RE: Re[2]: ASN.1 Vulnerability Could Allow CodeExecution(828028); Microsoft Security Bulletin MS04-007

["Kohlenberg, Toby" <toby.kohlenberg () intel com>]

I have to agree that we're not done with ASN.1 vulns.

Y'all will recall the announcement last year about the generic
ASN.1 parser vulnerabilities (found in the SNMP tests IIRC) from Oulu 
University last year, I would submit that this is a continuation of
that.
If you look around, you'll find that a stunning number of places use
the same base ASN.1 parsing code (developed by US gov. maybe? I forget)
and I think we're going to see a lot of these show up in a surprising
number of random places (consider how widely ASN.1 is used). 
I think this is the equivalent of people borrowing sample code that is
vulnerable from MS or any other vendor and finding out later that they
are subject to exploit as a result.

toby

> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com 
> [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
> Brett Moore
> Sent: Wednesday, February 11, 2004 1:00 PM
> To: dailydave () lists immunitysec com
> Subject: RE: Re[2]: [Dailydave] ASN.1 Vulnerability Could 
> Allow CodeExecution(828028); Microsoft Security Bulletin MS04-007
>
> > Ahwell. I personally have this weird idea that we're by far not done
> > with MSASN1.DLL.
> etc
>
> I'd agree with that, and everything you said... Take the RPC flaws for
> example... Once one had come out attention is sunddenly turned to that
> area, and more are found...
>
> If someone was to take a systematic approach to bug finding, instead
> of random hit and miss. They would turn up a hell of a lot of bugs..
>
> "Methodical Approach To Finding Buffer Overflows"
> * Review past bugs
> * design a 'spreadsheet'
> * mark in known bugs
> * test where the gaps are.
>
> example: previous = prev bug, silent fix = discovered but 
> fixed silently by
> sp
>           Large Param      Chunked Post     content-type len
> .ida         Previous                          silent fix
> .asp         Previous        Previous
> shtml.dll    silent fix      silent fix
> fp30reg.dll                   found
> etc..
>
> Past history shows the majority of buffer overflows exist due to
> 1) long filename/pathname/paramater
>   Check everything that accepts a filename/pathname/param
>   Including HTTP methods/headers and API's
> 2) corrupt packet/file (essentially the same thing)
>  Check all interfaces where packets are recieved, files read for info.
>  Including RPC/DDE/SMB
>
> Of course reverse enginerring all the dlls/functions and 
> reviewing the code
> while been extremely time cosuming, could turn up gold... 
> Perhaps its just
> a matter of knowing 'where to look'....
>
> .
>
>
>
> -----Original Message-----
> From: dailydave-bounces () lists immunitysec com
> [mailto:dailydave-bounces () lists immunitysec com]On Behalf Of Halvar
> Flake
> Sent: Thursday, February 12, 2004 8:24 AM
> To: Nicob
> Cc: dailydave () lists immunitysec com
> Subject: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code
> Execution(828028); Microsoft Security Bulletin MS04-007
>
>
> Hey all,
>
> N> And that's probably the same thing for the US-CERT and the
> N> "Vulnerabilities Cartel" created by ISS, Foundstone, @stake, ...
> N> So, from this page [1], we can deduce that there's numerous guys (at
> N> least one hundred ?) knowing about 2 HIGH severity vulns in 
> MS products
> N> for half a year.
>
> I personally think that anyone who looked seriously at MSASN1.DLL
> could've had these vulns, and after the H323 bugs I would assume many
> people took an interest and looked at it (which they didn't do
> before).
>
> But then again, is there anyone surprised at all ? I think with a
> piece of soft as complex as Windows, we can safely assume that at any
> given point in time some group of people will have a remote for it (if
> you don't want to accept this notion, take iexplore into the picture
> and the prospect of client-side exploitation).
>
> Ahwell. I personally have this weird idea that we're by far not done
> with MSASN1.DLL.
>
> Cheers,
> Halvar
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave