RE: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code Execution(828028); Microsoft Security Bulletin MS04-007

From: Brett Moore (brettsoftwarecreations.co.nz)
Date: Wed Feb 11 2004 - 14:59:59 CST


> Ahwell. I personally have this weird idea that we're by far not done
> with MSASN1.DLL.
etc

I'd agree with that, and everything you said... Take the RPC flaws for
example... Once one had come out, attention was suddenly turned to that
area, and more were found...

If someone was to take a systematic approach to bug finding, instead
of random hit and miss, they would turn up a hell of a lot of bugs..

"Methodical Approach To Finding Buffer Overflows"
* Review past bugs
* design a 'spreadsheet'
* mark in known bugs
* test where the gaps are.

Example (previous = prev bug; silent fix = discovered but fixed silently by
SP):

              Large Param   Chunked Post   Content-Type len
  .ida        Previous      silent fix
  .asp        Previous      Previous
  shtml.dll   silent fix    silent fix
  fp30reg.dll found
  etc..

Past history shows the majority of buffer overflows exist due to
1) long filename/pathname/parameter
   Check everything that accepts a filename/pathname/param,
   including HTTP methods/headers and APIs
2) corrupt packet/file (essentially the same thing)
   Check all interfaces where packets are received or files are read for info,
   including RPC/DDE/SMB

Of course reverse engineering all the dlls/functions and reviewing the code,
while being extremely time consuming, could turn up gold... Perhaps it's just
a matter of knowing 'where to look'....


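The "spreadsheet" approach above, as an added worked example that is not part of Brett's post: the matrix is kept as data, the unmarked cells are listed as the gaps to test, a long-input request is generated for each gap (large query parameter, oversized chunk in a chunked POST, long Content-Type header), and a toy parser with fixed buffer limits stands in for the real target so the whole thing runs offline. The cell placement, the paths, the 4096-byte length and the toy limits are all assumptions for illustration; against a real server you would send the request and watch for a crash instead of asking the toy parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Input classes (columns of the spreadsheet).
VECTORS = ["large param", "chunked post", "content-type len"]

# Constructed coverage matrix following the post's table. Cell values:
#   "previous"   - a public bug was found here before
#   "silent fix" - found and fixed silently in a service pack
#   "found"      - found during this review
# A missing cell is a gap: never tested. (Column placement is an assumption;
# the original alignment was lost.)
MATRIX: Dict[str, Dict[str, str]] = {
    ".ida":        {"large param": "previous",   "chunked post": "silent fix"},
    ".asp":        {"large param": "previous",   "chunked post": "previous"},
    "shtml.dll":   {"large param": "silent fix", "chunked post": "silent fix"},
    "fp30reg.dll": {"large param": "found"},
}


def gaps(matrix: Dict[str, Dict[str, str]], vectors: List[str]) -> List[Tuple[str, str]]:
    """Return the (target, vector) cells that have never been marked."""
    return [(t, v) for t in matrix for v in vectors if v not in matrix[t]]


def build_request(target: str, vector: str, length: int = 4096) -> bytes:
    """Build a raw HTTP request pushing a `length`-byte value through `vector`.
    The path (/<target>) is hypothetical; only the shape of the input matters."""
    path = f"/{target}"
    if vector == "large param":
        return (f"GET {path}?id={'A' * length} HTTP/1.0\r\n"
                f"Host: target\r\n\r\n").encode()
    if vector == "chunked post":
        body = "A" * length
        return (f"POST {path} HTTP/1.1\r\nHost: target\r\n"
                f"Transfer-Encoding: chunked\r\n\r\n"
                f"{length:x}\r\n{body}\r\n0\r\n\r\n").encode()
    if vector == "content-type len":
        return (f"POST {path} HTTP/1.0\r\nHost: target\r\n"
                f"Content-Type: {'A' * length}\r\nContent-Length: 0\r\n\r\n").encode()
    raise ValueError(f"unknown vector {vector!r}")


# Toy server-side buffer sizes (constructed). A real target is observed for
# a crash; this stand-in just reports which field would not fit.
TOY_LIMITS = {"param": 256, "chunk": 1024, "content-type": 128}


def overflowed_field(request: bytes, limits: Dict[str, int] = TOY_LIMITS) -> Optional[str]:
    """Parse `request` and return the first field whose value exceeds its toy
    buffer, or None if everything fits."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Query-string parameters on the request line.
    m = re.search(r"\?(.*?) HTTP/", request_line)
    if m:
        for kv in m.group(1).split("&"):
            _, _, val = kv.partition("=")
            if len(val) > limits["param"]:
                return "param"
    if len(headers.get("content-type", "")) > limits["content-type"]:
        return "content-type"
    if headers.get("transfer-encoding", "").lower() == "chunked":
        size_line, _, _ = body.partition(b"\r\n")
        if int(size_line.decode("ascii"), 16) > limits["chunk"]:
            return "chunk"
    return None


def probe_gaps(matrix=MATRIX, vectors=VECTORS, length: int = 4096) -> Dict[Tuple[str, str], Optional[str]]:
    """Generate one request per untested cell and record the toy verdict."""
    return {(t, v): overflowed_field(build_request(t, v, length))
            for t, v in gaps(matrix, vectors)}


if __name__ == "__main__":
    for cell, verdict in probe_gaps().items():
        print(f"{cell[0]:12} {cell[1]:18} -> {verdict}")
```

Each time a cell is tested it gets marked, so the gap list shrinks and the review stays systematic rather than hit and miss; adding a new row (another ISAPI extension) or column (another HTTP header) automatically produces the new cells to try.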
-----Original Message-----
From: dailydave-bounceslists.immunitysec.com
[mailto:dailydave-bounceslists.immunitysec.com]On Behalf Of Halvar
Flake
Sent: Thursday, February 12, 2004 8:24 AM
To: Nicob
Cc: dailydavelists.immunitysec.com
Subject: Re[2]: [Dailydave] ASN.1 Vulnerability Could Allow Code
Execution(828028); Microsoft Security Bulletin MS04-007

Hey all,

N> And that's probably the same thing for the US-CERT and the
N> "Vulnerabilities Cartel" created by ISS, Foundstone, @stake, ...
N> So, from this page [1], we can deduce that there are numerous guys (at
N> least one hundred?) knowing about 2 HIGH severity vulns in MS products
N> for half a year.

I personally think that anyone who looked seriously at MSASN1.DLL
could've had these vulns, and after the H323 bugs I would assume many
people took an interest and looked at it (which they didn't do
before).

But then again, is there anyone surprised at all ? I think with a
piece of soft as complex as Windows, we can safely assume that at any
given point in time some group of people will have a remote for it (if
you don't want to accept this notion, take iexplore into the picture
and the prospect of client-side exploitation).

Ah well. I personally have this weird idea that we're by far not done
with MSASN1.DLL.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://www.immunitysec.com/mailman/listinfo/dailydave