[Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread goudatr0n
Infosec researchers with the Greater Alliance of PHP
Programmers, headed by goudatr0n and in cooperation
with David Marcus, have discovered a backdoor in the
new Immunity Debugger. 

1. PRODUCTS AFFECTED
Immunity Debugger (Immunity Security,
http://www.immunitysec.com/products-immdbg.shtml), All
Versions

2. OVERVIEW
The Immunity Debugger contains a backdoor that emails
session history, running applications and other system
information (location, IP address, machine Owner Name)
to an email address at immunitysec.com.

3. ANALYSIS
Immunity Security provides a lightweight debugger for
Windows, presumably to aid in discovering 0-day
security vulnerabilities. The debugger is distributed
freely on
the immunitysec.com website, requiring the user to
register when they download it.

Presumably, this debugger is intended to be used by
people searching for weaknesses in various proprietary
products, due to the unsafe nature of how they are
developed, where the source is not frequently audited.
Since David Aitel is an attention whore who is only
rivaled by Gadi Evron, and his lack of skills is
evident, Immunity Security is only able to reveal
0-days by stealing them from other hackers attempting
to find them.

The backdoor emails detailed system information, along
with detailed debugging session information. In one
such email that was intercepted, it was seen that the
entire session was attached, as well as the Owner Name,
external IP address, a list of running services and
their versions.

4. SOLUTION
Do not trust Immunity Security's debugger. They will
steal your 0-day and parade it around like they are
the ones who discovered it. This will only continue to
feed into David Aitel's massive ego, compensating for
his tiny penis.

BROUGHT TO YOU BY GOUDATR0N AND THE GREATER ALLIANCE
OF PHP PROGRAMMERS
DON'T BE DUMB
BE A SMARTY
COME AND JOIN
THE PISS PARTY

goudatr0n can be found online at irc.perl.org #perl
using the nick TimToady.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread Jared DeMott
Dave, is any of this true?



Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread nnp
Code location or it didn't happen.



-- 
http://www.smashthestack.org
http://www.mastersofthewang.com



Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread Nicolas Waisman
Sorry for the delay, I was sorting my database of our users' debugger
sessions, emails, porn pictures, underwear size, etc.

NO, THERE IS NO BACKDOOR AT ALL IN IMMUNITY DEBUGGER. We don't get any
system information or "debugging sessions" (???) or anything else
weird like that. Immunity Debugger does make an HTTP connection to
Immunity to look for updates, much the way Firefox or any other modern
software updates.

Again, NO, we don't do any data mining.

In any case, thanks for the free advertisement "goudatr0n".

If you are still afraid, here is the list of md5 hashes:

Cheers,
Nico




Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread monikerd
md5 is broken in a way that you could make 2 .exe's with the same md5
that do different things ...

Not that I believe you are data mining, would be quite a feat to go
unnoticed out my network anyway.

Thought I'd point that out, so that maybe we could "like" stop using
md5 in situations where it's broken. Otherwise we might just as well
stop calling this a security mailing list.

If you are saying the files with these md5 hashes are clean, feel free to
test them. You could still have an evil version that you can start
distributing in a while ..

Just thought I'd throw this in so as to not have wasted another thread on
this fine mailing list... Hell, it's August after all. Doesn't really
matter that much :)

cheers



Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread Andre Gironda
On 8/9/07, monikerd <[EMAIL PROTECTED]> wrote:
> md5 is broken in a way that you could make 2 .exe's with the same md5
> that do different things ...

yeah seriously... pub the sha1s and md5s both please

or better yet sign it with gpg like mozilla does

dre

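As an added example (not code from the thread, from Immunity or from any poster), a small Python manifest checker that does what monikerd and Andre ask for: it verifies a download against every published digest and flags a file whose manifest entry is MD5 only, since a colliding second file would pass that check unchanged. The two-column `<hexdigest>  <filename>` manifest format, the file names and the byte contents below are constructed here; a GPG signature over the manifest, as Andre suggests, is the stronger check and is not shown.

```python
"""Verify downloaded files against a published digest manifest.

Added example for the Immunity Debugger thread, not the project's code.
Manifest lines look like Nico's list: "<hexdigest>  <filename>".
"""
import hashlib

WEAK = {"md5"}                                  # collision-broken algorithms
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length -> algorithm


def parse_manifest(text):
    """Return {filename: {algo: hexdigest}} from md5sum/sha*sum-style lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # blank or malformed line
        digest, name = parts[0].lower(), parts[1]
        algo = HEX_LEN.get(len(digest))
        if algo is None:
            continue                      # unknown digest length
        entries.setdefault(name, {})[algo] = digest
    return entries


def make_manifest(files, algos):
    """Build manifest text for trusted {filename: bytes} with the given algorithms."""
    return "\n".join(f"{hashlib.new(a, data).hexdigest()}  {name}"
                     for name, data in files.items() for a in algos)


def verify(files, manifest_text):
    """files: downloaded {filename: bytes}. Returns {filename: status} where
    status is 'ok', 'mismatch', 'missing' or 'weak-only' (every digest matches
    but the manifest carries only MD5, which a colliding file also satisfies)."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        matches = all(hashlib.new(algo, data).hexdigest() == hexd
                      for algo, hexd in expected.items())
        if not matches:
            results[name] = "mismatch"
        elif set(expected) <= WEAK:
            results[name] = "weak-only"
        else:
            results[name] = "ok"
    return results
```

Constructed usage: build a manifest from trusted copies with `make_manifest`, then run `verify` over the downloaded copies; any `weak-only` result means the manifest needs a SHA-2 digest or a signature before it proves anything.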


Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread monikerd
No matter what you say, md5 is still broken.

Google it: "collision attack"

or better yet, Wikipedia it:
"MD5CRK ended shortly after 17 August 2004, when collisions for the full
MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo
Yu.[1][2] Their analytical attack was reported to take only one hour on
an IBM p690 cluster."

md5 is broken. That way.

And the way it is broken is the way he has used it.

If you don't understand how md5 is broken, really you don't need to be
on this list.

Really, if anyone's netdev, it's you.

cheers, dimwit. Maybe you guys should follow the trends a bit, rather
than submit XSS and sql injections in noname websites.



Joey Mengele wrote:
> What the fuck are you talking about?
>
> More importantly, why so many ellipses? You cannot throw off Doctor 
> Neal's algorithms gobbles. Or should I call you n3td3v? Nice try, 
> troll.
>
> J
>
> On Thu, 09 Aug 2007 16:34:30 -0400 monikerd <[EMAIL PROTECTED]> 
> wrote:



Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread Andre Gironda
On 8/9/07, monikerd <[EMAIL PROTECTED]> wrote:
> cheers, dimwit. Maybe you guys should follow the trends a bit, rather
> than, submit
> XSS and sql injections in noname websites.

i read in some book [guess which one] that ImmunitySec had some
problems with xss in their silica product

dre



Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger

2007-08-09 Thread Slythers Bro
the backdoor is named "python"