Comments on: New technique to perform universal website hijacking

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Thu, 02 Oct 2008 21:26:25 +0000

@maxdj: can’t comment on any details yet unfortunately :(

By: maxdj

maxdj — Tue, 30 Sep 2008 15:06:41 +0000

Hi, Is it by chance related to Web security gateway software (Web filtering), aka Internet content-control ?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Fri, 26 Sep 2008 19:40:22 +0000

@ax0n: no, my finding is not related with those advisories you mentioned.

By: ax0n

ax0n — Thu, 25 Sep 2008 00:37:39 +0000

I know some of my favorite vuln finds are serendipitous ones. That’s always awesome.

On a side note, your finding wouldn’t happen to have anything to do with the huge pile of Cisco advisories that went out today, would it?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 24 Sep 2008 07:26:27 +0000

Sure there is always a possibility that someone else can find the same vulnerability. I wouldn’t be so naive to think I’m the only one who found it.

However, I must warn you that this vuln is a *weird one*. In fact I discovered it by pure accident. I’m planning to explain what lead me to discover it at HITBSecConf, because it’s actually kind of a funny story ;)

By: FilipM

FilipM — Tue, 23 Sep 2008 06:18:47 +0000

You’re right, I should have been more clear. I ment selling it to irresponsible groups or individuals who have some bad intentions with it.

What about my concern? I know it’s possibly impossible to answer correct, but if you have to make a guess, what are the chances that this vuln is already found (and abused) by someone else?
Without revealing the details on howto, is there a way to check if someone has been a victim of the vuln? Or are there no traces at all?
As you can notice, you post scared the sh*t out of me :oÞ

By: ax0n

ax0n — Tue, 23 Sep 2008 03:49:39 +0000

I’d not think listing the vendor would fall into the realm “irresponsible disclosure” and I understand that disclosure is tricky business, and selling vulnerabilities is NOT always a bad thing.

I’ve deployed many different solutions for customers, so there’s a good chance I have a client whose dick is hanging in the breeze because of this. I just don’t know which one(s). HITBSecConf is a long ways off. And people wonder why I get 15 hours of sleep per week.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 22 Sep 2008 20:35:44 +0000

@FlipM: we shouldn’t turn selling a vulnerability into a synonym for irresponsible disclosure. There are several *responsible* vulnerability disclosure programs which pay researchers. ZDI for instance is the one I used, which reported the vulnerability I found to the vendor. Of course, the details will only be available once a fix is released.

By: FilipM

FilipM — Mon, 22 Sep 2008 10:21:00 +0000

@NurBo: At least Adrian is taking the appropriate steps after finding vulnerabilities, instead of abusing (or even selling!) them.

But I am concerned. If Adrian found this one, who else found the same? And when? Did someone already abused any of my systems? We’ll know after HITBSecConf Malaysia…

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 21 Sep 2008 10:06:09 +0000

guys, as I said I can’t provide full details at this point, even though I would love to! I simply wanted to share what I could regarding the new material which I will present at HITBSecConf Malaysia.

By: pdp

pdp — Sun, 21 Sep 2008 09:33:04 +0000

There will never be a good way of disclosing vulnerabilities! At least we try to give you the heads up that an issue exists. The more inform you are the better decisions you can make.

By: NurBo

NurBo — Sun, 21 Sep 2008 02:29:20 +0000

why tell us about something if your not going to share thats like saying heres some new shoes but you can’t wear them.

By: ax0n

ax0n — Sat, 20 Sep 2008 23:03:26 +0000

From a responsible disclosure standpoint, I would much rather have gotten the name of a product family than a list of bad stuff that this vulnerability exposes users to. Now I have to sit around wondering if any of the firewall appliances I’ve deployed are “the one” and throw extra wide-spectrum effort at the problem despite if I’m actually affected or not.

By: randomer

randomer — Sat, 20 Sep 2008 20:27:51 +0000

I bet it’s Agnitum Outpost firewall.

By: N

Sat, 20 Sep 2008 18:41:47 +0000

cisco pix?