Dailydave mailing list archives
RE: Re[2]: ASN.1 Vulnerability Could Allow CodeExecution(828028); Microsoft Security Bulletin MS04-007
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Wed, 11 Feb 2004 17:27:50 -0800
I have to agree that we're not done with ASN.1 vulns. Y'all will recall the announcement last year about the generic ASN.1 parser vulnerabilities (found in the SNMP tests IIRC) from Oulu University; I would submit that this is a continuation of that. If you look around, you'll find that a stunning number of places use the same base ASN.1 parsing code (developed by US gov. maybe? I forget), and I think we're going to see a lot of these show up in a surprising number of random places (consider how widely ASN.1 is used). I think this is the equivalent of people borrowing sample code that is vulnerable from MS or any other vendor and finding out later that they are subject to exploit as a result.

toby
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Brett Moore
Sent: Wednesday, February 11, 2004 1:00 PM
To: dailydave () lists immunitysec com
Subject: RE: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow CodeExecution(828028); Microsoft Security Bulletin MS04-007

> Ahwell. I personally have this weird idea that we're by far not done with MSASN1.DLL.
etc

I'd agree with that, and everything you said... Take the RPC flaws for example... Once one had come out, attention is suddenly turned to that area, and more are found...

If someone was to take a systematic approach to bug finding, instead of random hit and miss, they would turn up a hell of a lot of bugs..

"Methodical Approach To Finding Buffer Overflows"
* Review past bugs
* design a 'spreadsheet'
* mark in known bugs
* test where the gaps are.

example: previous = prev bug, silent fix = discovered but fixed silently by sp

               Large Param   Chunked Post   content-type len
.ida           Previous      silent fix
.asp           Previous      Previous
shtml.dll      silent fix    silent fix
fp30reg.dll    found
etc..

Past history shows the majority of buffer overflows exist due to
1) long filename/pathname/parameter
   Check everything that accepts a filename/pathname/param
   Including HTTP methods/headers and API's
2) corrupt packet/file (essentially the same thing)
   Check all interfaces where packets are received, files read for info.
   Including RPC/DDE/SMB

Of course reverse engineering all the dlls/functions and reviewing the code, while being extremely time consuming, could turn up gold...

Perhaps it's just a matter of knowing 'where to look'.... .
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Halvar Flake
Sent: Thursday, February 12, 2004 8:24 AM
To: Nicob
Cc: dailydave () lists immunitysec com
Subject: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007

Hey all,

N> And that's probably the same thing for the US-CERT and the
N> "Vulnerabilities Cartel" created by ISS, Foundstone, @stake, ...
N> So, from this page [1], we can deduce that there's numerous guys (at
N> least one hundred ?) knowing about 2 HIGH severity vulns in MS products
N> for half a year.

I personally think that anyone who looked seriously at MSASN1.DLL could've had these vulns, and after the H323 bugs I would assume many people took an interest and looked at it (which they didn't do before).

But then again, is there anyone surprised at all? I think with a piece of soft as complex as Windows, we can safely assume that at any given point in time some group of people will have a remote for it (if you don't want to accept this notion, take iexplore into the picture and the prospect of client-side exploitation).

Ahwell. I personally have this weird idea that we're by far not done with MSASN1.DLL.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
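The thread keeps coming back to one defect class: an ASN.1 decoder that trusts a length field read from the packet or file (Brett's "corrupt packet/file" category) before checking it against the bytes actually present. The following bounds-checked BER tag/length decoder is an added example written for this archive page; it is not code from the thread, from MSASN1.DLL, or from the Oulu test suite, and its sample buffers, error codes and function names are constructed for illustration. It shows the checks a decoder needs so that an oversized, truncated, indefinite or non-minimal length is rejected at the header instead of being passed on to a copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed header of one BER TLV (tag, length, value).  Example type, not a real library's. */
typedef struct {
    uint8_t        tag;        /* single-octet tag only; multi-octet tags are rejected */
    size_t         length;     /* declared length of the value, already bounds-checked */
    size_t         header_len; /* octets consumed by tag + length */
    const uint8_t *value;      /* points into the caller's buffer, never past buf + buflen */
} tlv_t;

/* Decode one TLV header from buf[0..buflen).  Returns 0 on success or a
 * negative code for each way the length can be malformed.  The declared
 * length is compared with the bytes remaining BEFORE it is stored, which is
 * the check whose absence turns a corrupt packet into a buffer overflow. */
int ber_read_tlv(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    size_t pos = 0;
    size_t length;

    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                          /* need at least tag + one length octet */

    if ((buf[pos] & 0x1f) == 0x1f)
        return -2;                          /* high-tag-number form: out of scope here */
    out->tag = buf[pos++];

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        length = first;                     /* short form: 0..127 */
    } else if (first == 0x80) {
        return -3;                          /* indefinite length: forbidden in DER, rejected */
    } else {
        size_t nbytes = first & 0x7f;       /* long form: count of following length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return -4;                      /* 0xff is reserved; wider than size_t would wrap */
        if (nbytes > buflen - pos)
            return -5;                      /* the length octets themselves run off the end */
        if (nbytes > 1 && buf[pos] == 0x00)
            return -6;                      /* non-minimal encoding (leading zero octet) */
        length = 0;
        for (size_t i = 0; i < nbytes; i++)
            length = (length << 8) | buf[pos++];
        if (length < 0x80)
            return -6;                      /* non-minimal: should have used short form */
    }

    if (length > buflen - pos)
        return -7;                          /* declared length exceeds what we were given */

    out->length     = length;
    out->header_len = pos;
    out->value      = buf + pos;
    return 0;
}

/* Count the children of a constructed TLV such as SEQUENCE, bounding every
 * child by the PARENT's declared length rather than the whole buffer.
 * Returns -1 if the parent or any child header is malformed. */
int ber_count_children(const uint8_t *buf, size_t buflen)
{
    tlv_t parent;
    if (ber_read_tlv(buf, buflen, &parent) != 0 || (parent.tag & 0x20) == 0)
        return -1;

    int count = 0;
    for (size_t off = 0; off < parent.length; count++) {
        tlv_t child;
        if (ber_read_tlv(parent.value + off, parent.length - off, &child) != 0)
            return -1;
        off += child.header_len + child.length;  /* cannot pass parent.length: checked above */
    }
    return count;
}

/* Constructed samples (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]  = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x2a}; /* SEQUENCE { INTEGER 5, INTEGER 42 } */
static const uint8_t SAMPLE_HUGE[]  = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x02, 0x01, 0x05}; /* claims 4 GiB in 9 bytes */
static const uint8_t SAMPLE_TRUNC[] = {0x30, 0x09, 0x02, 0x01, 0x05}; /* claims 9 bytes, 3 present */
static const uint8_t SAMPLE_INDEF[] = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00}; /* indefinite length */
static const uint8_t SAMPLE_WIDE[]  = {0x30, 0x89, 0x01, 0x02}; /* 9 length octets: wider than size_t */
static const uint8_t SAMPLE_SHORT[] = {0x30, 0x85, 0x01}; /* 5 length octets promised, 1 present */

int main(void)
{
    tlv_t t;
    printf("good:  children=%d\n", ber_count_children(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("huge:  rc=%d\n", ber_read_tlv(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &t));
    printf("trunc: rc=%d\n", ber_read_tlv(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &t));
    printf("indef: rc=%d\n", ber_read_tlv(SAMPLE_INDEF, sizeof SAMPLE_INDEF, &t));
    return 0;
}
```

The point of the design is that `length` is never used for anything (a `memcpy`, an allocation, an offset) until it has been compared with `buflen - pos`, and that nested walks are bounded by the enclosing element's length, not the transport buffer. A decoder in which either comparison is missing is exactly the kind of code the "Large Param / corrupt packet" spreadsheet in the thread is meant to find gaps in.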