[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040213060431.GA7432@panix.com>
Date: Fri, 13 Feb 2004 01:04:31 -0500
From: Thor Lancelot Simon <tls@....tjls.com>
To: bugtraq@...urityfocus.com
Subject: Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
On Wed, Feb 11, 2004 at 10:10:32AM +0100, Rainer Gerhards wrote:
>
> As of my understanding (I haven't tried to reproduce, just theory here),
> ASN.1 is not only used for AD, but also for NTLM authentication. Even if
> that is not the case, there are several cases where ASN.1 is used. And
> "invoking BER decoding capabilities" (from the MS Advisory) may sound
> like something seldomly done... In fact, if you receive ASN.1 on the
> wire, you need to decode BER because this is the way you get hold of the
> message content. It is the same thing as "decoding the SMTP message" is
That's not actually correct. Most network protocols use the
"Distinguished Encoding Rules" (DER) not the "Basic Encoding Rules"
(BER). BER is an abomination and should never, ever have been in
the standard; the only protocol commonly used over IP that uses BER
is LDAP, because it descends from DAP, which used BER.
So you can't reasonably assume that if it uses ASN.1, it uses
BER. That's presumably why Microsoft left certain ASN.1-using
network services turned on.
Thor
Powered by blists - more mailing lists