Results 1 to 8 of 8

Thread: New Vuln....the Big one! (ASN.1).

  1. #1
    Senior Member
    Join Date
    Nov 2001

    New Vuln....the Big one! (ASN.1).

    Says Eeye:

    This is something that will let you get into Internet servers, internal networks, pretty much any system.

    This vulnerability affects basically any client of MSASN1.DLL, the most interesting of which are LSASS.EXE and CRYPT32.DLL (and therefore any application that uses CRYPT32.DLL).

    eEye(R) Digital Security, a leading developer of enterprise security software solutions, today announced its research team uncovered two critical vulnerabilities relating to Microsoft's Windows(R) Abstract Syntax Notation One (ASN.1). ASN is the method through which the syntax of messages to be exchanged between peer applications is defined, independent of local representation. These critical security flaws affect unpatched Windows NT, 2000, XP and Windows Server 2003 machines. eEye's research team discovered these vulnerabilities as early as July 2003 and worked with Microsoft to develop a remediation solution.
    Either of these ASN vulnerabilities could allow an attacker to overwrite heap memory with arbitrary data allowing for the execution of malicious code. Both of these flaws can be detected and subsequently exploited remotely and have the potential to cause serious damage if not immediately remediated. Ironically, the security-related functionality in Windows is especially adept at rendering a machine vulnerable to an attack. Since the ASN library is widely used by Windows security subsystems, the vulnerability is exposed through an array of authentication protocols. This makes these vulnerabilities more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms. eEye and Microsoft have released detailed advisories to alert Windows users of the need to immediately remediate vulnerable machines on their networks.

    Looks like MS knew about this for 6 MONTHS and sat on it until they got a patch made for it.

    Vendor Status:
    Microsoft has released a patch for these vulnerabilities. The patch is available at:
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Senior Member
    Join Date
    Jan 2003
    very nice,

    I think i might install the vunerable OS on my server and us the exploit to see how it works

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    The real scary thing is that LDAP adheres to the ASN.1 standard. We patched all AD controllers immediately.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    For those of use who would like to know about the nitty gritty details: Check Eeye's website. You can find the advisories here and here.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Why do I imagine a virus coming from this vulnerability shortly? I've read the briefs but don't really understand how this thing spreads.

    Quoting here <>

    "Since the ASN library is widely used by Windows security subsystems, the vulnerability is exposed through an array of authentication protocols. This makes these vulnerabilities more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms."

    So this thing isn't going to be limited to ports being open / closed. And it seems that a firewall will not be very useful so long as the user can get something through it correct? What else can be done in addition to patching these machines? Or am I waving the paranoid flag too early?

  6. #6
    AO French Antique News Whore
    Join Date
    Aug 2001

    Microsoft warns of widespread Windows flaw

    Microsoft has a message for Windows users: Patch your computers quickly.
    On Tuesday, the software giant released a fix for a networking flaw that affects every computer running Windows NT, Windows 2000, Windows XP or Windows Server 2003. If left unpatched, the security hole could allow a worm to spread quickly throughout the Internet, causing an incident similar to the MSBlast attack last summer.

    "There are more attack vectors and more people that could be affected by this," said Marc Maiffret, chief hacking officer for eEye Digital Security, the software firm that warned Microsoft of the vulnerability more than six months ago.

    This is the second time this month that Microsoft has warned users of a security flaw. The company has a new policy of announcing vulnerabilities and releasing patches on the second Tuesday of each month, unless a critical flaw needs to be released immediately.

    Last week, the software maker revealed a security flaw in Internet Explorer and issued a patch. On Tuesday, Microsoft announced three more vulnerabilities: the critical flaw and two other issues of lesser severity. One security hole affects computers running the Windows Internet Naming Service, and the other affects Microsoft's Virtual PC for the Mac platform.

    The latest flaw exists in Microsoft's implementation of a basic networking protocol known as Abstract Syntax Notation One, or ASN.1. The code is shared by many Windows applications, and if left unpatched, it causes each program that uses the code to be an entry point into the operating system for an attacker.

