[Dshield] Microsoft ASN.1

Dragos Ruiu dr at dursec.com
Wed Feb 11 21:32:10 GMT 2004


On February 11, 2004 12:28 pm, Lauro, John wrote:
> Was based on discussion from several sources, including bugtraq.
>
> No idea what the probe is going to look like.  It will depend on if
> it's multi-vectored or not....

ASN.1 BER is used in _many_ places, up to and including ISDN messages :)
Certs, etc...

David Meltzer had this fine snort signature for it:

alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt")


Now if someone wanted extra points, they would write a sw
scanner that would look through binaries for calls to the
affected bits of built-in malware so signatures could start
to be built. 'Cause the exploit guys are sure to have
such a scanner already :).

cheers,
--dr

-- 
Top security experts.  Cutting edge tools, techniques and information.
Vancouver, Canada	April 21-23 2004  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
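
Added example, not part of the original post or of any project's code: a minimal version of the scanner idea above, for defenders who want to inventory which executables statically import a given DLL. The target name `msasn1.dll` is an assumption (the post does not name the library), and `pe_imports` and `links_target` are hypothetical helper names.

```python
import struct
import sys

# Assumption: the post does not name the library; msasn1.dll is used here.
TARGET = b"msasn1.dll"

def pe_imports(data):
    """Return lower-cased DLL names from the import directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: NumberOfSections, then SizeOfOptionalHeader 14 bytes later
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    ddir = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+
    ndirs = struct.unpack_from("<I", data, ddir - 4)[0]
    imp_rva = struct.unpack_from("<I", data, ddir + 8)[0] if ndirs > 1 else 0
    if imp_rva == 0:
        return []
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sects = [struct.unpack_from("<8x4I", data, opt + opt_size + 40 * i)
             for i in range(nsect)]

    def offset(rva):
        for vsize, va, rsize, rptr in sects:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError("RVA outside all sections")

    names, pos = [], offset(imp_rva)
    while True:
        # 20-byte import descriptor; the Name RVA sits at offset 12
        name_rva = struct.unpack_from("<12xI4x", data, pos)[0]
        if name_rva == 0:                                 # zero entry ends table
            return names
        start = offset(name_rva)
        names.append(data[start:data.index(b"\0", start)].lower())
        pos += 20

def links_target(data, target=TARGET):
    """True if the image statically imports `target`; malformed input gives False."""
    try:
        return target.lower() in pe_imports(data)
    except (ValueError, KeyError, struct.error):
        return False

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            if links_target(fh.read()):
                print(path)
```

Only the static import directory is read; delay-loaded imports and libraries loaded at run time with `LoadLibrary` are not covered.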



