                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x06 of 0x0f

|=-------------------------=[ Eye on the Spy ]=-------------------------=|
|=----------------------------------------------------------------------=|
|=--------------------------=[ tr4shc4n m4n ]=--------------------------=|


"You shall know the truth and it shall make you mad." - Aldous Huxley


Phrack High Council Security Advisory 09.10.03:
Exploitable Greed may Result in Disclosure of Vulnerability Information.

September 19, 2003


I. BACKGROUND

iDefense, a Delaware corporation, is a born-again security company that
sells intelligence to clients willing to pay exorbitant sums of money in
order to learn what Chinese hackers are doing on IRC, or to learn about
new vulnerabilities in software packages no one knows about.

Though previously such intentions were considered merely alarming or
simply "laughable," iDefense has decided to overstep its original goal of
merely releasing contributed vulnerability information on behalf of paid
clients, and to actually release vulnerability information that has
leaked, without the knowledge or approval of the discoverers or exploit
authors. Just such a thing has happened, as shown by the recent iDefense
sadmind vulnerability release. Thanks go to HD Moore, the master of
reconstructing tcpdump logs into Perl scripts, for creating an exploit
for this vulnerability which could then be used by the entire world!


II. DESCRIPTION

iDefense has developed an exploit targeting previously undisclosed
information disclosure vulnerabilities within the whitehat community.
The exploit works by tempting noted figures within the public
full-disclosure and underground hacking communities with payouts in
exchange for leaking vulnerabilities and working exploits to Dave
Endler.

This exploit is initially delivered by an email from Dave, asking
whether the individual is interested in making money from any
vulnerabilities they have knowledge of and for which they have working
0day exploits.
If the individual accepts the message sent from iDefense, they are asked
to disclose to iDefense the nature and effect of the vulnerability. Upon
acceptance of the information by iDefense, an iDefense Labs ID# is
assigned to the individual and an offer (pay0la) is made. Payment may be
delivered through PayPal, Western Union, or wire transfer. In exchange
for payment, the individual agrees to give up any copyrights or other
intellectual property rights to the exploit and vulnerability
information they sold to iDefense. iDefense then turns around and
notifies its clients of the vulnerability and, at times, coordinates the
bugfix with the vendor.


--- Example 1: Sabre Remote Denial of Service Vulnerability ---

Initially, Phrack Labs was amazed to discover that altomo received $325
for this vulnerability and working exploit. Previously, it was believed
that Global Hell (gH) members were incapable of making more than $100 a
pop, unless it involved swallowing 25 baggies of cocaine.

On August 29th, 2002, iDefense offered Altomo, a US citizen, a payment
of $325 for the vulnerability and working exploit against the Sabre
reservation system. Additional information indicates that Altomo had
previously used this exploit in denial of service attacks against the
target, and was making one final buck on the vulnerability. Payment was
made through Altomo's PayPal account, adame780@bellsouth.net.


--- Example 2: Sambar Remote File Retrieval Vulnerability ---

For over 9000 rubles (about $300), Vladimir Dubrovin (3APA3A) was able
to buy a lot of vodka and cigarettes after selling a remote exploit for
the Sambar remote file retrieval vulnerability to Dave Endler. Payment
was made via Western Union to ALFA BANK, Nizhny Novgorod.

In the opinion of Phrack Labs, Vladdy could have made out like a bandit,
like his Polish counterparts. However, greed does not equal brilliance.
This becomes more evident when one takes into account the shoddy
security of Vladdy's systems.
--- Example 3: Alan McCaig (b0f) ---

Initially, a Phrack Labs associate contacted b0f during our research of
the iDefense vulnerability. Unfortunately, b0f denied any involvement
with iDefense or Dave Endler.

