[Full-disclosure] Re: Mico crashes when contected with wrong IOR / DoS




Hello,

I would just like to add some corrections to disclosure below.

On Thu, 6 Jul 2006, tuergeist wrote:

== == == TOC == == ==

1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details

---------------------

== 1. Affected Vendor ==
Object Security

This information is incorrect. ObjectSecurity is not the vendor of the MICO ORB. MICO is a free software project licensed under LGPL/GPL licenses. ObjectSecurity is its long time user and contributor besides lots of other companies and supporters.

== 2. Affected Products ==
MICO - Mico is CORBA, Open Source ORB
tested on Version
2.3.12RC3
2.3.12
and latest from repository
more infos: http://www.mico.org

== 3. Vulnerability ==
MICO crashes when contacted with wrong object key (part: orb-id or
orb-creation time)

Side note: object ID is opaque value, so we do not distinguish any part of
it as orb-id or orb-creation time. Perhaps you get this knowledge from
other ORB, but this is strickly ORB dependent.

== 4. Safety Hazard ==
critical, potential Denial-of-Service

== 5. Disclosure Timeline ==
2006-06-27 Problem found and analysed / tested with other versions
2006-06-29 Vulnerability reported to vendor and MICOs
devel-mailing-list

Unfortunately your email has not come to mico-devel@xxxxxxxx mailing list
yet. Also if you would like to contact directly ObjectSecurity with some
security issue, please consider using security@xxxxxxxxxxxxxxxxxx email
address next time.

2006-07-05 2nd mail to vendor and mailing-list
2006-07-06 Full disclosure

== 6. Vendor Response ==
None.

== 7. Patch / Workaround ==
No Patch avaible yet.

Patch is already available and the main MICO download page contains a link to it: http://mico.org/down.html

possible Workarounds
a) Don't use MICO in or over public networks
b) Protect MICO with an (IIOP) firewall

== 8. Vulnerability Details ==
The following is for educational purposes only!

Start the orb, you'll crash # Example code
-> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
$ ./server
scan your target...
$ sudo nmap -sS -oM results.nmap -p 1-65535 192.168.1.10 /
| grep unknown
8010/tcp open unknown
49576/tcp open unknown
51140/tcp open unknown

One of these port could be the orb. Lets try to ping
(object._non_exists()) the last one. For this I'm using a special
handmade CORBA-Ping-Prog. It's also possible to use JacORBs pingo..
My JPing is avaible at
http://wwwstud.informatik.uni-rostock.de/~cb098/JPing.java
$ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
orb.string_to_object ... ok
object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
vmcid: SUN minor code: 208 completed: Maybe

Side note: if you test fixed MICO together with your ping utility
running on top of JacORB, you will get COMM_FAILURE exception
too. That's because of a bug in JacORB which tries to use GIOP 1.2
although your corbaloc is defined in the way it should use GIOP
1.0. Also since MICO uses GIOP 1.0 by default it closes connection
immediately after receiving JacORB's GIOP 1.2 message. Anyway this
test runs well with patched MICO and either MICO server using GIOP 1.2
and JacORB or MICO server using default GIOP 1.0 and JDK ORB.

Cheers,
Karel
------------------------------------------------------------------------
Karel Gardas, Principal Software Engineer, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS, UK
Tel. +44 1223 420252, Fax. +44 870 762 6041
USA: Tel.+1-800-898-9148, Fax +1-360-933-9591
kgardas@xxxxxxxxxxxxxxxxxx, www.objectsecurity.com
------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Mico crashes when contected with wrong IOR / DoS
    ... Affected Vendor ... ObjectSecurity is not the vendor of the MICO ORB. ... MICO is a free software project licensed under LGPL/GPL licenses. ... although your corbaloc is defined in the way it should use GIOP ...
    (Bugtraq)
  • Re: Mico crashes when contected with wrong IOR / DoS
    ... MICO is a free software project licensed under LGPL/GPL ... look @ point 2 "Open Source ORB". ... it as orb-id or orb-creation time. ... That's because of a bug in JacORB ...
    (Bugtraq)
  • [Full-disclosure] Re: Mico crashes when contected with wrong IOR / DoS
    ... MICO is a free software project licensed under LGPL/GPL ... look @ point 2 "Open Source ORB". ... it as orb-id or orb-creation time. ... That's because of a bug in JacORB ...
    (Full-Disclosure)
  • [Full-disclosure] Re: Mico crashes when contected with wrong IOR / DoS
    ... Anyway, points taken, we (MICO community) should provide single email address for all vulnerability reports. ... I've added JacORB notes in my original reply since I've thought you were also testing the issue with JacORB, perhaps I've read this in some of your files. ... look @ point 2 "Open Source ORB". ...
    (Full-Disclosure)
  • Re: Mico crashes when contected with wrong IOR / DoS
    ... Anyway, points taken, we (MICO community) should provide single email address for all vulnerability reports. ... I've added JacORB notes in my original reply since I've thought you were also testing the issue with JacORB, perhaps I've read this in some of your files. ... look @ point 2 "Open Source ORB". ...
    (Bugtraq)