Full Disclosure mailing list archives
@(#)Mordred Labs security notice - exploring the honeypot(s) in the wild
From: Sir Mordred <mordred () s-mail com>
Date: Sat, 10 May 2003 06:54:41 +0000
// @(#)Mordred Labs security notice 0x0003

Name: Exploring the honeypot(s) in the wild
Release date: May 10, 2003
Author: Sir Mordred (mordred () s-mail com)

I. INTRODUCTION

This is a second part of the security notice devoted to security companies.
Then why it's called "Exploring the honeypots in the wild"?
Well, it's simple, when i visited http://xfiw.iss.net and read:

<quote>
As a normal course of their research, the ISS X-Force™ places servers on the Internet to monitor hacker activity, propagation of Internet worms and to serve as targets for attack. These servers are known as honeypots. In some cases, honeypots are purposely left insecure and mis-configured. Some honeypots are "visible" to the public via web servers and web pages that are placed on the servers. All of ISS honeypots are constantly monitored by the X-Force to better understand widely used hacking tools and techniques, but to also to identify new attack routines and vulnerabilities. Several X-Force personnel are members of the Honeynet Research Alliance.
</quote>

i laughed myself into fits and because of this nice quote i decided to devote the whole notice to ISS.

After reading this notice you should clearly understand several important points:

1) all of the ISS public servers are honeypots (i.e. serve as target for attack), which in all cases "purposely left insecure and mis-configured"

2) not just several, but all of the X-Force personnel, including ISS tech personnel, including their admins/programmers are members of the Honeypost Research Alliance, so the notice should make you think twice before acquiring ISS service, because you probably don't want your system to be just another honeypot on the net.

3) the notice will make some of the people look like assholes, sorry for that.

4) the notice will show what the security audit looks like, web app audit in particular, so i expect many security experts and pen-testers will be highly surprised when they hear that the security audit is not just nmaping/nessusing/whiskering the target system.

5) it seems that some ISS web developers never heard about try { lame code here } catch(Throwable t) {} trick, maybe some Java tutorial like http://www.tutorialbooks.com/for_dummies_idiots_guides/subjects/java_tutorial.htm would be very helpful ... wait, what? ... damn, i forgot that this is a honeypot! and it is "purposely left insecure and mis-configured"...

As always, the format for vulnerabilities is:

<number>) [hostname, the company name]
quotes, comments (if exists)
* ISSUE <number> - description of the vulnerability
blank line
comments (if exists)
blank line
the url to demonstrate this vulnerability
blank line
the error message (if exists)

II. DETAILS

[ www.iss.net, Internet Security Systems Inc. ]

* ISSUE 1 - Multiple CSS vulnerabilities

I will not describe all of the CSS (there are too many of them) vulnerabilities here, just one example.

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=">[JAVASCRIPT]<"

* ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp

http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkkjdcgencfhidglgdgij.0&oid=1

Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason: cnt.get has no properties

* ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'

Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed, reason: eventlist has no properties

* ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml

https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid=s'

Received an exception: Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

* ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml

https://www.iss.net/issEn/DLC/evalForm.jhtml?sid=s'

Received an exception: Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated
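A defender-side check for the error leakage shown in issues 2 to 5, as an added example that is not part of the original post: it scans response bodies for Oracle error codes, Java exception class names and server filesystem paths. The pattern set and the function names are assumptions; the first two samples are the error texts quoted in the notice, the third is constructed.

```python
import re

# Patterns for the kinds of leakage quoted in the notice (assumed, not exhaustive).
LEAK_PATTERNS = {
    # Oracle error codes such as ORA-01756
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    # Fully qualified Java exception/error class names
    "java_exception": re.compile(r"\b(?:java|javax)\.[\w.]+(?:Exception|Error)\b"),
    # Absolute server-side paths; the lookbehind skips paths that are part of a URL
    "server_path": re.compile(r"(?<![\w:/.])/(?:opt|var|usr|home|etc|srv)/[\w./-]+"),
}


def find_leaks(body):
    """Return {kind: [distinct matches]} for every leak pattern found in body."""
    hits = {}
    for kind, pattern in LEAK_PATTERNS.items():
        found = sorted(set(pattern.findall(body)))
        if found:
            hits[kind] = found
    return hits


# First two bodies: error texts quoted in the notice. Third: constructed.
SAMPLES = {
    "eventdetails.jsp": (
        "Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, "
        "reason: cnt.get has no properties"
    ),
    "EditInfo.jhtml": (
        "Received an exception: Error: SQLException java.sql.SQLException: "
        "ORA-01756: quoted string not properly terminated"
    ),
    "generic (constructed)": (
        "<html><body>Something went wrong. Reference: 7f3a.</body></html>"
    ),
}


def scan(samples):
    """Map each sample name to the leaks found in its body."""
    return {name: find_leaks(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, "->", hits or "clean")
```

A check like this fits a regression test or a response filter in front of the application: any hit means a raw exception reached the client instead of a generic error page.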