-
February 15th, 2004, 07:55 AM
#11
http://www.eeye.com/html/Research/Ad...D20040210.html
Description:
eEye Digital Security has discovered a critical vulnerability in Microsoft's ASN.1 library (MSASN1.DLL) that would allow an attacker to overwrite heap memory on a susceptible machine and cause the execution of arbitrary code. Because this library is widely used by Windows security subsystems, the vulnerability is exposed through an array of avenues, including Kerberos, NTLMv2 authentication, and applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.).
Technical Description:
The MSASN1 library is fraught with integer overflows. In this advisory, we'll describe a pair of arithmetic errors in a generic and low-level part of ASN.1 BER decoding that allow a very large swath of heap memory to be overwritten. This vulnerability affects basically any client of MSASN1.DLL, the most interesting of which are LSASS.EXE and CRYPT32.DLL (and therefore any application that uses CRYPT32.DLL).
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
this one only crashes lsass.exe
BTW it compiles as is w/gcc
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
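As an added illustration of the bug class the quoted advisory names (integer overflow while handling BER lengths), here is a definite-length BER header reader in C that compares the claimed length with the bytes actually remaining. It is not eEye's or Microsoft's code and not part of any post in this thread. The advisory excerpt does not detail the actual MSASN1 errors, so every name and sample byte below is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not MSASN1 code. */
typedef struct { uint8_t tag; size_t len; const uint8_t *val; } ber_tlv;

/* Wrapping check, kept only for comparison: pos + len can wrap past zero. */
int fits_wrapping(size_t pos, size_t len, size_t buflen) {
    return pos + len <= buflen;
}

/* Checked form: compare the claimed length with the bytes actually left. */
int fits_checked(size_t pos, size_t len, size_t buflen) {
    return pos <= buflen && len <= buflen - pos;
}

/* Decode one definite-length BER header. Returns 0 on success, -1 on reject. */
int ber_read_tlv(const uint8_t *buf, size_t buflen, ber_tlv *out) {
    size_t pos = 0, len = 0;
    if (buflen < 2) return -1;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                            /* short form */
    } else {
        size_t n = first & 0x7f;                /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t)) return -1; /* indefinite or too wide */
        if (!fits_checked(pos, n, buflen)) return -1;
        while (n--) len = (len << 8) | buf[pos++];
    }
    if (!fits_checked(pos, len, buflen)) return -1; /* value must lie in buf */
    out->len = len;
    out->val = buf + pos;
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t ok_tlv[]  = { 0x04, 0x03, 'A', 'B', 'C' };
static const uint8_t bad_tlv[] = { 0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x00 };

int main(void) {
    ber_tlv t;
    printf("ok_tlv:  %d\n", ber_read_tlv(ok_tlv, sizeof ok_tlv, &t));
    printf("bad_tlv: %d\n", ber_read_tlv(bad_tlv, sizeof bad_tlv, &t));
    printf("wrapping check accepts SIZE_MAX: %d\n", fits_wrapping(2, SIZE_MAX, 16));
    return 0;
}
```

The reader rejects long-form lengths wider than `size_t` instead of truncating them, which also rejects some over-long but legal BER encodings with leading zero octets.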
-
February 16th, 2004, 12:52 AM
#12
I spent what was left of last night, trying to get a grip on this sort of threat. Needless to say it went pear shaped when I fell asleep ??
The input from Tim_axe and Tedob 1 is the stuff of nightmares for me. Two attacks in the last 4 months, both times required a clean install !!!
So, for now: F/W at high security, and netbios blocked In and Out ?
So, finally AO has a member, who if not actually MORE paranoid than nihil, is fast getting there !!
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
February 16th, 2004, 10:25 AM
#13
You know, every time this kind of threat comes up people start to get all excited about firewalls, and although they offer some degree of protection there are some important considerations.
1) Your firewall won't protect you from the ******* who brings in a worm-infected laptop from home.
2) It's not rocket science to ZIP the worm up and send it by email. MyDoom again showed that businesses were vulnerable to infected ZIP files, especially ones that spread very quickly. The infected ZIP file doesn't even need to be self-propagating, if you've got access to a spam list you could just email the darned thing out.. enough dumb users will double-click anything to ensure you get the worm dropper through.
The best solution to this kind of threat is "defense in depth". Make an assumption that a worm will penetrate a large network and base your strategy on containing it when it's inside.
So, my recommended steps are:
1) Patch everything you can
2) Ensure you have anti-virus signatures set for auto-distribution
3) Switch off unpatched PCs when not in use
4) Educate users that equipment must not be used outside the firewall, and non-patched kits (e.g. visitor's laptops) must not be attached inside the firewalled environment. Use a big stick against anyone who violates this, like firing them.
-
February 17th, 2004, 11:52 PM
#14
Junior Member
it seems that getting a shell is very hard, so at the moment only a DoS exploit is in the wild ...
-
February 18th, 2004, 12:41 AM
#15
Junior Member
-
February 18th, 2004, 01:31 AM
#16
I don't know if you all read the other threads on this topic but it seems that eeye has a few other reports in to MS that they have yet to respond to. Let's hope that someone doesn't find them before MS fixes them or at least announces a workaround.
-
February 18th, 2004, 08:12 AM
#17
Junior Member
I'm still a bit confused about this exploit...
Are there any workarounds besides installing the patch (manual tweaks, etc)? I'm always a bit hesitant when it comes to installing a MS patch. From my experience, there's usually a 50/50 chance it will either fix the problem or make matters worse. :|
MS claims there are no workarounds, but I wonder if that's really true.