Dailydave mailing list archives
RE: Re[2]: ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Thu, 12 Feb 2004 09:59:59 +1300
> Ahwell. I personally have this weird idea that we're by far not done with MSASN1.DLL.
> etc

I'd agree with that, and everything you said... Take the RPC flaws for example... Once one had come out attention is suddenly turned to that area, and more are found... If someone was to take a systematic approach to bug finding, instead of random hit and miss, they would turn up a hell of a lot of bugs..

"Methodical Approach To Finding Buffer Overflows"

* Review past bugs
* design a 'spreadsheet'
* mark in known bugs
* test where the gaps are.

example: previous = prev bug, silent fix = discovered but fixed silently by sp

                Large Param    Chunked Post   content-type len
.ida            Previous       silent fix
.asp            Previous       Previous
shtml.dll       silent fix     silent fix
fp30reg.dll     found
etc..

Past history shows the majority of buffer overflows exist due to

1) long filename/pathname/parameter
   Check everything that accepts a filename/pathname/param
   Including HTTP methods/headers and API's

2) corrupt packet/file (essentially the same thing)
   Check all interfaces where packets are received, files read for info.
   Including RPC/DDE/SMB

Of course reverse engineering all the dlls/functions and reviewing the code, while being extremely time consuming, could turn up gold... Perhaps it's just a matter of knowing 'where to look'....

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com]On Behalf Of Halvar Flake
Sent: Thursday, February 12, 2004 8:24 AM
To: Nicob
Cc: dailydave () lists immunitysec com
Subject: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007

Hey all,

N> And that's probably the same thing for the US-CERT and the
N> "Vulnerabilities Cartel" created by ISS, Foundstone, @stake, ...
N> So, from this page [1], we can deduce that there's numerous guys (at
N> least one hundred ?) knowing about 2 HIGH severity vulns in MS products
N> for half a year.

I personally think that anyone who looked seriously at MSASN1.DLL could've had these vulns, and after the H323 bugs I would assume many people took an interest and looked at it (which they didn't do before). But then again, is there anyone surprised at all ? I think with a piece of soft as complex as Windows, we can safely assume that at any given point in time some group of people will have a remote for it (if you don't want to accept this notion, take iexplore into the picture and the prospect of client-side exploitation).

Ahwell. I personally have this weird idea that we're by far not done with MSASN1.DLL.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
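The 'spreadsheet' approach Brett sketches, as an added example that is not part of the thread: a small Python script that holds the known-bug matrix, renders it, and lists the untested interface/input-class cells, ranking interfaces with prior bugs first so a tester knows where to look next. The sample rows are constructed from the sketch above; which column each of its cells falls in, and the placeholder interface name, are assumptions.

```python
"""Coverage-matrix gap finder for planning systematic security testing.

Rows are interfaces that accept untrusted input (file/path/parameter,
packets, files), columns are input classes to exercise; cells record what
is already known and empty cells are the gaps to test next.
"""

INPUT_CLASSES = ("Large Param", "Chunked Post", "content-type len")

# Constructed sample records (interface, input class, status), based on the
# post's sketch; which column each of its cells belongs to is an assumption.
KNOWN = [
    (".ida", "Large Param", "previous"),
    (".ida", "Chunked Post", "silent fix"),
    (".asp", "Large Param", "previous"),
    (".asp", "Chunked Post", "previous"),
    ("shtml.dll", "Large Param", "silent fix"),
    ("shtml.dll", "Chunked Post", "silent fix"),
    ("fp30reg.dll", "Large Param", "found"),
]

def build_matrix(records, interfaces=(), columns=INPUT_CLASSES):
    """Map interface -> {input class: status}; `interfaces` lets you list
    components with no known history so their cells show up as gaps too."""
    matrix = {iface: {} for iface in interfaces}
    for iface, cls, status in records:
        if cls not in columns:
            raise ValueError(f"unknown input class {cls!r}")
        matrix.setdefault(iface, {})[cls] = status
    return matrix

def find_gaps(matrix, columns=INPUT_CLASSES):
    """Untested (interface, input class) cells, interfaces with the most
    prior bugs first: past history is the post's predictor of where more
    bugs are likely to be."""
    gaps = [(-len(cells), iface, cls)
            for iface, cells in matrix.items()
            for cls in columns if cls not in cells]
    return [(iface, cls) for _, iface, cls in sorted(gaps)]

def render(matrix, columns=INPUT_CLASSES):
    """Plain-text spreadsheet view, one line per interface, '-' for a gap."""
    width = max(len(c) for c in columns) + 2
    lines = ["".ljust(14) + "".join(c.ljust(width) for c in columns)]
    for iface in sorted(matrix):
        cells = matrix[iface]
        lines.append(iface.ljust(14) + "".join(cells.get(c, "-").ljust(width) for c in columns))
    return "\n".join(lines)

if __name__ == "__main__":
    m = build_matrix(KNOWN, interfaces=["example.dll"])  # placeholder, constructed
    print(render(m))
    for iface, cls in find_gaps(m):
        print("gap:", iface, cls)
```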
Current thread:
- ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Bradley, Terry (CONTR) (Feb 11)
- Re: ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Dave Aitel (Feb 11)
- Re: ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Nicob (Feb 11)
- Re[2]: ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Halvar Flake (Feb 11)
- RE: Re[2]: ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007 Brett Moore (Feb 11)
- Re[4]: ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007 Halvar Flake (Feb 12)
- RE: Re[4]: ASN.1 Vulnerability Could Allow CodeExecution(828028); Microsoft Security Bulletin MS04-007 john blumenthal (Feb 15)
- Re: ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Nicob (Feb 11)
- Re: Re[2]: ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007 Matt Hargett (Feb 11)
- Re: ASN.1 Vulnerability Could Allow Code Execution (828028); Microsoft Security Bulletin MS04-007 Dave Aitel (Feb 11)