Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day
Sure, this attack vector has been 'discovered' by lots of people in
the past, or even concurrently, that's my point. It doesn't merit a
whole paper on it. Not to mention you're getting on the FUD/Kaminsky
bandwagon when GNUtards release a statement like 'New technique to
universally hijack websites', trying to get some media attention for
something everyone else already knew.
re: the bluecoat vuln, if you read my post I just said it was a recent
(or as you might put it, *recent*) example of this type of
vulnerability. I've found this sort of vuln myself with client software and
so have a number of other people I know. Glad to see the majority of
your email is completely irrelevant.
2008/11/1 Adrian P <unknown.pentester@xxxxxxxxx>:
> Hello Fionnbharr,
>
> Please see my response to your comments in-line.
>
> On Fri, Oct 31, 2008 at 8:31 AM, Fionnbharr <thouth@xxxxxxxxx> wrote:
>> This isn't new. It isn't even a technique.
>>
>> http://www.bluecoat.com/support/securityadvisories/icap_patience
>>
>> A very recent example of this kind of vulnerability. My god you
>> gnucitizen people are retarded. At least you didn't give it a
>> ridiculous name like 'clickjacking'. Can you GNUtards please keep your
>> 'research' into subjects people already know to yourself or at least
>> not post it to the lists, then at least I won't have to see it.
>
> That Bluecoat advisory was released on 29 September 2008. What makes
> you think that I did not discover the SonicWALL vulnerability/vector
> and reported it to ZDI *way before* that date? Well, FYI I reported it
> to ZDI in June 2008 and discovered it even before.
>
> At least, you should consider the possibility of the attack vector
> being discovered by two researchers concurrently. It can take quite a
> few months before the vendor provides a patch, not to mention that
> SonicWALL was VERY slow to confirm the vulnerability.
>
> Don't you know that responsible disclosure means that the details of a
> vulnerability can be held for quite a while before being released to
> the public? Since when is the publishing date of an advisory equal to the
> discovery date?
>
> Furthermore, it appears that Bluecoat only released their advisory
> *after* the researcher jplopezy made his advisory public, which could
> suggest that he did NOT inform the vendor before releasing the
> details:
>
> http://www.securityfocus.com/archive/1/496940/30/0/threaded
>
> It's also interesting that the researcher released the advisory
> (bugtraq post) one day *after* I published the general description of
> the attack:
>
> June 25th, 2008.
> ZDI forwards my findings to SonicWALL (see "Disclosure Timeline"):
> http://www.zerodayinitiative.com/advisories/ZDI-08-070/
>
> September 20th, 2008.
> I publish the general description of the attack:
> http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/
>
> September 21st, 2008.
> Researcher jplopezy finds the same attack vector on BlueCoat's web filter:
> http://www.securityfocus.com/archive/1/496577/30/0/threaded
>
> Notice jplopezy published the bugtraq post *one day after* I published
> the general attack description on GNUCITIZEN. Interesting?
>
> Please do your homework before making any accusations.
>
>>
>> Also "Malaysia: Cracking into Embedded Devices and Beyond!", who the
>> fuck uses the word 'cracking' instead of 'hacking' in 2008? Sure for
>> cracking passwords, but wow.
>
> Can't you accept the idea that some of us still consider hacking and
> breaking into a system not necessarily the same thing?
>
> Regards,
> ap.
>
>>
>> 2008/10/31 Adrian P <unknown.pentester@xxxxxxxxx>:
>>> Hello folks,
>>>
>>> Yesterday, I presented for the first time [1] a new method to perform
>>> universal website hijacking by exploiting content filtering features
>>> commonly supported by corporate firewalls. I briefly discussed [2] the
>>> finding on GNUCITIZEN in the past without giving away the details, but
>>> rather mentioning what the attacker can do and some characteristics of
>>> the attack.
>>>
>>> Anyway, I'm now releasing full details on how the technique works, and
>>> a real 0day example against SonicWALL firewalls.
>>>
>>> The paper can be found on the GNUCITIZEN labs site. Please let me know
>>> if you can successfully use the same technique against firewalls by
>>> other vendors:
>>>
>>> http://sites.google.com/a/gnucitizen.org/lab/research-papers
>>>
>>> Finally, I'd like to thank Zero Day Initiative [3] for their great
>>> work and the Hack in the Box crew for organizing such a fine event!
>>>
>>> Regards,
>>> ap.
>>>
>>> REFERENCES
>>>
>>> [1] "HITBSecConf2008 - Malaysia: Cracking into Embedded Devices and Beyond!"
>>> http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=186
>>>
>>> [2] "New technique to perform universal website hijacking"
>>> http://www.gnucitizen.org/blog/new-technique-to-perform-universal-website-hijacking/
>>>
>>> [3] "SonicWALL Content-Filtering Universal Script Injection Vulnerability"
>>> http://www.zerodayinitiative.com/advisories/ZDI-08-070/
>>>
>>> --
>>> Adrian "pagvac" Pastor | GNUCITIZEN
>>> gnucitizen.org
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>