RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption

From: Rainer Gerhards (rgerhards_at_hq.adiscon.com)
Date: 02/10/04

    Date: Tue, 10 Feb 2004 22:36:07 +0100
    To: "Tina Bird" <tbird@precision-guesswork.com>, "Marc Maiffret" <mmaiffret@eeye.com>
    
    

    I think Microsoft is using wording to keep the typical end user in a
    warm and cozy state. Technically, except for AD services, each client
    has a full server implementation and as such should be vulnerable. I
    assume that many of those DSL-connected, non-firewalled home machines
    are easy targets.

    And that the server is more likely to be attacked is just an assumption
    - in the days of class A vuln sweeps and random worm scans, I don't
    think that servers are at most risk. In fact, I think the unprotected
    home machines are...

    Rainer

    > -----Original Message-----
    > From: Tina Bird [mailto:tbird@precision-guesswork.com]
    > Sent: Tuesday, February 10, 2004 9:41 PM
    > To: Marc Maiffret
    > Cc: Joe Blatz; BUGTRAQ@securityfocus.com
    > Subject: RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
    >
    >
    > On Tue, 10 Feb 2004, Marc Maiffret wrote:
    >
    > > This attack can be performed through various encryption systems such as
    > > Kerberos and almost anything using CERTs... I am not sure about
    > > Microsoft's wording in their advisory.
    >
    > Microsoft also states that servers are likelier to be attacked using this
    > vulnerability than clients are, because they're likelier to be decoding
    > ASN.1 data. But if the vulnerable code can be accessed via LSASS.exe,
    > doesn't that mean all systems are at risk?
    >
    > thanks for any info -- tbird
    >
    > --
    > It doesn't have to be our fault to be our responsibility.
    >
    > -- Paul Robertson
    >
    > http://www.precision-guesswork.com
    > Log Analysis http://www.loganalysis.org
    > VPN http://vpn.shmoo.com
    > tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
    >

