Re: [Full-Disclosure] ASN.1 telephony critical infrastructure warning - VOIP

From: daniel uriah clemens (daniel_clemens_at_autism.birmingham-infragard.org)
Date: 02/17/04

    To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
    Date: Tue, 17 Feb 2004 11:34:47 +0000 (GMT)
    
    

    Here are some more details on various things that use ASN.1

    http://asn1.elibel.tm.fr/en/uses/rfc.htm

    -Dan
    On Tue, 17 Feb 2004, 3APA3A wrote:

    > Dear Gadi Evron,
    >
    > ASN.1 is used by many services, but all use different underlying
    > protocols. It's not likely NetMeeting or MS ISA server to be primary
    > attack targets. Attack against MS IPSec implementation, Exchange,
    > SMB/CIFS, RPC services, IIS and especially IE will not have impact to VoIP
    > infrastructure (except connectivity degradation because of massive
    > traffic). And these applications are more likely to be attack target.
    >
    > --Tuesday, February 17, 2004, 6:37:53 PM, you wrote to bugtraq@securityfocus.com:
    >
    > GE> I apologize, but I am using these mailing lists to try and contact the
    > GE> different */CERT teams for different countries.
    >
    > GE> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
    > GE> attacks both the server and the end user (IIS and IE).
    >
    > GE> We expect a new massive worm to come out exploiting this vulnerability
    > GE> in the next few days.
    >
    > GE> Why should this all interest you beyond it being the next blaster?
    >
    > GE> ASN is what VOIP is based on, and thus the critical infrastructure for
    > GE> telephony which is based on VOIP.
    >
    > GE> This may be a false alarm, but you know how worms find their way into
    > GE> every network, private or public. It could (maybe) potentially bring the
    > GE> system down.
    >
    > GE> I am raising the red flag, better safe than sorry.
    >
    > GE> The two email messages below are from Zak Dechovich and myself on this
    > GE> subject, to TH-Research (The Trojan Horses Research Mailing List). The
    > GE> original red flag as you can see below, was raised by Zak. Skip to his
    > GE> message if you like.
    >
    > GE> Gadi Evron.
    >
    >
    >
    > GE> Subject: [TH-research] */CERT people: Critical Infrastructure and ASN.1
    > GE> - VOIP [WAS: Re:
    > GE> [TH-research] OT: naming the fast approaching ASN.1 worm]
    >
    > GE> Mail from Gadi Evron <ge@linuxbox.org>
    >
    > GE> All the */CERT people on the list:
    > GE> If you haven't read the post below, please do.
    >
    > GE> Anyone checked into the critical infrastructure survivability of an ASN
    > GE> worm hitting? phone systems could possibly go down. We all know how
    > GE> worms find their way into any network, private or otherwise. and VOIP
    > GE> systems (which phone systems are based on nowadays) could go down.
    >
    > GE> Heads-up! Finds them contingency plans.. :o)
    >
    > GE> Any information would be appreciated, or if you need more information
    > GE> from us: +972-50-428610.
    >
    > GE> Gadi Evron.
    >
    >
    > GE> Zak Dechovich wrote:
    >
    > >> Mail from Zak Dechovich <ZakGroups@SECUREOL.COM>
    > >>
    > >> May I suggest the following:
    > >>
    > >> ASN1 is mainly used for the telephony infrastructure (VoIP),
    > >> any code that attacks this infrastructure can be assigned with 'VoIP'
    > >> prefix, followed by the attacked vendor (cisco, telrad, microsoft, etc.).
    > >>
    > >> for example, if (when) Microsoft's h323 stack will be attacked, the name
    > >> should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will crash,
    > >> let's call it VoIP.csgk.<variant>
    > >>
    > >> Your thoughts ?
    > >>
    > >> Zak Dechovich,
    > >>
    > >> Zak Dechovich,
    > >> Managing Director
    > >> SecureOL Ltd.
    > >> Mobile: +972 (53) 828 656
    > >> Office: +972 (2) 675 1291
    > >> Fax: +972 (2) 675 1195
    >
    > GE> -
    > GE> TH-Research, the Trojan Horses Research mailing list.
    > GE> List home page: http://ecompute.org/th-list
    >
    > GE> _______________________________________________
    > GE> Full-Disclosure - We believe in it.
    > GE> Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >
    > --
    > ~/ZARAZA
    > Sir Isaac Newton discovered that apples fall to the ground. (Twain)
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    -Daniel Uriah Clemens

    Esse quam videra
                    (to be, rather than to appear)
                         -Moments of Sorrow are Moments of Sobriety
                          { o)2059686335 c)2055676850 }

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

