Re: [Full-disclosure] Vulnerabilities in *McAfee.com
- To: Ryan Sears <rdsears@xxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
- From: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Date: Wed, 30 Mar 2011 20:33:56 +0100
On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears <rdsears@xxxxxxx> wrote:
>
> How about the scenario in which one statically audits some javascript
> sitting on a site, to notice it does something in an unsafe manner, and can
> be used in an XSS attack without actually making it happen? There was no
> actual 'attacking' done, but there was still a vulnerability discovered. Is
> THAT considered an illegal act? Is putting a '<3' into a web form/comment
> section considered attacking it if you look at the source to see how the
> character translated? What if you just wanted to make an ascii heart? My
> point is it's a very blurry line, and there are a lot of scenarios where one
> may discover a vulnerability without even having to do anything.
>
Like with most laws, the key point is "intent". If your intention was
clearly not malicious, then you are safe.
>
> As for the source code disclosures, there was absolutely no 'attacking'
> done. This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that
> could be used for nefarious means. Is it illegal to visit that page? I think
> not, as THEY were putting the information out there (albeit by accident),
> but I as a user have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people
> to audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's
> just the way it is. If I have a vested interest in a company (be it monetary
> or simply supporting its cause), I personally want to see the site
> flourish, because I am then a part of that site. I want to make sure that my
> personal information is protected, and if I do find a bug somewhere, I
> report it. I recently found an XSS in OpenDNS's landing page, and they were
> very appreciative, very professional, and prompt to respond. This made me
> WANT to work with them further to ensure that their infrastructure was
> hardened to other forms of attack as well. I don't disclose these sorts of
> issues publicly, because I give the developers a chance to fix it, and in my
> past experience most companies are happy that I reported an issue, because I
> could have just as easily not said anything. If it does come down to it
> though, I follow my own public disclosure policy (
> http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of
> communication after I disclose something. If the communication drops (or is
> non-existent), then it's at my own discretion to disclose it in a public
> forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
> if choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes,
> but I'll just stop disclosing them. That in itself starts to undermine the
> internet as a whole, leading to the restriction of information exchange,
> which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but
> at what point DOES it become a 'test'? There are some cases, granted, in which
> the intention is clear (testing for blind SQL injections, etc) as they leave
> a huge footprint, but there's no explicitly clear line in which it becomes
> illegal. Is adding a ' to my name illegal? What if my 70+ year old
> grandmother did it by accident? Could she be persecuted as well? You can't
> apply the law to only some situations and not others.
>
> I also point you to one of my favorite XKCDs => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that
> starts getting into free-speech issues, which are most certainly protected
> by the constitution. If I want my name to be "Ann <!@#$%^&*()> Hero", and
> the site doesn't explicitly tell me I can't do so, then how can I be
> expected to reasonably know where their boundaries are? I don't see any
> terms of use for using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: "Ryan Sears" <rdsears@xxxxxxx>, noloader@xxxxxxxxx
> Cc: "full-disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
> Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> Well, I think there is a flip side to this, and that is the fact that no
> one is asking these people to inspect their sites for vulnerabilities.
> They are taking it upon themselves to scan the sites actively looking for
> vulnerabilities for the sole purpose of exposing them. They may say that
> they are doing it "to ensure that the vendors fix their problems" but it's
> not really any of their business to do so.
>
> I think someone would be hard pressed to justify (defend) their actions
> when they basically "attack" a site that they don't own, without permission,
> with the express intent of finding a vulnerability. That's the difference
> between a "test" and an "attack." It doesn't matter how trivial their
> finds are, or what the outcome of the scan is, it is the fact that no one
> asked, nor wants them to do this.
>
> Technically, what they are doing is in fact illegal - in the US anyway.
> So there is another aspect of this that deserves some discussion, I think.
>
> t
>
>
> >-----Original Message-----
> >From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-
> >bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Ryan Sears
> >Sent: Wednesday, March 30, 2011 10:45 AM
> >To: noloader@xxxxxxxxx
> >Cc: full-disclosure
> >Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> >Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that
> >matter), if anyone should understand that an XSS should really only be
> >construed a 'criminal act' if it's indeed used to attack someone. If a group
> >is taking the time out of their day to find and disclose issues to Mcafee,
> >they should probably be thankful. What about finding a vulnerability in
> >Mcafee's virus scanner? Could that be construed as a 'criminal act' if they
> >disclose it? Where do you draw the line?
> >
> >Basically this sort of thing pushes the community into silence until
> >something truly criminal happens. I'm not saying give anyone massive amounts
> >of credit for publishing a few XSS bugs (because there's millions of them
> >out there), but don't label them as a criminal for trying to help. That's
> >just idiotic IMO.
> >
> >If you run an enterprise level solution for antivirus AND web vulnerability
> >testing, the community understands that it's a process not unlike any other.
> >There will be bugs, but it only demolishes the image of Mcafee to see them
> >handle it like this in particular. If they would have been appreciative
> >about it, and promptly fixed their website (or at the very least maintained
> >friendly contact) this incident would have pretty much gone unnoticed.
> >
> >Look at LastPass as an example.
> >
> >http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
> >
> >They had someone poking at their site, who managed to find an XSS bug using
> >CRLF injections. They were appreciative of the find, 2.5 hrs later the issue
> >was fixed, and there was that blog post about exactly what they were going
> >to do about it. They took full responsibility for the fact that THEIR coding
> >was to blame, and basically said 'This is what happened, and this is why it
> >will probably never happen again'. This spoke hugely to me (as I'm sure it
> >did the rest of the community) because it shows a company that's willing to
> >admit it made a mistake, as opposed to sitting on their haunches and blaming
> >people for looking for these sorts of bugs. Oh and not every customer of
> >their service has to pay massive licensing fees, as there's a free version
> >as well. In my mind at least this equates to a company that cares more about
> >their customers that don't pay a single dime, than a company who forces
> >people to pay massive amounts of coin for shaky automated scanning and
> >services. That's just the way I see it though.
> >
> >
> >Someone's gotta tell the emperor he has no clothes on.
> >
> >Ryan
> >
> >----- Original Message -----
> >From: "Jeffrey Walton" <noloader@xxxxxxxxx>
> >To: "YGN Ethical Hacker Group" <lists@xxxxxxxx>
> >Cc: "full-disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
> >Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
> >Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> >
> >On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <lists@xxxxxxxx>
> >wrote:
> >> According to xssed.com, there are two remaining XSS issues:
> >>
> >> https://kb.mcafee.com/corporate/index?page=content&id="; alert(1); //
> >> https://kc.mcafee.com/corporate/index?page=content&id="; alert(1); //
> >>
> >>
> >> You guys know our disclosed issues are very simple and can easily be
> >> found through viewing HTML/JS source codes and simple Google Hacking
> >> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
> >>
> >> However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> >> http://www.cenzic.com/company/management/khera/, according to Network
> >> World News editor - Ellen Messmer. Thus, the next target is Cenzic
> >> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> >> is.
> >Too funny.... I wonder if Aaron Barr is consulting for Cenzic.
> >
> >Jeff
> >
> >>> [SNIP]
> >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/