Dailydave mailing list archives

RE: Re[2]: ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Thu, 12 Feb 2004 09:59:59 +1300

> Ahwell. I personally have this weird idea that we're by far not done
> with MSASN1.DLL.
etc

I'd agree with that, and everything you said... Take the RPC flaws for
example... Once one had come out, attention is suddenly turned to that
area, and more are found...

If someone were to take a systematic approach to bug finding, instead
of random hit and miss, they would turn up a hell of a lot of bugs..

"Methodical Approach To Finding Buffer Overflows"
* Review past bugs
* design a 'spreadsheet'
* mark in known bugs
* test where the gaps are.

example: previous = prev bug, silent fix = discovered but fixed silently by
sp
           Large Param      Chunked Post     content-type len
.ida         Previous                          silent fix
.asp         Previous        Previous
shtml.dll    silent fix      silent fix
fp30reg.dll                   found
etc..

Past history shows the majority of buffer overflows exist due to
1) long filename/pathname/parameter
   Check everything that accepts a filename/pathname/param
   Including HTTP methods/headers and APIs
2) corrupt packet/file (essentially the same thing)
   Check all interfaces where packets are received, files read for info.
   Including RPC/DDE/SMB

Of course reverse engineering all the dlls/functions and reviewing the code,
while being extremely time consuming, could turn up gold... Perhaps it's just
a matter of knowing 'where to look'....




-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com]On Behalf Of Halvar
Flake
Sent: Thursday, February 12, 2004 8:24 AM
To: Nicob
Cc: dailydave () lists immunitysec com
Subject: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code
Execution(828028); Microsoft Security Bulletin MS04-007


Hey all,

N> And that's probably the same thing for the US-CERT and the
N> "Vulnerabilities Cartel" created by ISS, Foundstone, @stake, ...
N> So, from this page [1], we can deduce that there's numerous guys (at
N> least one hundred ?) knowing about 2 HIGH severity vulns in MS products
N> for half a year.

I personally think that anyone who looked seriously at MSASN1.DLL
could've had these vulns, and after the H323 bugs I would assume many
people took an interest and looked at it (which they didn't do
before).

But then again, is there anyone surprised at all? I think with a
piece of soft as complex as Windows, we can safely assume that at any
given point in time some group of people will have a remote for it (if
you don't want to accept this notion, take iexplore into the picture
and the prospect of client-side exploitation).

Ahwell. I personally have this weird idea that we're by far not done
with MSASN1.DLL.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

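One way to implement the coverage 'spreadsheet' Brett describes above, as an added Python example that is not part of the original thread: the grid from his post is embedded as constructed data, the untested component/vector cells are listed as the audit backlog, and vectors are ranked by how many components they have already hit. The function names and the exact status labels are my own choices.

```python
from collections import defaultdict

# Constructed from the grid in the post. Statuses are the post's own labels:
# "previous" = publicly known bug, "silent fix" = fixed without an advisory,
# "found" = turned up by this review.
KNOWN = [
    (".ida", "Large Param", "previous"),
    (".ida", "content-type len", "silent fix"),
    (".asp", "Large Param", "previous"),
    (".asp", "Chunked Post", "previous"),
    ("shtml.dll", "Large Param", "silent fix"),
    ("shtml.dll", "Chunked Post", "silent fix"),
    ("fp30reg.dll", "Chunked Post", "found"),
]
COMPONENTS = [".ida", ".asp", "shtml.dll", "fp30reg.dll"]
VECTORS = ["Large Param", "Chunked Post", "content-type len"]

def build_grid(known):
    """Map (component, vector) -> status."""
    return {(c, v): status for c, v, status in known}

def coverage_gaps(known, components, vectors):
    """(component, vector) cells with no recorded result: what to audit next."""
    grid = build_grid(known)
    return [(c, v) for c in components for v in vectors if (c, v) not in grid]

def vectors_by_hit_rate(known, vectors):
    """Vectors ordered by how many components they already hit; a vector that
    hit several rows is the first to check on an untested one."""
    hits = defaultdict(set)
    for c, v, _ in known:
        hits[v].add(c)
    return sorted(vectors, key=lambda v: -len(hits[v]))

def render(known, components, vectors):
    """Plain-text table in the layout of the post; '-' marks an untested cell."""
    grid = build_grid(known)
    width = max(len(x) for x in components + vectors) + 2
    lines = ["".ljust(width) + "".join(v.ljust(width) for v in vectors)]
    for c in components:
        row = c.ljust(width) + "".join(grid.get((c, v), "-").ljust(width) for v in vectors)
        lines.append(row.rstrip())
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(KNOWN, COMPONENTS, VECTORS))
    print("untested:", coverage_gaps(KNOWN, COMPONENTS, VECTORS))
    print("check first:", vectors_by_hit_rate(KNOWN, VECTORS))
```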