==============BEGIN LOG======================
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] ?
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] who told u anything about 300$ ?
[msg(b0f)] just tell me why you did it.
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] i didn't get no money for nuthin
[msg(b0f)] funny cause david endler of idefense seems to think differently.
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] lol
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] where he say this
[msg(b0f)] just tell me yoh why you did it.
[msg(b0f)] why did dtors sell their stuff.
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] dtors has sold like one thing
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] that i know of anyways
[msg(b0f)] well man, some bulgarians forwarded me some dox, got your name and 300$ and iDefense all on the same line.
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] i have never got 300$ from idefense
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] look at the advisorys none are from me
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] david endler from idefense doesn't put anywhere how much people where paid
[b0f(b0f@pc-80-194-151-13-ud.blueyonder.co.uk)] not that i have ever seen
==============END LOG=========================

Well, we are here to fully disclose that b0f did indeed sell dtors warez
to iDefense. b0f received 300 dollars in his PayPal account
(b0fnet@yahoo.com) on March 4th, 2003. This was not the last time Alan
violated the trust put in him by his friends to make a quick buck. We,
at Phrack Labs, doubt this will be the last.
--- Example 4: PHP-Nuke v5.6 SQL Injection Vulnerability ---

This exploit by iDefense was not anonymous for the individual who sold
the information, Daviz Zentner of Kennewick, Washington (aka kill9).
This vulnerability was published jointly by iDefense and kill9.
Previously, kill9 was involved in hacking the database registration
servers of a Korean security company, in excess of the access granted to
himself and others as part of a $100k hacking contest. It is rumored
that he used a PHP vulnerability to compromise their corporate network
and download protected database information. For his troubles in selling
this vulnerability to iDefense, kill9 received $500, wired directly to
his Bank of America account.


--- Example 5: Java JVM Exploit ---

Our last (and best) example of the iDefense exploit being used involved
the esteemed group Last Stage of Delirium (LSD). LSD is composed of four
Polish researchers (Michal Chmielwski, Sergiusz Fonrobert, Adam Gowdiak,
and Thomasz Ostwald). Previous statements by the LSD group have
indicated that they would never sell out their ideals and try to make a
buck from their hacking. We at Phrack Labs take issue with this outright
lie, and offer for your information the fact that LSD sold out not for a
single buck, but for a payment of $3500. In exchange for this payment,
LSD provided iDefense with working exploits for the JVM vulnerability
and a pre-release copy of their "Java and Java Virtual Machine security
vulnerabilities and their exploitation techniques" paper. To this date,
the JVM exploit has not been made public. One has to wonder for whom,
and for what purpose, iDefense would want that exploit. Are they
reselling the 'good' exploits to Canadian terrorists who then use them
to shut down our power grids?


III. ANALYSIS

The anonymity and potential money offered by iDefense to whitehats in
exchange for vulnerability information is very tempting.
This exploits one of the more sensitive vulnerabilities existing in the
community, and the very thing that sets whitehats apart from true
blackhats -- Greed. Phrack Labs has been studying this vulnerability for
the past year.


IV. SOLUTION

The solution developed by Phrack Labs to date for the iDefense
vulnerability is truth. By eliminating the veil of anonymity that
individuals who do business with iDefense hide behind (clients, advisory
board members, and vulnerability contributors), we hope to redress the
grievous situation that has developed and the active exploitation of
Greed in the computer (in)security community.

PHC hopes that following this advisory, the addressed issues will be
solved. If, however, both parties in question (contributors and the
Delaware company) continue to act unscrupulously, more severe advisories
may be released in the future to stamp out any possible threats.


V. DISCLOSURE TIMELINE

01 SEP 2003  Phrack High Council receives anonymous tip on iDefense
             contributors.
02 SEP 2003  Phrack High Council contemplates contacting vendor.
02 SEP 2003  Phrack High Council says fuck it.
11 SEP 2003  Issues disclosed to PHC clients.
19 SEP 2003  Coordinated public disclosure.


VI. CREDIT

Dave Endler, without whose inept handling of contributor information
none of this would be possible.

Get paid for security research and have your d0x dropped:
http://www.idefense.com/contributor.html


About Phrack High Council

PHC is a global security intelligence organization that proactively
monitors whitehats throughout the world - from honeynet projects and
false-prophet IDS vendors to untrustworthy blackhat wannabes. Our
intelligence services provide members of the underground with timely
access to actionable intelligence and decision support on
security-related threats. For more information, visit
http://phrack.efnet.ru .

|=[ EOF ]=---------------------------------------------------------------=|