[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.63.0607101921400.3835@silence.gardas.net>
Date: Mon Jul 10 21:11:11 2006
From: kgardas at objectsecurity.com (Karel Gardas)
Subject: Re: Mico crashes when contected with wrong IOR /
DoS
Hi Christoph,
I'm not angry at all and I hope you are neither. Thank you for taking time
and provide us with nice way how to duplicate the issue. Also to give us
time to fix it before full disclosure which has not been used due to
communication/organization issues. Anyway, points taken, we (MICO
community) should provide single email address for all vulnerability
reports. I've added JacORB notes in my original reply since I've thought
you were also testing the issue with JacORB, perhaps I've read this in
some of your files.
Thanks,
Karel
On Mon, 10 Jul 2006, tuergeist wrote:
> Hi,
>
> I would just give my 2ct
>
>> I would just like to add some corrections to disclosure below.
>>
>
>> > == 1. Affected Vendor ==
>> > Object Security
>>
>> This information is incorrect. ObjectSecurity is not the vendor of the
>> MICO ORB. MICO is a free software project licensed under LGPL/GPL
>> licenses. ObjectSecurity is its long time user and contributor besides
>> lots of other companies and supporters.
> Ok. Commercially supported by the CORBA specialists: Object Security.
> However, look @ point 2 "Open Source ORB". I think it was clear.
>
>> > == 3. Vulnerability ==
>> > MICO crashes when contacted with wrong object key (part: orb-id or
>> > orb-creation time)
>>
>> Side note: object ID is opaque value, so we do not distinguish any part of
>> it as orb-id or orb-creation time. Perhaps you get this knowledge from
>> other ORB, but this is strickly ORB dependent.
> Yes. I know, object ID is opaque value. But I took a look into the
> sources - I was only to give extra information.
>
>> > == 4. Safety Hazard ==
>> > critical, potential Denial-of-Service
>> >
>> > == 5. Disclosure Timeline ==
>> > 2006-06-27 Problem found and analysed / tested with other versions
>> > 2006-06-29 Vulnerability reported to vendor and MICOs
>> > devel-mailing-list
>>
>> Unfortunately your email has not come to mico-devel@...o.org mailing list
>> yet. Also if you would like to contact directly ObjectSecurity with some
>> security issue, please consider using security@...ectsecurity.com email
>> address next time.
>>
> At 29.06.2006 12:43 CEST I wrote you AND mico-devel, but my "message
> to Mico-devel awaits moderator approval" - This is definitely NOT my
> problem.
>
>> > == 7. Patch / Workaround ==
>> > No Patch avaible yet.
>>
>> Patch is already available and the main MICO download page contains a link
>> to it: http://mico.org/down.html
> Was not at time of full-disclosure. I updated this, when update was avaible.
>
>> > $ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
>> > orb.string_to_object ... ok
>> > object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
>> > vmcid: SUN minor code: 208 completed: Maybe
>>
>> Side note: if you test fixed MICO together with your ping utility
>> running on top of JacORB, you will get COMM_FAILURE exception
>> too. That's because of a bug in JacORB [...]
> As you can see, I am not using JacORB, I am not related to JacORB or
> sth. else. In this example I used the SUN JDK ORB. Read, think,
> answer. I wrote "It's also possible to use JacORBs pingo.." "also" in
> this case doesn't mean "exactly"
>
> The point wasn't what my client said - the point was, that mico crashed!!!
>
> regarding JacORB: report it to the JacORB community, not to me.
>
> Regards,
> Christoph
>
> p.s. The other way is not to contact you or full disclosure but
> selling the information. So, don't look back in anger.
>
--
Karel Gardas kgardas@...ectsecurity.com
ObjectSecurity Ltd. http://www.objectsecurity.com
Powered by blists - more mailing lists