Full Disclosure mailing list archives
Re: newest category of security bugs considered elite ?
From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 1 May 2010 21:02:50 -0400
On May 1, 2010, at 8:30 PM, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Dan Kaminsky wrote:
>
> > I really like the hash length declaration bugs, where the client can tell the server how many bytes of a hash need to be validated. (Yep, you just say "one byte is plenty") SNMPv3 and XML-DSIG both fell to this, catastrophically.
>
> I thought Georgi asked for the newest class of elite vulns? Does (at least) ten years old count as new?

Ooh, SMB's old Hollywood OS bug -- one character at a time attacks. Indeed, this is very old. It's actually an annoying pattern, that things we think are attack multipliers ('you have to simultaneously attack MD5 and SHA1') turn out to just be adders (you can attack one at a time). This bug class is different, and as far as I know unseen from the 80's and 90's. In this one, you tell the remote system, 'sure, I can match your stored hash -- but it's only one byte long.' So you try an average of 128 passwords, and off you go. It's basically a problem where the client is trusted to provide excessive metadata about server state. If you've got other examples in this family, it'd be cool to hear them. (The TLS reneg bug was super cool but client/server confusion of identical protocol messages has precedent, I'm sure.)

> http://www.microsoft.com/technet/security/bulletin/ms00-072.mspx
>
> And against Win9x count as elite? 8-)
>
> FWIW, MS00-072 was fairly widely exploited in the wild by at least the Opaserv (aka Opasoft) family of worms, though not until a couple (?) of years after the bulletin's release.
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
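As an added illustration (not code from this thread or from any of the products named in it), here is the "client declares how many hash bytes count" check Kaminsky describes next to a fixed-length check, plus a local simulation of why the first form collapses the search space to one byte at a time. STORED_HASH, the function names and the sample password are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the server's stored credential hash (not any real system's value).
STORED_HASH = hashlib.sha256(b"correct horse battery staple").digest()


def verify_client_declared_length(stored: bytes, candidate: bytes, claimed_len: int) -> bool:
    """The bug class from the thread: the peer declares how many bytes of the hash
    count, so the server compares only that prefix (the SNMPv3 / XML-DSIG shape)."""
    return stored[:claimed_len] == candidate[:claimed_len]


def verify_fixed_length(stored: bytes, candidate: bytes) -> bool:
    """Hardened form: the server derives the length from its own stored hash and
    uses a constant-time compare, so neither length nor timing is client-controlled."""
    return len(candidate) == len(stored) and hmac.compare_digest(stored, candidate)


def recover_prefix_one_byte_at_a_time(oracle, nbytes: int) -> tuple[bytes, int]:
    """Shows why the vulnerable check is catastrophic: each byte is confirmed on its
    own (the SMB 'one character at a time' pattern), so n bytes cost at most 256*n
    queries instead of 256**n. Returns (recovered_prefix, queries_used)."""
    prefix = b""
    queries = 0
    for pos in range(1, nbytes + 1):
        for b in range(256):
            queries += 1
            if oracle(prefix + bytes([b]), pos):
                prefix += bytes([b])
                break
        else:
            raise RuntimeError("oracle never matched; check its behaviour")
    return prefix, queries


def cost_comparison(nbytes: int) -> tuple[int, int]:
    """Worst-case guess counts for nbytes: (per-byte oracle, fixed-length check)."""
    return 256 * nbytes, 256 ** nbytes


if __name__ == "__main__":
    oracle = lambda guess, n: verify_client_declared_length(STORED_HASH, guess, n)
    prefix, queries = recover_prefix_one_byte_at_a_time(oracle, 3)
    print(prefix.hex(), queries, cost_comparison(3))
    # The same one-byte guess is rejected outright by the fixed-length check.
    print(verify_fixed_length(STORED_HASH, STORED_HASH[:1]))
```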