Re: Vulnerabilities in *McAfee.com

[Cal Leeming <cal () foxwhisper co uk>]

On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears <rdsears () mtu edu> wrote:

> How about the scenario in which one statically audit's some javascript
> sitting on a site, to notice it does something in an unsafe manner, and can
> be used in a XSS attack without actually making it happen?. There was no
> actual 'attacking' done, but there was still a vulnerability discovered. Is
> THAT considered an illegal act? Is putting a '<3' into a web form/comment
> section considered attacking it if you look at the source to see how the
> character translated? What if you just wanted to make an ascii heart? My
> point is it's a very blurry line, and there are a lot of scenarios where one
> may discover a vulnerability without even having to do anything.

Like with most laws, the key point is "intent". If your intention was
clearly not malicious, then you are safe.


> As for the source code disclosures, there was absolutely no 'attacking'
> done. This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that
> could be used for nefarious means. Is it illegal to visit that page? I think
> not, as THEY were putting the information out there (albeit by accident),
> but I as a user have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people
> to audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's
> just the way it is. If I have a vested interest in a company (be it monetary
> or simply supporting it's cause), I personally want to see the site
> flourish, because I am then a part of that site. I want to make sure that my
> personal information is protected, and if I do find a bug somewhere, I
> report it. I recently found a XSS in OpenDNS's landing page, and they were
> very appreciative, very professional, and prompt to respond. This made me
> WANT to work with them further to ensure that their infrastructure was
> hardened to other forms of attack as well. I don't disclose these sorts of
> issues publicly, because I give the developers a chance to fix it, and in my
> past experience most companies are happy that I reported an issue, because I
> could have just as easily not said anything. If it does come down to it
> though, I follow my own public disclosure policy (
> http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of
> communication after I disclose something. If the communication drops (or is
> non-existent), then it's at my own discretion to disclose it in a public
> forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
> if choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes,
> but I'll just stop disclosing them. That in itself starts to undermine the
> internet as a whole, leading to the restriction of information exchange,
> which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but
> at what point DOES it become a 'test'? There's some cases, granted, in which
> the intention is clear (testing for blind SQL injections, etc) as they leave
> a huge footprint, but there's no explicitly clear line in which it becomes
> illegal. Is adding a ' to my name illegal? What if my 70+ year old
> grandmother did it by accident? Could she be persecuted as well? You can't
> apply the law to only some situations and not others.
>
> I also point you to one of my favorite XKCD's => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that
> starts getting into free-speech issues, which are most certainly protected
> by the constitution. If I want my name to be "Ann <!@#$%^&*()> Hero", and
> the site doesn't explicitly tell me I can't do so, then how can I be
> expected to reasonably know where their boundaries are? I don't see any
> terms of use for using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor () hammerofgod com>
> To: "Ryan Sears" <rdsears () mtu edu>, noloader () gmail com
> Cc: "full-disclosure" <full-disclosure () lists grok org uk>
> Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> Well, I think there is a flip side to this, and that is the fact that no
> one is asking these people to inspect their sites for vulnerabilities.
> They are taking it upon themselves to scan the sites actively looking for
> vulnerabilities for the sole purpose of exposing them.  They may say that
> they are doing it "to ensure that the vendors fix their problems" but it's
> not really any of their business to do so.
>
> I think someone would be hard pressed to justify (defend) their actions
> when they basically "attack" a site that they don't own, without permission,
> with the express intent of finding a vulnerability.  That's the difference
> between a "test" and an "attack."   It doesn't matter how trivial their
> finds are, or what the outcome of the scan is, it is the fact that no one
> asked, nor wants them to do this.
>
> Technically, what they are doing is in fact illegal - in the US anyway.
> So there is another aspect of this that deserves some discussion, I think.
>
> t
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
> > bounces () lists grok org uk] On Behalf Of Ryan Sears
> > Sent: Wednesday, March 30, 2011 10:45 AM
> > To: noloader () gmail com
> > Cc: full-disclosure
> > Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> > Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that
> matter),
> > if anyone should understand that a XSS should really only be construed a
> > 'criminal act' if it's indeed used to attack someone. If a group is taking
> the time
> > out of their day to find and disclose issues to Mcafee, they should
> probably be
> > thankful. What about finding a vulnerability in Mcafee's virus scanner?
> Could
> > that be construed as a 'criminal act' if they disclose it? Where do you
> draw the
> > line?
> >
> > Basically this sort of thing pushes the community into silence until
> something
> > truly criminal happens. I'm not saying give anyone massive amounts of
> credit
> > for publishing a few XSS bugs (because there's millions of them out
> there),
> > but don't label them as a criminal for trying to help. That's just idiotic
> IMO.
> > If you run an enterprise level solution for antivirus AND web
> vulnerability
> > testing, the community understands that it's a process not unlike any
> other.
> > There will be bugs, but it only demolishes the image of Mcafee to see them
> > handle it like this in particular. If they would have been appreciative
> about it,
> > and promptly fixed their website (or at the very least maintained friendly
> > contact) this incident would have pretty much gone un-noticed.
> >
> > Look at LastPass as an example.
> >
> > http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
> >
> > They had someone poking at their site, who managed to find a XSS bug using
> > CRLF injections. They were appreciative of the find, 2.5 hrs later the
> issue was
> > fixed, and there was that blog post about exactly what they were going to
> do
> > about it. They took full responsibility for the fact that THEIR coding was
> to
> > blame, and basically said 'This is what happened, and this is why it will
> > probably never happen again'. This spoke hugely to me (as I'm sure it did
> the
> > rest of the community) because it shows a company that's willing to admit
> it
> > made a mistake, as opposed to sitting on their haunches and blaming people
> > for looking for these sorts of bugs. Oh and not every customer of their
> service
> > has to pay massive licensing fees, as there's a free version as well. In
> my mind
> > at least this equates to a company that cares more about their customers
> that
> > don't pay a single dime, then a company who forces people to pay massive
> > amounts of coin for shaky automated scanning and services. That's just the
> > way I see it though.
> >
> >
> > Someone's gotta tell the emperor he has no clothes on.
> >
> > Ryan
> >
> > ----- Original Message -----
> > From: "Jeffrey Walton" <noloader () gmail com>
> > To: "YGN Ethical Hacker Group" <lists () yehg net>
> > Cc: "full-disclosure" <full-disclosure () lists grok org uk>
> > Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
> > Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> > On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <lists () yehg net
> >
> > wrote:
> > > According to xssed.com,  there are two remaining XSS issues:
> > >
> > > https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > > https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > >
> > >
> > > You guys know our disclosed issues are very simple and can easily be
> > > found through viewing HTML/JS source codes and simple Google Hacking
> > (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.m
> > cafee.com).
> > > However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> > > http://www.cenzic.com/company/management/khera/,  according to
> > Network
> > > World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> > > web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> > > is.
> > Too funny.... I wonder is Aaron Barr is consulting for Cenzic.
> >
> > Jeff
> >
> > > > [SNIP]
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/