Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [NETRAGARD SECURITY ADVISORY] [Cambium Group, LLC. CAMAS Content Management System -- Multiple Critical Vulnerabilities][NETRAGARD-20070820]
From: Smoking Gun <pentesterkunt () gmail com>
Date: Wed, 25 Feb 2009 09:01:26 -0500

On Tue, Feb 24, 2009 at 4:00 PM, Netragard Advisories
<advisories () netragard com> wrote:

The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
he has a full time job outside of security followed by his foray into the
realm of security with "advisories" is puzzling. So Kevin isn't working in
the industry as he disclosed in his previous email which means he
obviously isn't working for "Netragard" which leads me to believe that
Netragard is merely a fictitious company formed on an IRC channel
amongst friends. Now this is not to say there is anything wrong with
this however, to trust a bunch of IRC kids on an infrastructure would
amount to career suicide. For starters outside of a modded Pentium,
they'd have little experience in the real world. Themes like DoDAF,
DIACAP, Information Security Architecture would be beyond the
scope of their understanding.

Without further-ado, I'll now speculate on the intent of this current
"Critical" advisory Netragard was gracious enough to bless the
community with.

- -------------------------------------------------------------------------------------------------
Contact                         : Adriel T. Desautels
Researcher                      : Kevin Finisterre
Vendor Notified         : 08/22/2007

[Proof Of Concept]
- -------------------------------------------------------------------------------------------------
Proof of concept code exists but is not provided as to not increase
users overall risk levels. Any website that reads "Powered by the
Group, LLC." is a CAMAS powered website.

Snake oil at it's finest. You may recall Netragard has a pay for play
scheme working where they never disclose any code. This works
to anyone's advantage as a trump card when you think about it on
a psychological warfare like scale. "We found a tumor somewhere
in your body however, we're choosing not to tell you about how we
found it, nor where it is."

Imagine if you will those words coming out of a doctor's mouth.
You have to take into account that a doctor is a professional as
should someone in this industry be - a professional. The entire
absurdity of "finding a tumor" and not revealing that tumor is
quite shady. Wouldn't you agree? You may choose to disagree
but offer some supportive argument should you choose to say

[Vendor Status and Chronology]
- -------------------------------------------------------------------------------------------------
08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
09/26/2008 11:17:35 PM EDT - Issues remain unfixed
02/09/2009 09:00:00 PM EDT - Issues remain unfixed
02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation
to Netragard)
02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

During the initial discovery by the self-impose-experts at Netragard, it
seems that Cambium performed some form of diligence in the sense
they took the time to listen to Netragard however, much can be gleaned
from Netragards own choice of wording:

08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

At the onset of a conference call - dot dot dot - there was an immediate
breakdown. Not one day later, not one week later - according to Netragard
it occurred the minute Netragard got on call with them. This is a rather
peculiar scenario if you think about it logically. What could have been
the potential breakdown; after all, Cambium took the time out of their
schedules to do "something". Could it have been the pitch offered by
Netragard. How could that have played out?

Kevin: "We discovered a tumor"
Cambium: "We appreciate you coming to us with this news, what
have you got?"
Adriel: "Wait a minute we won't disclose to you where this tumor
is right away. What's in it for us?"
Cambium: " Gentlemen have a nice day"

There seems to be no follow-up given by Netragard other than them
(Netragard) potentially running their own super secret Kernel's
special sauce coding as they state in their own words "Issues
remain unfixed" So what was the root cause of the breakdown. To
be fair about it I tried going over this scenario while thinking about
my golf game but no scenario came to mind other than you perhaps
tried to squeeze them for money and they likely told you to piss off.
This is likely the case, I'd be willing to bet the Lexus ISF that if I
questioned someone at Cambium, they'd likely solidify that notion.
So now Simon and Adriel can play King Leotard to the rescue and
offer some response to defend their Fortune 1,000,000,000,000
IRC based company. Which makes me wonder if they even forked
out money for a limited liability corporation filing. If so where. Other
than craptastically worded advisories, there is nothing listing a
company address, "Re


Making no mistakes is what establishes the certainty of victory, for
it means conquering an enemy that is already defeated. - Sun Tzu

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]