[Dshield] Microsoft ASN.1

Chuck Lewis clewis at iquest.net
Thu Feb 12 17:59:54 GMT 2004


Corinne,

In regards to ASN.1 from the EXCELLENT webcast from SANS yesterday (and the
website has it archived ! :-)

Abstract Syntax Notation 1 defines how messages are exchanged between
applications regardless of OS...

If I wrote that down correctly. And I believe it was Mark that said that...

And thanks for the webcast (AND the reminder email ! !) Johannes !

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Corinne Cook
Sent: Thursday, February 12, 2004 11:39 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Microsoft ASN.1

Does anyone have any thoughts on the following related to possible ASN.1
attacks with this vulnerability:

First, how easy is this to exploit on a client versus a server?  If only
servers are patched and clients are behind firewalls how likely and how
severe could a network full of unpatched clients be?  I know Microsoft said
to patch all machines, but I know people who think this is a server side
issue almost entirely and are not going to patch clients (even remote laptop
users).

Would a home user with no firewall (stand alone, not networked) be easily
infected without some action on their part (like the Blaster infection?)?

I am new to understanding attacks such as these and I'm trying to learn some
programming and theories so I can better understand application level
vulnerabilities and attacks, so I am wondering if there are others here who
understand these better and can explain these a little better.  I know ASN.1
is more of a mother language for networking and not really a language like
C/+/#, etc., but I would assume some of the same rules hold generally true?

Thanks,

Corinne Cook

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Brian Dessent
Sent: Wednesday, February 11, 2004 4:56 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Microsoft ASN.1


Dragos Ruiu wrote:

> David Meltzer had this fine snort signature for it:
> 
> alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt")

Better hope that you have plenty of free space on the mount that
contains your log files, if you use this one...

Brian

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
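
Why the quoted signature would fill the log mount, shown as an added
example that is not part of the original thread: a small rule check
(hypothetical helpers parse_rule and lint) that flags a rule whose header
is all "any" and whose options never narrow the match. NARROW_RULE is
constructed for contrast and is not a detection for this vulnerability.

```python
import re

# The rule exactly as quoted in the thread.
PAGE_RULE = 'alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt")'
# Constructed contrast rule; addresses, port and content are placeholders.
NARROW_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 '
               '(msg:"constructed example"; flow:to_server,established; '
               'content:"EXAMPLE"; sid:1000001; rev:1;)')

# Snort option keywords that restrict which packets can match.
NARROWING = {"content", "uricontent", "pcre", "byte_test", "byte_jump",
             "dsize", "flags", "flow"}

HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(rule):
    """Split a rule into its header fields and a {keyword: value} option map."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a rule: %r" % rule)
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    opts = {}
    # Split on ';' outside double quotes; a missing trailing ';' is tolerated.
    for part in re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body):
        key, _, val = part.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip()
    return {"action": action, "proto": proto,
            "endpoints": (src, sport, dst, dport), "opts": opts}

def lint(rule):
    """Return a list of reasons the rule would alert far too often."""
    r = parse_rule(rule)
    findings = []
    if all(field == "any" for field in r["endpoints"]):
        findings.append("header matches every address and port")
    if not NARROWING & set(r["opts"]):
        findings.append("no payload, size, flag or flow option: "
                        "every packet that passes the header alerts")
    return findings

if __name__ == "__main__":
    for rule in (PAGE_RULE, NARROW_RULE):
        print(rule[:60], "->", lint(rule) or "ok")
```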