Flipz' Exploit 10/28/99
Mike Hudack Editor-in-Chief
Whenever I talk to someone about the recent spate of government Web defacements one of the first things they ask me is if I know what exploit is being used. The answer is invariably the same -- no. Everyone from eEye to the FBI has asked the same question, and the answer is always the same.
The speculation runs from a repackaged eEye exploit to an FTP vulnerability to a custom-made script written by Flipz himself. The answer doesn't seem to be presenting itself any time soon.
Anonymous Sources
On the night of Friday, October 29th, an anonymous source forwarded an exploit fitting the correct description to us. He said he received it from someone who knows Flipz.
Another anonymous source intimately involved with Flipz and the development of the exploit gave me a call only a few minutes ago. He says the following:
"flipz came up with the idea to the exploit, but he doesn't know how to code himself. He then went to someone, probably a member of the ADM Crew, who wrote the actual exploit.
It's actually kind of recoded RDS, but [flipz and the rest] not going to release the actual vulnerability."
This source explained that F0bic was somehow involved in the development of the exploit, but refused to elaborate on that.
Flipz' Version
Flipz categorically refuses to tell me anything about his exploit, explaining that he "can't tell [me] what I'm using." He would, however, say that it "isn't a hard-core exploit." Apparently it isn't that complicated -- he says "if someone sat down and looked at this exploit for a few hours they'd call themselves stupid for not thinking of it. It's very simple."
He says the idea came from an article in Buffer Overflow, the Hacker News Network's original article section. "It was presented as theory in Buffer Overflow. I just made it reality," he claims.
It's interesting, however, that he has contradicted himself in his zeal to keep his exploit secret. At one point he said "it's a repackaged exploit," while later he claimed it was from Buffer Overflow. It seems that it would have to be one or the other.
The Federals
The FBI apparently has no idea what Flipz is using to deface these sites. I was asked by two special agents, one in Washington DC and one in New Haven, CT about what exploit he was using. Both made it relatively clear they had no idea.
They seemed to know what they were talking about though, and asked me about a few specific possibilities. I simply told them to check the site if they wanted information. This is all I have to offer.
The IRC Opinion
In speaking with several security consultants on IRC, it's pretty clear that most people consider Flipz (and hence his friends) script kiddies. "It's almost certainly iishack," said one consultant on IRC.
The speculation almost refuses to touch the possibility that Flipz wrote the exploit himself. "If anything, it's repackaged," one person acknowledged.
Pretty much everyone refused to be quoted even by pseudonym, saying they weren't one hundred percent certain. As we all know, in the security community there's something of a culture against uncertainty.
Changing Hands
Regardless of what the exploit may be, it has changed hands at least three times. First Flipz had it -- whether he developed it, repackaged it, or downloaded it. He then passed it on to F0bic (who, as far as OSAll can tell, never used it). From there it went to Fuqrag, with Flipz' permission.