[Dshield] Microsoft ASN.1

Corinne Cook corinnec at abdi.com
Thu Feb 12 19:14:50 GMT 2004


Thank you, John!  This is exactly what I was looking for.  I thought the
same but didn't have the examples to put to it as I didn't have much
previous knowledge of ASN.1.  I knew it was in how MS implemented it
somehow.  The VPN vector is scary as MS' VPN solution is popular in that it
is essentially free.

Regards, 

Corinne

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of John Hardin
Sent: Thursday, February 12, 2004 10:28 AM
To: General DShield Discussion List
Subject: RE: [Dshield] Microsoft ASN.1


On Thu, 2004-02-12 at 08:38, Corinne Cook wrote:
> First, how easy is this to exploit on a client versus a server?

It depends on which services are exposed by the computer, not its "logical
role".

> If only servers are patched and clients are behind firewalls how 
> likely and how severe could a network full of unpatched clients be?

A disaster waiting to happen. What if one of the worm's attack vectors is an
auto-executing email message? What if there's an access path you don't know
about or didn't consider (VPNs spring to mind - some of your clients may NOT
be behind firewalls). What if it's easy to attack a browser that accesses a
hostile HTTPS site? 

French-Bread security[1], while better than none, is risky.

> I know Microsoft said to patch all machines, but I know people who 
> think this is a server side issue almost entirely and are not going to 
> patch clients (even remote laptop users).

Keep stressing to them that this is not adequate. It's so simple to just go to
Windows Update and apply all the critical updates, why not just DO that?

> Would a home user with no firewall (stand alone, not networked) be 
> easily infected without some action on their part (like the Blaster 
> infection?)?

Probably trivially easy given the pervasiveness of ASN.1.

> I am new to understanding attacks such as these and I'm trying to 
> learn some programming and theories so I can better understand 
> application level vulnerabilities and attacks, so I am wondering if 
> there are others here who understand these better and can explain 
> these a little better.  I know ASN.1 is more of a mother language for 
> networking and not really a language like C/+/#, etc., but I would 
> assume some of the same rules hold generally true?

ASN.1 is a way to encode data in a platform-independent way. The bug is in
the way MS decodes an ASN.1 data object. An attacker would need to develop
the payload (probably an i386 worm + spam relay), encode it in ASN.1 crafted
to take advantage of the bug, and find things that use ASN.1 that can be
attacked. The payload part is straight programming. What's different about
this is the delivery mechanism. (Think of all the different methods used to
deliver a basic worm/relay/backdoor package we've seen in the last six
months.)

Some possible attack vectors off the top of my head and that others have
mentioned:
	HTTPS server certificates (attack IE)
	HTTPS client certificates (attack IIS (and apache?))
	Windows Kerberos auth (attack Windows auth)
		Any service that uses Kerberos for authentication
			Telnet server
			MS domain activity
			...?
	PPTP server auth? (attack VPN servers)
	IPsec auth using certificates (attack VPN servers)
	Basic Windows file/printer sharing? (newer systems?)
	... what else?


[1] hard on the outside, soft on the inside.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator/Guru               voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  Failure to plan ahead on someone else's part does not constitute an
  emergency on my part.
                                  - David W. Barts in a.s.r

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
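The thread above describes the bug class without showing what a decoder has to get right: a DER length is attacker-controlled data that must be checked against the bytes actually present before anything is read or copied. This added example (not code from the list, from Microsoft, or from any real decoder) is a minimal tag/length/value reader making those checks; all sample buffers are constructed.

```c
/* Added example, not code from the thread: a minimal DER tag/length/value
 * reader that makes the checks a decoder must make before trusting a
 * declared length. The sample buffers at the bottom are constructed. */
#include <stddef.h>
#include <stdint.h>
/* Parse one TLV header. Returns header size (>0), or 0 if rejected: truncated
 * header, indefinite/reserved or non-minimal length, or a length too large. */
size_t der_read_tlv(const uint8_t *buf, size_t len, uint8_t *tag,
                    size_t *vlen, const uint8_t **value)
{
    size_t pos = 0, l = 0;
    if (len < 2) return 0;                   /* need tag + first length byte */
    *tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {                      /* short form: length < 128 */
        l = first;
    } else {                                 /* long form: n more length bytes */
        size_t n = first & 0x7F;
        if (n == 0 || n == 0x7F) return 0;   /* indefinite or reserved: not DER */
        if (n > sizeof(size_t) || n > len - pos) return 0;
        if (buf[pos] == 0) return 0;         /* leading zero byte: non-minimal */
        for (size_t i = 0; i < n; i++)
            l = (l << 8) | buf[pos++];
        if (l < 0x80) return 0;              /* should have used the short form */
    }
    /* Compare against what remains rather than computing pos + l, which could
     * wrap around on a 32-bit size_t and let a bogus length through. */
    if (l > len - pos) return 0;
    *vlen = l;
    *value = buf + pos;
    return pos;
}

/* Walk consecutive TLVs; return the count, or -1 at the first bad element. */
int der_count_elements(const uint8_t *buf, size_t len)
{
    int count = 0;
    for (size_t pos = 0; pos < len; count++) {
        uint8_t tag; size_t vlen; const uint8_t *val;
        size_t hdr = der_read_tlv(buf + pos, len - pos, &tag, &vlen, &val);
        if (hdr == 0) return -1;
        pos += hdr + vlen;                   /* bounded by len: checked above */
    }
    return count;
}
/* Constructed: INTEGER 5 + OCTET STRING "hi"; same with length 5 for 2 bytes;
 * and a long-form length of 0xFFFFFFFF, which an overflowing add would miss. */
static const uint8_t SAMPLE_OK[]    = {0x02,0x01,0x05, 0x04,0x02,'h','i'};
static const uint8_t SAMPLE_SHORT[] = {0x02,0x01,0x05, 0x04,0x05,'h','i'};
static const uint8_t SAMPLE_HUGE[]  = {0x04,0x84,0xFF,0xFF,0xFF,0xFF,'x'};
```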
