Full Disclosure mailing list archives

Re: newest category of security bugs considered elite ?


From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 1 May 2010 21:02:50 -0400





On May 1, 2010, at 8:30 PM, Nick FitzGerald <nick () virus-l demon co uk> wrote:

Dan Kaminsky wrote:

I really like the hash length declaration bugs, where the client can
tell the server how many bytes of a hash need to be validated.  (Yep,
you just say "one byte is plenty")

SNMPv3 and XML-DSIG both fell to this, catastrophically.

I thought Georgi asked for the newest class of elite vulns?

Does (at least) ten years old count as new?

Ooh, SMB's old Hollywood OS bug -- one character at a time attacks.  
Indeed, this is very old.  It's actually an annoying pattern, that  
things we think are attack multipliers ('you have to simultaneously  
attack MD5 and SHA1') turn out to just be adders (you can attack one  
at a time).

This bug class is different, and as far as I know unseen from the 80's  
and 90's. In this one, you tell the remote system, 'sure, I can match  
your stored hash -- but it's only one byte long.' So you try an  
average of 128 passwords, and off you go.

It's basically a problem where the client is trusted to provide  
excessive metadata about server state. If you've got other examples in  
this family, it'd be cool to hear them.

(The TLS reneg bug was super cool but client/server confusion of  
identical protocol messages has precedent, I'm sure.)



  http://www.microsoft.com/technet/security/bulletin/ms00-072.mspx

And against Win9x count as elite?   8-)

FWIW, MS00-072 was fairly widely exploited in the wild by at least the
Opaserv (aka Opasoft) family of worms, though not until a couple (?) of
years after the bulletin's release.



Regards,

Nick FitzGerald
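
The two bugs discussed above, the client-declared HMAC length (the SNMPv3/XML-DSIG pattern) and the client-declared password length of MS00-072 (the one-character-at-a-time pattern), modelled side by side as an added illustration. This is not code from the thread, from SNMPv3, XML-DSIG or Windows 9x; the key, message, password, alphabet and all function names are constructed for the example. Each vulnerable check is paired with a hardened one that decides the comparison length on the server side, and the attack loops show why the work "adds" per position instead of multiplying.

```python
"""Client-declared length bugs, in miniature (constructed example, not real code)."""
import hashlib
import hmac
import string

# --- 1. HMAC truncation length taken from the client (SNMPv3 / XML-DSIG pattern)

KEY = b"constructed-shared-secret"      # constructed sample key, held by the server
MESSAGE = b"get sysDescr.0"              # constructed sample request
MAC_LEN = hashlib.sha1().digest_size     # 20 bytes for SHA-1


def full_mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def verify_mac_vulnerable(key, msg, mac, declared_len):
    """Server obeys the client's length field and compares only that many bytes."""
    expected = full_mac(key, msg)
    return declared_len > 0 and hmac.compare_digest(expected[:declared_len], mac[:declared_len])


def verify_mac_hardened(key, msg, mac, declared_len):
    """Server fixes the length itself; the field in the message is checked, not obeyed."""
    if declared_len != MAC_LEN or len(mac) != MAC_LEN:
        return False
    return hmac.compare_digest(full_mac(key, msg), mac)


def forge_one_byte_mac(verify):
    """Attacker without the key, using the server's verifier as an oracle:
    declare a 1-byte MAC and guess it. Returns (attempts, forged_mac), or
    (256, None) if the verifier never accepts. 128 attempts on average."""
    for guess in range(256):
        mac = bytes([guess])
        if verify(KEY, MESSAGE, mac, 1):
            return guess + 1, mac
    return 256, None


# --- 2. Password length taken from the client (MS00-072 share-level pattern)

ALPHABET = string.ascii_lowercase + string.digits
STORED_PASSWORD = "tr0ub4dor"            # constructed; known only to the server


def share_login_vulnerable(stored, supplied, declared_len):
    """Server compares only declared_len characters of the stored password."""
    return declared_len > 0 and stored[:declared_len] == supplied[:declared_len]


def share_login_hardened(stored, supplied, declared_len):
    """Length field must equal the stored length and the whole string is compared."""
    if declared_len != len(stored) or len(supplied) != len(stored):
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def crack_one_char_at_a_time(login, alphabet, max_len=32):
    """Recover the password one position at a time. Each position costs at most
    len(alphabet) tries, so the cost is len(alphabet) * len(password), not
    len(alphabet) ** len(password). Stops when no character extends the prefix."""
    prefix, tries = "", 0
    while len(prefix) < max_len:
        for ch in alphabet:
            tries += 1
            if login(STORED_PASSWORD, prefix + ch, len(prefix) + 1):
                prefix += ch
                break
        else:
            return prefix, tries   # nothing extends it: prefix is the whole password
    return prefix, tries


if __name__ == "__main__":
    tries, mac = forge_one_byte_mac(verify_mac_vulnerable)
    print(f"1-byte MAC accepted after {tries} tries; hardened verifier accepts it:",
          verify_mac_hardened(KEY, MESSAGE, mac, 1))
    pw, n = crack_one_char_at_a_time(share_login_vulnerable, ALPHABET)
    print(f"share password {pw!r} recovered in {n} tries "
          f"(blind brute force: {len(ALPHABET) ** len(pw)})")
```

Run against `verify_mac_hardened` or `share_login_hardened`, both attack loops exhaust their search without a hit, which is the property to test for in any protocol where the peer carries a length, count or truncation field that describes something the server already knows.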


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
