iris.
>
> I am not the main tester involved here, but I was told that there is 
> some sort of clandestine
> chaining mechanism to create the processes I believe. I will provide 
> the "lists" I have sent this
> too with more information as soon as some of the other testers 
> involved come back from their
> respective holiday breaks.
>
>
> > From: Dave Aitel <dave () immunitysec com>
> > To: Lance Gusto <thegusto22 () hotmail com>
> > Subject: Re: [Full-disclosure] Multiple Backdoors found in eEye 
> > Products (IRIS and SecureIIS)
> > Date: Wed, 29 Dec 2004 11:29:55 -0500
> >
> >
> > > The SecureIIS Backdoor:
> > >
> > > The SecureIIS backdoor was alot easier to discover but very well
> > > placed. The SecureIIS backdoor is triggered by a specifically
> > > crafted HTTP HEAD request. Here is a incomplete layout of how
> > > to exploit this:
> > Which version did you test? I'm not seeing it, or any intermodular 
> > calls to CreateProcess in the DLL that it loads up.
> > -dave
> >
> >
> > > HEAD /<24 byte constant string>/PORT_ADDRESS.ASP HTTP/1.1
> > >
> > > PORT - Will be the port to bind a shell.
> > > ADDRESS - Address for priority binding (0 - For any).
> > >
> > >
> > > [snip]
> > >
> > >
> > >
> > > Local Deduction:
> > >
> > > There are a two possiblilites here, either eEye's code has been
> > > altered by some attacker or this has been sanctioned by the
> > > company (or at least the developers were fully aware of this).
> > >
> > >
> > >
> > > Conclusion:
> > >
> > > It is very very shameful that a somewhat reputable like eEye is acting
> > > in a very childish, unprofessional manner. I figure that is why the
> > > code is closed source. There are several active exploits available 
> > > that I
> > > (the author of this advisory) didn't create floating around. The only
> > > logical solution will be to not use the mentioned eEye products for the
> > > time being or at least downgrade to the non-backdoored versions.
> > >
> > > We will be investigation eEye's Blink Product for any clandestine 
> > > backdoors.
> > > _________________________________________________________________
> > > FREE pop-up blocking with the new MSN Toolbar – get it now! 
> > > http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> _________________________________________________________________
> Don’t just search. Find. Check out the new MSN Search! 
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html