<<< Date Index >>>     <<< Thread Index >>>

Re: Mico crashes when contected with wrong IOR / DoS




Hi Christoph,

I'm not angry at all and I hope you are neither. Thank you for taking time and provide us with nice way how to duplicate the issue. Also to give us time to fix it before full disclosure which has not been used due to communication/organization issues. Anyway, points taken, we (MICO community) should provide single email address for all vulnerability reports. I've added JacORB notes in my original reply since I've thought you were also testing the issue with JacORB, perhaps I've read this in some of your files.

Thanks,
Karel

On Mon, 10 Jul 2006, tuergeist wrote:

Hi,

I would just give my 2ct

I would just like to add some corrections to disclosure below.


> == 1. Affected Vendor ==
>   Object Security

This information is incorrect. ObjectSecurity is not the vendor of the
MICO ORB. MICO is a free software project licensed under LGPL/GPL
licenses. ObjectSecurity is its long time user and contributor besides
lots of other companies and supporters.
Ok. Commercially supported by the CORBA specialists: Object Security.
However, look @ point 2 "Open Source ORB". I think it was clear.

> == 3. Vulnerability ==
>   MICO crashes when contacted with wrong object key (part: orb-id or
>   orb-creation time)

Side note: object ID is opaque value, so we do not distinguish any part of
it as orb-id or orb-creation time. Perhaps you get this knowledge from
other ORB, but this is strickly ORB dependent.
Yes. I know, object ID is opaque value. But I took a look into the
sources - I was only to give extra information.

> == 4. Safety Hazard ==
>   critical, potential Denial-of-Service
>
> == 5. Disclosure Timeline ==
>   2006-06-27 Problem found and analysed / tested with other versions
>   2006-06-29 Vulnerability reported to vendor and MICOs
>                devel-mailing-list

Unfortunately your email has not come to mico-devel@xxxxxxxx mailing list
yet. Also if you would like to contact directly ObjectSecurity with some
security issue, please consider using security@xxxxxxxxxxxxxxxxxx email
address next time.

At 29.06.2006 12:43 CEST I wrote you AND mico-devel, but my "message
to Mico-devel awaits moderator approval" - This is definitely NOT my
problem.

> == 7. Patch / Workaround ==
>   No Patch avaible yet.

Patch is already available and the main MICO download page contains a link
to it: http://mico.org/down.html
Was not at time of full-disclosure. I updated this, when update was avaible.

>       $ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
>     orb.string_to_object             ... ok
>     object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
>     vmcid: SUN  minor code: 208 completed: Maybe

Side note: if you test fixed MICO together with your ping utility
running on top of JacORB, you will get COMM_FAILURE exception
too. That's because of a bug in JacORB [...]
As you can see, I am not using JacORB, I am not related to JacORB or
sth. else. In this example I used the SUN JDK ORB. Read, think,
answer. I wrote "It's also possible to use JacORBs pingo.." "also" in
this case doesn't mean "exactly"

The point wasn't what my client said - the point was, that mico crashed!!!

regarding JacORB: report it to the JacORB community, not to me.

Regards,
Christoph

p.s. The other way is not to contact you or full disclosure but
selling the information. So, don't look back in anger.


--
Karel Gardas                  kgardas@xxxxxxxxxxxxxxxxxx
ObjectSecurity Ltd.           http://www.objectsecurity.com