Bugtraq mailing list archives
RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
From: <peter.huang () ossecurity ca>
Date: Wed, 11 Feb 2004 19:53:51 -0500
From the MS04-07 bulletin, Windows 9x is not mentioned. Someone has asked
whether Windows 98 is vulnerable to this attack or not. It could be that Windows 98/ME are vulnerable to this attack through the installation of Office suite. The following link refers to the msasn1.dll on Windows ME. But, Windows ME is not included in the security bulletin on Microsoft website. Then, the question is whether Windows ME is vulnerable to this attack? http://216.239.41.104/search?q=cache:bi0p-l5diJ4J:24.229.94.2/crypt32_import s.html+ASN1BERDecOctetString&hl=en&ie=UTF-8 Below are a snapshot for usage of MSASN1.DLL. What a "monoculture vulnerability" as far as the DLL base address is concerned! ======================== On Windows NT: 30 Module: 6af00000: C:\WINNT\System32\MSAsn1.DLL for E:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE On Windows 2K: 30 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for \??\F:\WIN2K\SYSTEM32\WINLOGON.EXE 58 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SERVICES.EXE 16 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\LSASS.EXE 47 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SPOOLSV.EXE 56 Module: 77430000: f:\win2k\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\SVCHOST.EXE 40 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\PROGRA~1\MICROS~3\MSSQL\BINN\SQLSERVR.EXE 26 Module: 77430000: F:\WIN2K\system32\MSASN1.DLL for F:\WIN2K\SYSTEM32\INETSRV\INETINFO.EXE 11 Module: 77430000: F:\WIN2K\System32\MSASN1.DLL for F:\WIN2K\SYSTEM32\MQSVC.EXE On Windows XP: 11 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for \??\C:\WINDOWS\SYSTEM32\WINLOGON.EXE 15 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\LSASS.EXE 39 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SVCHOST.EXE 20 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SVCHOST.EXE 24 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\SYSTEM32\SPOOLSV.EXE 40 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\EXPLORER.EXE 34 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE 29 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\WINDOWS\HH.EXE 67 Module: 762a0000: C:\WINDOWS\system32\MSASN1.dll for C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\ACROBAT\ACROBAT.EXE ======================== So, it seems that potential exploit of this vulnerability can be direct like DCOM-RPC or through emails or even PDF files? Peter Huang http://www.ossecurity.ca/ MyDoom, YourDoom, are we all doomed?
-----Original Message----- From: Marc Maiffret [mailto:mmaiffret () eeye com] Sent: Tuesday, February 10, 2004 3:47 PM To: Tina Bird Cc: Joe Blatz; BUGTRAQ () securityfocus com Subject: RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
Current thread:
- EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Marc Maiffret (Feb 10)
- <Possible follow-ups>
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Joe Blatz (Feb 10)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Marc Maiffret (Feb 10)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Tina Bird (Feb 10)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption James Riden (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Marc Maiffret (Feb 10)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption peter.huang (Feb 12)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Tim Eddy (Feb 10)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Peter Pentchev (Feb 12)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Timothy J . Miller (Feb 12)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Florian Weimer (Feb 16)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Rainer Gerhards (Feb 10)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Tina Bird (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Alun Jones (Feb 11)
- RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Rainer Gerhards (Feb 11)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Steve Friedl (Feb 12)
- Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption Thor Lancelot Simon (Feb 13)
(Thread continues...)