[Dshield] Microsoft ASN.1

John Hardin johnh at aproposretail.com
Thu Feb 12 18:28:16 GMT 2004


On Thu, 2004-02-12 at 08:38, Corinne Cook wrote:
> First, how easy is this to exploit on a client versus a server?

It depends on which services are exposed by the computer, not its
"logical role".

> If only servers are patched and clients are behind firewalls how
> likely and how severe could a network full of unpatched clients be?

A disaster waiting to happen. What if one of the worm's attack vectors
is an auto-executing email message? What if there's an access path you
don't know about or didn't consider (VPNs spring to mind - some of your
clients may NOT be behind firewalls). What if it's easy to attack a
browser that accesses a hostile HTTPS site? 

French-Bread security[1], while better than none, is risky.

> I know Microsoft said to patch all machines, but I know people who
> think this is a server side issue almost entirely and are not going to
> patch clients (even remote laptop users).

Keep stressing to them that this is not adequate. It's so simple to just go
to Windows Update and apply all the critical updates, why not just DO
that?

> Would a home user with no firewall (stand alone, not networked) be easily
> infected without some action on their part (like the Blaster infection?)?

Probably trivially easy given the pervasiveness of ASN.1.

> I am new to understanding attacks such as these and I'm trying to learn some
> programming and theories so I can better understand application level
> vulnerabilities and attacks, so I am wondering if there are others here who
> understand these better and can explain these a little better.  I know ASN.1
> is more of a mother language for networking and not really a language like
> C/+/#, etc., but I would assume some of the same rules hold generally true?

ASN.1 is a way to encode data in a platform-independent way. The bug is
in the way MS decodes an ASN.1 data object. An attacker would need to
develop the payload (probably an i386 worm + spam relay), encode it in
ASN.1 crafted to take advantage of the bug, and find things that use
ASN.1 that can be attacked. The payload part is straight programming.
What's different about this is the delivery mechanism. (Think of all the
different methods used to deliver a basic worm/relay/backdoor package
we've seen in the last six months.)

Some possible attack vectors off the top of my head and that others have
mentioned:
	HTTPS server certificates (attack IE)
	HTTPS client certificates (attack IIS (and apache?))
	Windows Kerberos auth (attack Windows auth)
		Any service that uses Kerberos for authentication
			Telnet server
			MS domain activity
			...?
	PPTP server auth? (attack VPN servers)
	IPsec auth using certificates (attack VPN servers)
	Basic Windows file/printer sharing? (newer systems?)
	... what else?


[1] hard on the outside, soft on the inside.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator/Guru               voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  Failure to plan ahead on someone else's part does not constitute an
  emergency on my part.
                                  - David W. Barts in a.s.r
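An added illustration of the decoding problem John describes, written for this page and not taken from the original post or from any Microsoft code: ASN.1 data on the wire (DER) is a series of tag/length/value triples, and the length field is supplied by whoever sent the data, so a decoder has to check every claimed length against the bytes it actually holds before it reads, allocates or copies. The reader below rejects truncated input, non-minimal length encodings and lengths that overrun the buffer. The function names (`der_read_tlv`, `der_count_sequence_children`) and the sample byte strings are constructed for this example and make no claim about where the Microsoft bug actually lies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of decoding one element. */
typedef enum {
    DER_OK = 0,
    DER_TRUNCATED,   /* header or length bytes run past the input */
    DER_BAD_LENGTH,  /* indefinite, reserved or non-minimal length encoding */
    DER_OVERFLOW     /* claimed value length exceeds the remaining input */
} der_status;

typedef struct {
    uint8_t tag;
    const uint8_t *value;  /* points into the caller's buffer, never copied */
    size_t length;         /* length of the value, already checked to fit */
    size_t total;          /* header + value bytes consumed by this element */
} der_tlv;

/* Decode one tag/length/value element from buf[0..len).
 * Every length the input claims is validated before it is trusted. */
der_status der_read_tlv(const uint8_t *buf, size_t len, der_tlv *out)
{
    size_t pos = 0;
    size_t length;

    if (len < 2)
        return DER_TRUNCATED;            /* need at least a tag and a length byte */
    out->tag = buf[pos++];

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        length = first;                  /* short form: one byte, value < 128 */
    } else {
        size_t nbytes = first & 0x7f;    /* long form: number of length bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return DER_BAD_LENGTH;       /* indefinite form (0x80) or 0xFF are not DER */
        if (nbytes > len - pos)
            return DER_TRUNCATED;        /* length bytes themselves are missing */
        if (buf[pos] == 0)
            return DER_BAD_LENGTH;       /* DER forbids leading zero length bytes */
        length = 0;
        for (size_t i = 0; i < nbytes; i++)
            length = (length << 8) | buf[pos++];
        if (length < 0x80)
            return DER_BAD_LENGTH;       /* should have used the short form */
    }

    if (length > len - pos)
        return DER_OVERFLOW;             /* the critical check: value must fit in input */

    out->value = buf + pos;
    out->length = length;
    out->total = pos + length;
    return DER_OK;
}

/* Walk the children of a SEQUENCE (tag 0x30) and return how many there are,
 * or -1 if the outer element or any child is malformed. Each child is
 * decoded against the parent's remaining bytes, so a child cannot escape. */
int der_count_sequence_children(const uint8_t *buf, size_t len)
{
    der_tlv seq;
    if (der_read_tlv(buf, len, &seq) != DER_OK || seq.tag != 0x30)
        return -1;

    size_t pos = 0;
    int count = 0;
    while (pos < seq.length) {
        der_tlv child;
        if (der_read_tlv(seq.value + pos, seq.length - pos, &child) != DER_OK)
            return -1;
        pos += child.total;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured from any real traffic). */
/* SEQUENCE { INTEGER 5, OCTET STRING "abc" } */
const uint8_t DER_GOOD[] = { 0x30, 0x08, 0x02, 0x01, 0x05, 0x04, 0x03, 'a', 'b', 'c' };
/* Same, but the OCTET STRING claims 127 bytes while only 3 remain. */
const uint8_t DER_BAD_CHILD[] = { 0x30, 0x08, 0x02, 0x01, 0x05, 0x04, 0x7f, 'a', 'b', 'c' };
/* SEQUENCE whose long-form length claims ~4 GiB in an 8-byte buffer. */
const uint8_t DER_HUGE[] = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 };

int main(void)
{
    der_tlv t;
    printf("good sequence: %d children\n", der_count_sequence_children(DER_GOOD, sizeof DER_GOOD));
    printf("bad child:     %d\n", der_count_sequence_children(DER_BAD_CHILD, sizeof DER_BAD_CHILD));
    printf("huge length:   status %d\n", der_read_tlv(DER_HUGE, sizeof DER_HUGE, &t));
    return 0;
}
```

The point of the `DER_OVERFLOW` branch is that the length is compared with `len - pos`, the bytes that actually remain, before `value` is ever handed to the caller; a decoder that instead allocates or copies on the basis of the claimed length alone is trusting the sender.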




More information about the list mailing list