Full Disclosure mailing list archives
RE: ASN.1 telephony critical infrastructure warning - VOIP
From: David Wilson <David.Wilson () isode com>
Date: Mon, 23 Feb 2004 20:52:54 +0000
On Tue, 2004-02-17 at 16:31, Zak Dechovich wrote:
I would like to answer you all together, as I was the one who started this thread, ASN1 is a simple data encapsulation, the problem occurs when the decapsulation procedure fails because of any reason. in the case at hand, the data slips into the code segment.
ASN.1 = Abstract Syntax Notation number One. As part of the definitions, there are also defined encoding rules, for the interchange of values defined using ASN.1. The most common rules are BER (Basic Encoding Rules). It should be emphasised that ASN.1 and BER are NOT vulnerable, at least any more than IP packet encodings, or TCP packet encodings are vulnerable. What are potentially vulnerable are _implementations_ of encoders/decoders which take convert between the on-the-wire encoding (e.g. BER) and some internal alternative concrete representation of the abstract values. The recent well-publicised vulnerability in Microsoft's BER decoding library is an example of such a problem with an _implementation_. There is actually little excuse for this kind of thing. The University of Oulu produced their first test suites some time ago, and I see they have quite a range now: <URL:http://www.ee.oulu.fi/research/ouspg/protos/>. which seems to include telephony protocols. Then there have been test suites based on these for S/MIME, X.400 P22/P772 and (certificates in) SSL. There is actually little excuse for any software producer who has code which uses ASN.1 for having an implementation which does not pass these kinds of test. Even if there is not a test suite available from someone else, such as Oulu, then the basic principles of the test are very simple, and tests can be generated fairly mechanically. You are right in saying there _may_ be vulnerabilities via any protocol which uses ASN.1, but only if the _implementation_ is at fault. In the case of such implementations running on Microsoft Windows, that may depend on the implementation they are using (Microsoft or some other). cheers -- David Wilson <David.Wilson () isode com> Isode Limited _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ASN.1 telephony critical infrastructure warning - VOIP Gadi Evron (Feb 17)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Michal Zalewski (Feb 17)
- RE: ASN.1 telephony critical infrastructure warning - VOIP Zak Dechovich (Feb 17)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Michael Samuel (Feb 18)
- Re: ASN.1 telephony critical infrastructure warning - VOIP jan . muenther (Feb 18)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Valdis . Kletnieks (Feb 18)
- Re: ASN.1 telephony critical infrastructure warning - VOIP jan . muenther (Feb 18)
- RE: ASN.1 telephony critical infrastructure warning - VOIP Zak Dechovich (Feb 17)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Michal Zalewski (Feb 17)
- RE: ASN.1 telephony critical infrastructure warning - VOIP David Wilson (Feb 23)
- Re: ASN.1 telephony critical infrastructure warning - VOIP daniel uriah clemens (Feb 17)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Florian Weimer (Feb 17)
- Re[2]: ASN.1 telephony critical infrastructure warning - VOIP 3APA3A (Feb 18)
- <Possible follow-ups>
- RE: ASN.1 telephony critical infrastructure warning - VOIP John LaCour (Feb 17)
- Re: ASN.1 telephony critical infrastructure warning - VOIP Joseph M Hoffman (Feb 19)