
Re: [WEB SECURITY] Microsoft.fr web defacement - misconfiguration or zero-day exploit?




While the info gathered from the defacer **may** be the truth, I am always a
bit skeptical in trusting what these folks have to say.  Way too much
temptation for them to want to brag about new 0-day sploits that they
found...

I guess I have been watching a bit too much of the Law and Order re-runs on
TNT, but I envision a cross-examination with this TIThack suspect where DA
McCoy states for the jury -

"So, Mr. TIThack, you broke into the Microsoft site and defaced the
webpage.  You then contacted Zone-H to notify them of the successful
defacement.  When filling out the zone-h notification form, you specified
"web server intrusion" when you could have provided more specific details.
So, you are a criminal and a liar and now you want us to take your word on
the details you have laid out concerning the alleged .NET Nuke script?"

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 6/20/06, Gaetano Zappulla <gaetano@bacarospo.net> wrote:
>
> Hayes, Bill wrote:
> > Was the recent Microsoft.fr web defacement aided by site
> > misconfiguration or an IIS 6.0 zero-day exploit?  Any clues?
> >
>
> http://www.zone-h.org/content/view/4770/31/
>
> "The attacker revealed that he exploited a .net script 0day
> vulnerability after discovering that expert.microsoft.fr had installed
> and was running a vulnerable .net nuke script."
>
> you can put back the defcon to 5 ;)
>
> -g
>
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
