From: Sir Mordred (mordred@s-mail.com)
To: full-disclosure@lists.netsys.com
Date: Sat, 10 May 2003 03:00:38 +0000
Subject: [Full-Disclosure] @(#)Mordred Labs security notice - exploring the honeypot(s) in the wild

// @(#)Mordred Labs security notice 0x0003

Name: Exploring the honeypot(s) in the wild
Release date: May 10, 2003
Author: Sir Mordred (mordred@s-mail.com)

I. INTRODUCTION

This is the second part of the security notice devoted to security companies.

Then why is it called "Exploring the honeypots in the wild"?
Well, it's simple: when I visited http://xfiw.iss.net and read:


As a normal course of their research, the ISS X-Force™ places servers on
the Internet to monitor hacker activity, propagation of Internet worms and to serve as
targets for attack. These servers are known as honeypots. In some cases, honeypots are
purposely left insecure and mis-configured. Some honeypots are "visible" to the public via web
servers and web pages that are placed on the servers. All of ISS honeypots are constantly
monitored by the X-Force to better understand widely used hacking tools and techniques, but also
to identify new attack routines and vulnerabilities. Several X-Force personnel are members of the
Honeynet Research Alliance.


I laughed myself into fits, and because of this nice quote I decided to
devote the whole notice to ISS.
After reading this notice you should clearly understand several important
points:

1) all of the ISS public servers are honeypots (i.e. they serve as targets for
attack), which are in all cases "purposely left insecure and mis-configured"

2) not just several, but all of the X-Force personnel, including ISS tech
personnel and their admins/programmers, are members of the Honeynet Research
Alliance, so this notice should make you think twice before acquiring ISS services,
because you probably don't want your system to be just another honeypot on the net.

3) the notice will make some of the people look like assholes, sorry for
that.

4) the notice will show what a security audit looks like, a web app audit
in particular, so I expect many security experts and pen-testers will be highly surprised
when they hear that a security audit is not just nmapping/nessusing/whiskering
the target system.

5) it seems that some ISS web developers have never heard about the try { lame code
here } catch(Throwable t) {} trick; maybe some Java tutorial like
http://www.tutorialbooks.com/for_dummies_idiots_guides/subjects/java_tutorial.htm
would be very helpful ...
wait, what? ... damn, I forgot that this is a honeypot! and it is
"purposely left insecure and mis-configured"...

As always, the format for vulnerabilities is:

) [hostname, the company name]
quotes, comments (if any)
* ISSUE  - description of the vulnerability
blank line
comments (if any)
blank line
the url to demonstrate this vulnerability
blank line
the error message (if any)


II. DETAILS

[ www.iss.net, Internet Security Systems Inc. ]

* ISSUE 1 - Multiple CSS (cross-site scripting) vulnerabilities

I will not describe all of the CSS vulnerabilities here (there are too many
of them), just one example.

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode="><"

* ISSUE 2 - Path disclosure in /issEn/delivery/eventdetails.jsp

http://www.iss.net/issEn/delivery/eventdetails.jsp?BV_EngineID=ccccadchmgkkkjdcgencfhidglgdgij.0&oid=1

Script /opt/bvvar/english/scripts/delivery/eventdetails.jsp failed, reason:
cnt.get has no properties 

* ISSUE 3 - Path disclosure in /issEn/delivery/eventscalendar.jsp

http://www.iss.net/issEn/delivery/eventscalendar.jsp?regioncode=EM'

Script /opt/bvvar/english/scripts/delivery/eventscalendar.jsp failed,
reason: eventlist has no properties 

* ISSUE 4 - SQL injection in /issEn/MYISS/EditInfo.jhtml

https://www.iss.net/issEn/MYISS/EditInfo.jhtml?sid=s'

Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated  

* ISSUE 5 - SQL injection in /issEn/DLC/evalForm.jhtml

https://www.iss.net/issEn/DLC/evalForm.jhtml?sid=s'

Received an exception:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated  
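The mechanism behind issues 4 and 5, and the echoed error text behind issues 2 and 3, as an added example that is not part of the original notice: a lone apostrophe in `sid` breaks a string literal when the parameter is concatenated into the SQL, while a bound parameter treats it as data, and the driver's exception text stays in the server log instead of the response. It assumes sqlite3 standing in for Oracle and a constructed `sessions` table; none of these names come from the ISS site.

```python
import logging
import sqlite3

log = logging.getLogger("myiss")

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's session table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('s', 'user@example.com')")
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, sid: str):
    # Vulnerable pattern: the parameter is pasted into the SQL text, so the
    # quote in sid=s' breaks the string literal (Oracle reports ORA-01756).
    return conn.execute(
        "SELECT email FROM sessions WHERE sid = '" + sid + "'").fetchone()

def lookup_safe(conn: sqlite3.Connection, sid: str):
    # Bound parameter: the value is never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT email FROM sessions WHERE sid = ?", (sid,)).fetchone()

def driver_error_text(conn: sqlite3.Connection, sid: str) -> str:
    """Run the vulnerable query and return the driver's error text (what the
    notice shows the site echoing to the browser); "" if it succeeded."""
    try:
        lookup_unsafe(conn, sid)
        return ""
    except sqlite3.Error as exc:
        return str(exc)

def handle_request(conn: sqlite3.Connection, sid: str) -> tuple:
    """Return (status, body) for an EditInfo-style lookup. Failures are logged
    server-side; the client only sees a generic message, never driver text
    or script paths."""
    try:
        row = lookup_safe(conn, sid)
    except sqlite3.Error:
        log.exception("session lookup failed for sid=%r", sid)
        return 500, "An internal error occurred."
    if row is None:
        return 404, "No such session."
    return 200, row[0]
```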
