[33660] in bugtraq


Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption

daemon@ATHENA.MIT.EDU (Timothy J.Miller)
Thu Feb 12 17:33:24 2004

Mime-Version: 1.0 (Apple Message framework v612)
In-Reply-To: <s029f30d.027@stgeorge.com.au>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <4F66187B-5C9D-11D8-A5F9-00039359BF60@sackheads.org>
Content-Transfer-Encoding: 7bit
From: "Timothy J.Miller" <cerebus@sackheads.org>
Date: Wed, 11 Feb 2004 08:19:31 -0600
To: BUGTRAQ@securityfocus.com

On Feb 10, 2004, at 4:16 PM, Tim Eddy wrote:

> Marc,
>
> If we remove the default exemptions for Kerberos & RSVP from IPSEC with
> the "NoDefaultExempt" registry key, this still passes IKE. Therefore is
> IKE vulnerable to the ASN bug?

Very likely, as IKE data is marshaled into ASN.1 format.  The fun part 
about ASN.1 is it's so damn useful you tend to use it *everywhere*.

Is anyone else wondering why MS didn't fix this with the last round of 
ASN.1 decoding overflow vulnerabilities (remember the SNMP hole)?  It's 
basically the same problem.

-- Cerebus
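The bug class this thread is about is a BER/DER length field that a decoder trusts when sizing or copying a value. As an added illustration (not code from the thread, eEye, or Microsoft's library), here is a bounds-checked BER tag-length header parser that rejects the encodings such a bug would be triggered by: lengths that wrap the offset arithmetic, lengths wider than size_t, length octets that run off the end of the input, indefinite and non-minimal forms. All sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one BER tag-length header (single-byte tags only). */
typedef struct {
    uint8_t tag;       /* identifier octet */
    size_t  hdr_len;   /* octets consumed by tag + length encoding */
    size_t  value_len; /* declared length of the value that follows */
} ber_hdr;

/* Parse a BER header from buf[0..buf_len). Returns 1 on success, 0 on any
 * malformed or unsafe encoding. Every arithmetic step is checked so that an
 * attacker-chosen length can never wrap or point past the buffer; the caller
 * may then safely use buf + hdr_len for value_len bytes. */
int ber_parse_header(const uint8_t *buf, size_t buf_len, ber_hdr *out)
{
    size_t pos = 0, len;
    if (buf_len < 2) return 0;                     /* need tag + 1 length octet */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1F) == 0x1F) return 0;            /* high-tag-number form: not handled */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                               /* short form, 0..127 */
    } else {
        size_t n = first & 0x7F;                   /* number of length octets */
        if (n == 0) return 0;                      /* indefinite length: reject */
        if (n > sizeof(size_t)) return 0;          /* cannot fit in size_t */
        if (n > buf_len - pos) return 0;           /* length octets truncated */
        len = 0;
        for (size_t i = 0; i < n; i++) {
            if (len > (SIZE_MAX >> 8)) return 0;   /* next shift would overflow */
            len = (len << 8) | buf[pos++];
        }
        if (len < 0x80) return 0;                  /* non-minimal long form */
    }
    /* Compare against remaining bytes instead of computing pos + len, so the
     * check itself cannot overflow: this is the check a length-overflow bug lacks. */
    if (len > buf_len - pos) return 0;
    out->tag = tag; out->hdr_len = pos; out->value_len = len;
    return 1;
}

int main(void)
{
    const uint8_t octets[] = {0x04, 0x03, 'a', 'b', 'c'};     /* constructed OCTET STRING */
    ber_hdr h;
    if (ber_parse_header(octets, sizeof octets, &h))
        printf("tag=0x%02x header=%zu value=%zu\n", h.tag, h.hdr_len, h.value_len);
    return 0;
}
```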

