Re: Mico crashes when contected with wrong IOR / DoS

[Karel Gardas <kgardas () objectsecurity com>]

Hello,

I would just like to add some corrections to disclosure below.

On Thu, 6 Jul 2006, tuergeist wrote:

> == == == TOC == == ==
>
> 1. Affected Vendor
> 2. Affected Product
> 3. Vulnerability
> 4. Safety Hazard
> 5. Disclosure Timeline
> 6. Vendor Response
> 7. Patch / Workaround
> 8. Vulnerability Details
>
> ---------------------
>
> == 1. Affected Vendor ==
>   Object Security

This information is incorrect. ObjectSecurity is not the vendor of the 
MICO ORB. MICO is a free software project licensed under LGPL/GPL 
licenses. ObjectSecurity is its long time user and contributor besides 
lots of other companies and supporters.

> == 2. Affected Products ==
>   MICO - Mico is CORBA, Open Source ORB
>   tested on Version
>       2.3.12RC3
>       2.3.12
>       and latest from repository
>   more infos: http://www.mico.org
>
> == 3. Vulnerability ==
>   MICO crashes when contacted with wrong object key (part: orb-id or
>   orb-creation time)

Side note: object ID is opaque value, so we do not distinguish any part of
it as orb-id or orb-creation time. Perhaps you get this knowledge from
other ORB, but this is strickly ORB dependent.

> == 4. Safety Hazard ==
>   critical, potential Denial-of-Service
>
> == 5. Disclosure Timeline ==
>   2006-06-27 Problem found and analysed / tested with other versions
>   2006-06-29 Vulnerability reported to vendor and MICOs
>                devel-mailing-list

Unfortunately your email has not come to mico-devel () mico org mailing list
yet. Also if you would like to contact directly ObjectSecurity with some
security issue, please consider using security () objectsecurity com email
address next time.

>   2006-07-05 2nd mail to vendor and mailing-list
>   2006-07-06 Full disclosure
>
> == 6. Vendor Response ==
>   None.
>
> == 7. Patch / Workaround ==
>   No Patch avaible yet.

Patch is already available and the main MICO download page contains a link 
to it: http://mico.org/down.html

>   possible Workarounds
>   a) Don't use MICO in or over public networks
>   b) Protect MICO with an (IIOP) firewall
>
> == 8. Vulnerability Details ==
>   The following is for educational purposes only!
>
>   Start the orb, you'll crash # Example code
>   -> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
>       $ ./server
>   scan your target...
>       $ sudo nmap -sS -oM results.nmap -p 1-65535 192.168.1.10 /
>           | grep unknown
>       8010/tcp  open  unknown
>       49576/tcp open  unknown
>       51140/tcp open  unknown
>
>   One of these port could be the orb. Lets try to ping
>   (object._non_exists()) the last one. For this I'm using a special
>   handmade CORBA-Ping-Prog. It's also possible to use JacORBs pingo..
>   My JPing is avaible at
>       http://wwwstud.informatik.uni-rostock.de/~cb098/JPing.java
>       $ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
>     orb.string_to_object             ... ok
>     object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
>     vmcid: SUN  minor code: 208 completed: Maybe

Side note: if you test fixed MICO together with your ping utility
running on top of JacORB, you will get COMM_FAILURE exception
too. That's because of a bug in JacORB which tries to use GIOP 1.2
although your corbaloc is defined in the way it should use GIOP
1.0. Also since MICO uses GIOP 1.0 by default it closes connection
immediately after receiving JacORB's GIOP 1.2 message. Anyway this
test runs well with patched MICO and either MICO server using GIOP 1.2
and JacORB or MICO server using default GIOP 1.0 and JDK ORB.

Cheers,
Karel
------------------------------------------------------------------------
Karel Gardas, Principal Software Engineer, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS, UK
Tel. +44 1223 420252, Fax. +44 870 762 6041
USA: Tel.+1-800-898-9148, Fax +1-360-933-9591
kgardas () objectsecurity com, www.objectsecurity.com
------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/