    Such widespread vulnerabilities are most tempting for the underground coders who create worms such as MSBlast--also known as Blaster--and Slammer, both of which took advantage of widespread Windows flaws.

    The vulnerability could allow a remote user to take control of a computer running a version of the Windows operating system that hasn't been patched, according to the advisory posted on Microsoft's Web site. Exploiting the flaw is much easier if the attacker can access a local network, the advisory noted.

    "This means a high number of vulnerable systems out on the Internet," said Brian Dunphy, director of managed security services for security software company Symantec. "It's a good candidate for an Internet worm."

    The flaw bears a resemblance to the one that allowed MSBlast to spread in August 2003, said Stephen Toulouse, security program manager at Microsoft's security response center.

    "It is relatively similar in terms of the number of computers it could affect," he said, adding that the flaw "is in all versions of Windows."

    Created by Xerox and standardized in 1984, ASN.1 is a way to describe networking data and protocols, said Bancroft Scott, president of OSS Nokalva, an ASN.1 tools developer.

    "Twenty years ago, people frequently reinvented the wheel when they wanted to pass data," he said in a January interview on the subject of ASN.1. "There was no way to describe the data that you were going to send."

    ASN.1 changed that, allowing developers to describe data in an abstract language. However, developers of tools for creating network protocols and software from those descriptions frequently didn't consider that Internet attackers would use the channel as a way to break into computers, Scott said.

    "These technologies, such as Windows, don't have anything to do with ASN.1, and yet they are breaking," he said.

    The widespread use of ASN.1 has led many security researchers to label it a possible "monoculture"--a population so homogeneous that a single threat could destroy it. A recent trend in the computer security world is the recognition that vulnerabilities in common technologies can have widespread effects. A flaw in the Simple Network Management Protocol, a widely used way to communicate between network hardware, was due to an ASN.1 implementation error.

    eEye's Maiffret was critical of Microsoft for taking so long to issue the patch.

    "Two hundred days to fix this," Maiffret said. "It is obviously ridiculous."

    Microsoft's Toulouse said the fix took so long to create because of the difficulties posed by such a pervasive technology.

    "ASN.1 is really an extremely in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."
    -Simon \"SDK\"

  7. #7
    AO Part Timer
    Join Date
    Feb 2003
    Patch, Patch, Patch.

    A forever ongoing process. I am glad to see they have a patch. Thanks for the heads up. Update complete, gotta go and reboot.
    so much for uptime.

    Your heart was talking, not your mind.
    -Tiger Shark

  8. #8
    Junior Member
    Join Date
    Feb 2004
    Originally posted here by thadbme
    Why do I imagine a virus coming from this vulnerability shortly? I've read the briefs but don't really understand how this thing spreads.
    There's nothing to spread at the moment. Exploit code exists at eEye (where they infiltrated a completely locked-down test network), but there's nothing known in the wild. How long this lasts is a subject of debate; some people think that there is reason to believe that we'll see something this weekend, and others believe that the skill to exploit the vulnerability is rare enough that a major outbreak won't happen anytime soon. However, since this is not the first ASN.1 vulnerability around (*nix has been hit by it a few times in the last couple of years, though with lesser risks), I'm tending to suspect that some gray and black hats have become more familiar with the ins and outs of the ASN standards.

    As for how it happens, if I read it correctly, the vulnerability can be exploited in a single packet. A target system is sent a specially crafted packet that requests initialization of a session to negotiate a security token. The payload of this is crafted such that a 0-byte memory block is assigned to handle the associated data, but the full payload is actually passed on and can be used to delivery executable payload into kernel-space memory. Once this payload is delivered, it can be set to do anything -- including authorizing a session that allows root access, meaning that the attacker then has complete control over the system to install, delete, and/or use files in any way desired.
    You can never go home again... but I guess you can shop there.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts