Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Vulnerabilities in *McAfee.com
From: Cal Leeming <cal () foxwhisper co uk>
Date: Wed, 30 Mar 2011 20:33:56 +0100

On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears <rdsears () mtu edu> wrote:


How about the scenario in which one statically audit's some javascript
sitting on a site, to notice it does something in an unsafe manner, and can
be used in a XSS attack without actually making it happen?. There was no
actual 'attacking' done, but there was still a vulnerability discovered. Is
THAT considered an illegal act? Is putting a '<3' into a web form/comment
section considered attacking it if you look at the source to see how the
character translated? What if you just wanted to make an ascii heart? My
point is it's a very blurry line, and there are a lot of scenarios where one
may discover a vulnerability without even having to do anything.


Like with most laws, the key point is "intent". If your intention was
clearly not malicious, then you are safe.



As for the source code disclosures, there was absolutely no 'attacking'
done. This was a huge oversight in the site devs, and they were giving that
information to anyone who requested it, plain and simple. What about the
Tumblr incident that happened a while ago? Just because they screwed up a
production script, they ended up leaking massive amounts of internal
infrastructure details, as well as private API keys, and other stuff that
could be used for nefarious means. Is it illegal to visit that page? I think
not, as THEY were putting the information out there (albeit by accident),
but I as a user have no way to know that.

I understand what you're saying about them not asking people to look for
bugs, but it IS the internet. Companies don't typically ask external people
to audit their executables either, but people do it for a number of reasons
(mainly education).

If they leave their site up, people will potentially poke at it. That's
just the way it is. If I have a vested interest in a company (be it monetary
or simply supporting it's cause), I personally want to see the site
flourish, because I am then a part of that site. I want to make sure that my
personal information is protected, and if I do find a bug somewhere, I
report it. I recently found a XSS in OpenDNS's landing page, and they were
very appreciative, very professional, and prompt to respond. This made me
WANT to work with them further to ensure that their infrastructure was
hardened to other forms of attack as well. I don't disclose these sorts of
issues publicly, because I give the developers a chance to fix it, and in my
past experience most companies are happy that I reported an issue, because I
could have just as easily not said anything. If it does come down to it
though, I follow my own public disclosure policy (
http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
Puppy's. It basically just asks for somewhat consistent lines of
communication after I disclose something. If the communication drops (or is
non-existent), then it's at my own discretion to disclose it in a public
forum.

I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
if choosing to disclose something (even in private) means potential legal
troubles, then that takes away the motivation for me to disclose it in any
form. I'm still going to be finding bugs for my own educational purposes,
but I'll just stop disclosing them. That in itself starts to undermine the
internet as a whole, leading to the restriction of information exchange,
which is appalling.

It IS technically illegal to do these sorts of tests without consent, but
at what point DOES it become a 'test'? There's some cases, granted, in which
the intention is clear (testing for blind SQL injections, etc) as they leave
a huge footprint, but there's no explicitly clear line in which it becomes
illegal. Is adding a ' to my name illegal? What if my 70+ year old
grandmother did it by accident? Could she be persecuted as well? You can't
apply the law to only some situations and not others.

I also point you to one of my favorite XKCD's => http://xkcd.com/327/

Is naming your kid something like that technically illegal? Then that
starts getting into free-speech issues, which are most certainly protected
by the constitution. If I want my name to be "Ann <! () #$%^&*()> Hero", and
the site doesn't explicitly tell me I can't do so, then how can I be
expected to reasonably know where their boundaries are? I don't see any
terms of use for using their website anywhere.

This is all just my opinion though, and sorry for the long message!

Ryan

----- Original Message -----
From: "Thor (Hammer of God)" <thor () hammerofgod com>
To: "Ryan Sears" <rdsears () mtu edu>, noloader () gmail com
Cc: "full-disclosure" <full-disclosure () lists grok org uk>
Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com

Well, I think there is a flip side to this, and that is the fact that no
one is asking these people to inspect their sites for vulnerabilities.
They are taking it upon themselves to scan the sites actively looking for
vulnerabilities for the sole purpose of exposing them.  They may say that
they are doing it "to ensure that the vendors fix their problems" but it's
not really any of their business to do so.

I think someone would be hard pressed to justify (defend) their actions
when they basically "attack" a site that they don't own, without permission,
with the express intent of finding a vulnerability.  That's the difference
between a "test" and an "attack."   It doesn't matter how trivial their
finds are, or what the outcome of the scan is, it is the fact that no one
asked, nor wants them to do this.

Technically, what they are doing is in fact illegal - in the US anyway.
So there is another aspect of this that deserves some discussion, I think.

t


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of Ryan Sears
Sent: Wednesday, March 30, 2011 10:45 AM
To: noloader () gmail com
Cc: full-disclosure
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that
matter),
if anyone should understand that a XSS should really only be construed a
'criminal act' if it's indeed used to attack someone. If a group is taking
the time
out of their day to find and disclose issues to Mcafee, they should
probably be
thankful. What about finding a vulnerability in Mcafee's virus scanner?
Could
that be construed as a 'criminal act' if they disclose it? Where do you
draw the
line?

Basically this sort of thing pushes the community into silence until
something
truly criminal happens. I'm not saying give anyone massive amounts of
credit
for publishing a few XSS bugs (because there's millions of them out
there),
but don't label them as a criminal for trying to help. That's just idiotic
IMO.

If you run an enterprise level solution for antivirus AND web
vulnerability
testing, the community understands that it's a process not unlike any
other.
There will be bugs, but it only demolishes the image of Mcafee to see them
handle it like this in particular. If they would have been appreciative
about it,
and promptly fixed their website (or at the very least maintained friendly
contact) this incident would have pretty much gone un-noticed.

Look at LastPass as an example.

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They had someone poking at their site, who managed to find a XSS bug using
CRLF injections. They were appreciative of the find, 2.5 hrs later the
issue was
fixed, and there was that blog post about exactly what they were going to
do
about it. They took full responsibility for the fact that THEIR coding was
to
blame, and basically said 'This is what happened, and this is why it will
probably never happen again'. This spoke hugely to me (as I'm sure it did
the
rest of the community) because it shows a company that's willing to admit
it
made a mistake, as opposed to sitting on their haunches and blaming people
for looking for these sorts of bugs. Oh and not every customer of their
service
has to pay massive licensing fees, as there's a free version as well. In
my mind
at least this equates to a company that cares more about their customers
that
don't pay a single dime, then a company who forces people to pay massive
amounts of coin for shaky automated scanning and services. That's just the
way I see it though.


Someone's gotta tell the emperor he has no clothes on.

Ryan

----- Original Message -----
From: "Jeffrey Walton" <noloader () gmail com>
To: "YGN Ethical Hacker Group" <lists () yehg net>
Cc: "full-disclosure" <full-disclosure () lists grok org uk>
Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <lists () yehg net

wrote:
According to xssed.com,  there are two remaining XSS issues:

https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //


You guys know our disclosed issues are very simple and can easily be
found through viewing HTML/JS source codes and simple Google Hacking

(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.m
cafee.com).

However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
http://www.cenzic.com/company/management/khera/,  according to
Network
World News editor - Ellen Messmer.  Thus, the next target is Cenzic
web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
is.
Too funny.... I wonder is Aaron Barr is consulting for Cenzic.

Jeff

[SNIP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]