GOBBLES Reflection on the msn666 Hole

From: gobblesat_private
Date: Sat Jun 15 2002 - 09:33:02 PDT


On Thursday, June 13th, a mail appeared on the Bugtraq (do not confuse with Bugtraq.org) mailing list titled, "Sensitive IM Security - MSN Message Sniffing".  Someone brought it to our attention on IRC (greets to all our friends in #!GOBBLES, and all our friends who have been with us there), and we took a look at the code.

A few minutes later, we sent the author email concerning the insecure sscanf() statement in his code, and suggested that he fix it (along with many other problems in the code).  His response: "There is no problem."  One of his friends, from underground.co.kr, suggested to us that this was an intentional feature, and that there had already been discussion of compromising hosts, targeted from the IPs in the access_logs.

We then immediately wrote up an advisory/alert and sent it out to the mailing lists.  We received immediate criticism.  This is expected, however, for any of our actions.  We're doing a good job of making friends in this security world, although we are quite famous, and in the end that's really all that matters.

Soon, the author of msn666 posted to the mailing lists stating "there is no problem", and also indicated that even if there was a bug, it wouldn't be significant because no one will "use this as a server like apache or mysql", which is quite nonsensical to us.  It's a sniffer, not a daemon.  Look at the massive (in)security history with tcpdump -- again, not a daemon, but a process that can be _REMOTELY_EXPLOITED_.

After this dialogue, we quickly wrote up a second advisory, and published a fully working proof-of-concept exploit.  And yet, the author continues to deny the existence of a bug.

Look, if it wasn't actually a "backdoor", and was just lame coding, we apologize for the statements we made, and will give your underground.or.kr friend hell for lying to us about your true motivations.  However, seeing as how you've handled it since then, it'll be hard to convince us that we're wrong -- logic is on our side.

As of today, the hole is still present in msn666.  Maybe it'll get patched.

GOBBLES Security
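The post's technical point is that a sniffer parsing captured packets with an unbounded sscanf() is remotely reachable: anyone who can put a packet on the wire chooses the input. The C below is an added illustration of that bug class and its fix; it is not the msn666 source, not GOBBLES' exploit, and the "MSG sender ..." line format, the 32-byte buffer and the sample packets are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* hypothetical fixed-size field in a sniffer */

/*
 * Vulnerable form (illustrative, NOT the msn666 code): an unbounded "%s"
 * copies every non-space byte of the captured line into a caller-supplied
 * USER_MAX-byte buffer.  A sniffed packet whose sender field is longer
 * than USER_MAX - 1 bytes overflows it, so this is exploitable by anyone
 * who can make the sniffer see a packet.  Kept only for comparison.
 */
int parse_sender_unbounded(const char *line, char *user /* USER_MAX bytes */)
{
    return sscanf(line, "MSG %s", user) == 1 ? 0 : -1;
}

/*
 * Hardened form: a width-limited conversion built from the real buffer
 * size, followed by a "%c" that captures the byte right after the field.
 * If that byte is not whitespace the field was longer than the buffer,
 * and we reject the packet instead of silently truncating or overflowing.
 *
 * Returns  0 on success (user is NUL-terminated),
 *         -1 if the line is not a MSG line,
 *         -2 if the sender field does not fit in userlen bytes.
 */
int parse_sender_bounded(const char *line, char *user, size_t userlen)
{
    char fmt[32];
    char next = 0;
    int n;

    if (userlen < 2)
        return -2;

    /* e.g. userlen == 32 -> "MSG %31s%c" */
    snprintf(fmt, sizeof fmt, "MSG %%%zus%%c", userlen - 1);

    n = sscanf(line, fmt, user, &next);
    if (n < 1)
        return -1;                      /* no MSG line / no sender */
    if (n == 2 && !isspace((unsigned char)next))
        return -2;                      /* field continued past the buffer */
    return 0;
}

int main(void)
{
    /* Constructed sample "packets" as a sniffer might hand them to a
     * line parser; the second one carries a 40-byte sender field. */
    const char *benign    = "MSG alice@example.com N 12";
    const char *oversized = "MSG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA N 12";
    char user[USER_MAX];

    if (parse_sender_bounded(benign, user, sizeof user) == 0)
        printf("benign packet: sender=%s\n", user);

    if (parse_sender_bounded(oversized, user, sizeof user) == -2)
        printf("oversized packet: sender field rejected\n");

    /* parse_sender_unbounded(oversized, user) would overflow user[];
     * deliberately not called. */
    return 0;
}
```

The design choice worth noting: "%31s" alone is not enough, because it truncates silently and leaves the remainder of the field to be consumed by the next conversion, which can desynchronise the rest of the parse. Capturing the following byte with "%c" turns an oversized field into a detectable parse failure.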

    This archive was generated by hypermail 2b30 : Sat Jun 15 2002 - 12:44:29 PDT