Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption

To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject: Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
From: Timothy J.Miller <cerebus@xxxxxxxxxxxxx>
Date: Wed, 11 Feb 2004 08:19:31 -0600
In-reply-to: <s029f30d.027@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <s029f30d.027@xxxxxxxxxxxxxxx>

On Feb 10, 2004, at 4:16 PM, Tim Eddy wrote:

Marc,

If we remove the default exemptions for Kerberos & RSVP from IPSEC with
the "NoDefaultExempt" registry key, this still passes IKE. Therefore is
IKE vulnerable to the ASN bug?

Very likely, as IKE data is marshaled into ASN.1 format. The fun partabout ASN.1 is it's so damn useful you tend to use it *everywhere*.

Is anyone else wondering why MS didn't fix this with the last round ofASN.1 decoding overflow vulnerabilities (remember the SNMP hole)? It'sbasically the same problem.


-- Cerebus

Follow-Ups:
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
  - From: Florian Weimer

References:
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
  - From: Tim Eddy

Prev by Date: Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow
Next by Date: Update - CheckPoint Vulnerabilities
Previous by thread: RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
Next by thread: Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
Index(es):
- Date
- Thread