SANS ISC: InfoSec Handlers Diary Blog



Windows Source Code; How to Detect ASN.1 Exploits

Published: 2004-02-13
Last Updated: 2004-02-14 03:51:18 UTC
by Marcus Sachs (Version: 1)
Windows Source Code. As most of the infosec community knows, the big buzz over the past 24 hours was the reported leakage of Windows 2000 and Windows NT 4.0 source code. We are only mentioning it in the diary since we have received numerous requests yesterday and today for copies of the code or pointers to where it is located. The SANS Internet Storm Center does not condone unauthorized duplication of copyrighted software, and respects Microsoft's desire to protect their intellectual property.



How to Detect ASN.1 Exploits. MS04-007 contains details on a significant flaw in the .dll file that handles the parsing of Abstract Syntax Notation One (ASN.1) Basic Encoding Rules (BER). Similar ASN.1 BER implementation flaws in SNMP were the subject of a 2001 study by the University of Oulu, Finland, which was published in early 2002. ASN.1 is a formal language for abstractly describing messages to be exchanged among an extensive range of applications, such as:


- Cellular phone, 800-number phone call routing, and Signaling System 7 (SS7)

- Air traffic control systems

- Package tracking

- SCADA systems

- SNMP, LDAP, SSL, and other common protocols

- X.9 financial transaction protocols

- RSA public key cryptographic standards

- T.120, H.323, X.400, and X.500 standards


The flaws in Microsoft's implementation of the ASN.1 encoding rules are a reminder that other software vendors and developers need to continue reviewing their own implementations to ensure that they have not overlooked potential errors and flaws.


In the past few days the ISC was asked if there are ways to detect exploits directed at ASN.1 encoding rule implementation vulnerabilities. The short answer to that question is, "it depends." It depends on the specific code module that has the flaw and the services or applications that depend on it. Any of the applications that depend on the flawed Microsoft .dll file are vulnerable to an exploit, but the form of that exploit will depend on the way the application interacts with the .dll file.
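One application-independent check a sensor or a code reviewer can apply to BER input is structural: every declared length must fit inside the element that encloses it. The sketch below is an added example, not part of the original diary and not a signature for MS04-007; it generalizes beyond the diary text, and the function name, the 4-octet length-width threshold and the sample bytes are assumptions constructed for illustration.

```python
def ber_anomalies(buf, base=0, depth=0, max_depth=32):
    """Walk BER TLVs in buf; return [(offset, reason)] for structural anomalies."""
    if depth > max_depth:
        return [(base, "nesting deeper than max_depth")]
    out, i = [], 0
    while i < len(buf):
        start = i
        ident = buf[i]
        i += 1
        if ident & 0x1F == 0x1F:              # high-tag-number form
            while i < len(buf) and buf[i] & 0x80:
                i += 1
            i += 1                            # final tag octet
        if i >= len(buf):
            out.append((base + start, "truncated before length octet"))
            break
        first = buf[i]
        i += 1
        if first == 0x80:                     # indefinite form
            if not ident & 0x20:
                out.append((base + start, "indefinite length on primitive type"))
            # Contents run to an end-of-contents marker: walk the rest as children.
            return out + ber_anomalies(buf[i:], base + i, depth + 1, max_depth)
        if first < 0x80:                      # short form
            length = first
        else:                                 # long form: first & 0x7F length octets
            n = first & 0x7F
            if n == 0x7F or i + n > len(buf):
                out.append((base + start, "reserved or truncated length field"))
                break
            if n > 4:                         # assumed threshold, tune per protocol
                out.append((base + start, "length field wider than 4 octets"))
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if length > len(buf) - i:
            out.append((base + start,
                        f"declared length {length} exceeds {len(buf) - i} remaining octets"))
            break
        if ident & 0x20:                      # constructed: recurse into contents
            out += ber_anomalies(buf[i:i + length], base + i, depth + 1, max_depth)
        i += length
    return out

# Constructed samples: SEQUENCE { INTEGER 5, OCTET STRING ... }
GOOD = bytes.fromhex("300702010504026869")
BAD = bytes.fromhex("30090201050484ffffffff")  # inner length 0xFFFFFFFF, no contents

if __name__ == "__main__":
    print(ber_anomalies(GOOD), ber_anomalies(BAD))
```

Where the BER data sits inside a given protocol, and therefore which bytes to hand to such a check, still depends on the application, as the paragraph above says.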



A note to the ladies - Happy Valentine's Day! (Guys - don't forget!)



Marcus H. Sachs

The SANS Institute

Handler on duty

