Doubleclick - round 3: the official response
| Doubleclick Round 5 Devenez un technicien chez Doubleclick Become a tech guy at Doubleclick |
| Doubleclick Round 4 Lisez mes mails, oups..., sur mes lèvres: "nous réparons" Read my mails, oops..., my lips: "we are fixing this mess" |
Doubleclick Round 3 |
| Doubleclick Round 2 Bases de données non protégées Unprotected databases... |
| Doubleclick Round 1 Hacké depuis 2 ans? Hacked for 2 years? |
| Récapitulatif
des papiers sur le monde étrange des administrateurs réseau et systèmes |
| Récapitulatif
de nos copies d'écran sur ce même monde étrange |
| It's a funky job. But Kitetoa's digital clone does it... |
| Do you know info-hack Kung-Fu? |
| La hotte du Kitetopapanoël |
| Ze Mega
Kite-Teuf! La fête de l'été de Kitetoa... Les sites les plus nazes de l'été 2000 |
| La
Loi de 78 impose aux entreprises de protéger les bases de données qu'elles constituent... |
"We are currently in the middle of completing our due diligence pertaining to this situation. We expect this to be completed next week; at which time we will begin to make the necessary changes in order to ensure that the site is secure"
Beware, this is not an official and public response. Nope, just an ordinary answer to those who continually ask DoubleClick : "hey bud, is it true that your servers are full of good old bugs ?"
So, they'll take one week to read what follows, and verify wether their servers are vulnerable to these good old tricks :
http://www.securityfocus.com/advisories/2195
http://www.eeye.com/html/Research/Advisories/AD19990608-3.html
http://www.wiretrip.net/rfp/p/doc.asp?id=57&iface=2
By the way, DoubleClick tells journalists who ask for some kind of precisions that nothing's vulnerable... As usual, DoubleClick's clients have nothing to fear.
Of course.
If you want to exploit the bugs on the servers, you'll be a cracker and will go to jail (or something similar). We are no crackers. So we won't.
For those who are interested in cracking an who want to go to court and be condemned, here's the modus operandi which will prove that DoubleClick's servers are vulnerable, that one can put sniffers in it, and take back sensitive informations about their clients.
Scan all of the 199.95.206.1 IP address (from one to 254), look for IIS web servers (and NT servers which seem to be very tasteful). Test the unicode bug. Search the "Unitools" package in Bugtraq, which have been submitted by Roelof W Temmingh in a post on Thursday the 25 of january 2001. Launch the scripts... That's it... You've probably hacked DoubleClick. Upload the t00lz you want. In a few days, you'll have all the logins and passwords you'll ever want to posess, but never dare to ask for. In a few months, you'll be condemned for cybercriminality... But, at least, you'll prove that DoubleClick, if one closely read their oficial response, take every body for dummies.
:)