Message-ID: <20040217113359.H37199-100000@birmingham-infragard.org>
Date: Tue, 17 Feb 2004 11:34:47 +0000 (GMT)
From: daniel uriah clemens <daniel_clemens@...ism.birmingham-infragard.org>
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: Gadi Evron <ge@...tistical.reprehensible.net>,
<bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
Zak Dechovich <ZakGroups@...ureol.com>
Subject: Re: [Full-Disclosure] ASN.1 telephony critical infrastructure warning
- VOIP
Here are some more details on various things that use ASN.1
http://asn1.elibel.tm.fr/en/uses/rfc.htm
-Dan
On Tue, 17 Feb 2004, 3APA3A wrote:
> Dear Gadi Evron,
>
> ASN.1 is used by many services, but all use different underlying
> protocols. It's not likely NetMeeting or MS ISA server to be primary
> attack targets. Attack against MS IPSec implementation, Exchange,
> SMB/CIFS, RPC services, IIS and specially IE will not have impact to VoIP
> infrastructure (except connectivity degradation because of massive
> traffic). And these applications are more likely to be attack target.
>
> --Tuesday, February 17, 2004, 6:37:53 PM, you wrote to bugtraq@...urityfocus.com:
>
> GE> I apologize, but I am using these mailing lists to try and contact the
> GE> different */CERT teams for different countries.
>
> GE> As we all know, ASN.1 is a new very easy to exploit vulnerability. It
> GE> attacks both the server and the end user (IIS and IE).
>
> GE> We expect a new massive worm to come out exploiting this vulnerability
> GE> in the next few days.
>
> GE> Why should this all interest you beyond it being the next blaster?
>
> GE> ASN is what VOIP is based on, and thus the critical infrastructure for
> GE> telephony which is based on VOIP.
>
> GE> This may be a false alarm, but you know how worms find their way into
> GE> every network, private or public. It could (maybe) potentially bring the
> GE> system down.
>
> GE> I am raising the red flag, better safe than sorry.
>
> GE> The two email messages below are from Zak Dechovich and myself on this
> GE> subject, to TH-Research (The Trojan Horses Research Mailing List). The
> GE> original red flag as you can see below, was raised by Zak. Skip to his
> GE> message if you like.
>
> GE> Gadi Evron.
>
>
>
> GE> Subject: [TH-research] */CERT people: Critical Infrastructure and ASN.1
> GE> - VOIP [WAS: Re:
> GE> [TH-research] OT: naming the fast approaching ASN.1 worm]
>
> GE> Mail from Gadi Evron <ge@...uxbox.org>
>
> GE> All the */CERT people on the list:
> GE> If you haven't read the post below, please do.
>
> GE> Anyone checked into the critical infrastructure survivability of an ASN
> GE> worm hitting? phone systems could possibly go down. We all know how
> GE> worms find their way into any network, private or otherwise. and VOIP
> GE> systems (which phone systems are based on nowadays) could go down.
>
> GE> Heads-up! Finds them contingency plans.. :o)
>
> GE> Any information would be appreciated, or if you need more information
> GE> from us: +972-50-428610.
>
> GE> Gadi Evron.
>
>
> GE> Zak Dechovich wrote:
>
> >> Mail from Zak Dechovich <ZakGroups@...UREOL.COM>
> >>
> >> May I suggest the following:
> >>
> >> ASN1 is mainly used for the telephony infrastructure (VoIP),
> >> any code that attacks this infrastructure can be assigned with 'VoIP'
> >> prefix, followed by the attacked vendor (cisco, telrad, microsoft, etc.).
> >>
> >> for example, if (when) Microsoft's h323 stack will be attacked, the name
> >> should be VoIP.ms323.<variant>, or if Cisco's gatekeepers will crash, let's
> >> call it VoIP.csgk.<variant>
> >>
> >> Your thoughts ?
> >>
> >> Zak Dechovich,
> >>
> >> Zak Dechovich,
> >> Managing Director
> >> SecureOL Ltd.
> >> Mobile: +972 (53) 828 656
> >> Office: +972 (2) 675 1291
> >> Fax: +972 (2) 675 1195
>
> GE> -
> GE> TH-Research, the Trojan Horses Research mailing list.
> GE> List home page: http://ecompute.org/th-list
>
> GE> _______________________________________________
> GE> Full-Disclosure - We believe in it.
> GE> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> --
> ~/ZARAZA
> Sir Isaac Newton discovered that apples fall to the ground. (Twain)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
-Moments of Sorrow are Moments of Sobriety
{ o)2059686335 c)2055676850 }