lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <be10f1c50607100819q38639640t8ee92abc44d0a128@mail.gmail.com>
Date: Mon Jul 10 16:19:41 2006
From: tuergeist at googlemail.com (tuergeist)
Subject: Re: Mico crashes when contected with wrong IOR /
	DoS

Hi,

I would just give my 2ct

> I would just like to add some corrections to disclosure below.
>

> > == 1. Affected Vendor ==
> >   Object Security
>
> This information is incorrect. ObjectSecurity is not the vendor of the
> MICO ORB. MICO is a free software project licensed under LGPL/GPL
> licenses. ObjectSecurity is its long time user and contributor besides
> lots of other companies and supporters.
Ok. Commercially supported by the CORBA specialists: Object Security.
However, look @ point 2 "Open Source ORB". I think it was clear.

> > == 3. Vulnerability ==
> >   MICO crashes when contacted with wrong object key (part: orb-id or
> >   orb-creation time)
>
> Side note: object ID is opaque value, so we do not distinguish any part of
> it as orb-id or orb-creation time. Perhaps you get this knowledge from
> other ORB, but this is strickly ORB dependent.
Yes. I know, object ID is opaque value. But I took a look into the
sources - I was only to give extra information.

> > == 4. Safety Hazard ==
> >   critical, potential Denial-of-Service
> >
> > == 5. Disclosure Timeline ==
> >   2006-06-27 Problem found and analysed / tested with other versions
> >   2006-06-29 Vulnerability reported to vendor and MICOs
> >                devel-mailing-list
>
> Unfortunately your email has not come to mico-devel@...o.org mailing list
> yet. Also if you would like to contact directly ObjectSecurity with some
> security issue, please consider using security@...ectsecurity.com email
> address next time.
>
At 29.06.2006 12:43 CEST I wrote you AND mico-devel, but my "message
to Mico-devel awaits moderator approval" - This is definitely NOT my
problem.

> > == 7. Patch / Workaround ==
> >   No Patch avaible yet.
>
> Patch is already available and the main MICO download page contains a link
> to it: http://mico.org/down.html
Was not at time of full-disclosure. I updated this, when update was avaible.

> >       $ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
> >     orb.string_to_object             ... ok
> >     object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
> >     vmcid: SUN  minor code: 208 completed: Maybe
>
> Side note: if you test fixed MICO together with your ping utility
> running on top of JacORB, you will get COMM_FAILURE exception
> too. That's because of a bug in JacORB [...]
As you can see, I am not using JacORB, I am not related to JacORB or
sth. else. In this example I used the SUN JDK ORB. Read, think,
answer. I wrote "It's also possible to use JacORBs pingo.." "also" in
this case doesn't mean "exactly"

The point wasn't what my client said - the point was, that mico crashed!!!

regarding JacORB: report it to the JacORB community, not to me.

Regards,
 Christoph

p.s. The other way is not to contact you or full disclosure but
selling the information. So, don't look back in anger.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