[Dshield] Microsoft ASN.1
dr at dursec.com
Wed Feb 11 21:32:10 GMT 2004
On February 11, 2004 12:28 pm, Lauro, John wrote:
> Was based on discussion from several sources, including bugtraq.
> No idea what the probe is going to look like. It will depend on if
> it's multi-vectored or not....
ASN.1 BER is used in _many_ places, up to and including ISDN messages :)
David Meltzer had this fine snort signature for it:
alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt";)
Now if someone wanted extra points, they would write a sw
scanner that would look through binaries for calls to the
affected bits of built-in malware so signatures could start
to be built. 'Cause the exploit guys are sure to have
such a scanner already :).
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp