Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
BID:9633
Info
Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
| Bugtraq ID: | 9633 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2003-0818 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 10 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery of this vulnerability has been credited to eEye Digital Security. |
| Vulnerable: |
Yahoo! Messenger 5.6 .0.1358 Yahoo! Messenger 5.6 .0.1356 Yahoo! Messenger 5.6 .0.1355 Yahoo! Messenger 5.6 .0.1351 Yahoo! Messenger 5.6 .0.1347 Yahoo! Messenger 5.6 VanDyke SecureCRT 4.0.5 VanDyke SecureCRT 4.0.4 VanDyke SecureCRT 4.0.3 VanDyke SecureCRT 4.0.2 VanDyke SecureCRT 4.0.1 VanDyke SecureCRT 3.4.8 VanDyke SecureCRT 3.4.7 VanDyke SecureCRT 3.4.6 VanDyke SecureCRT 3.4.5 VanDyke SecureCRT 3.4.4 VanDyke SecureCRT 3.4.3 VanDyke SecureCRT 3.4.2 VanDyke SecureCRT 3.4.1 VanDyke SecureCRT 3.4 VanDyke SecureCRT 3.3.4 VanDyke SecureCRT 3.3.3 VanDyke SecureCRT 3.3.2 VanDyke SecureCRT 3.3.1 VanDyke SecureCRT 3.3 VanDyke SecureCRT 3.2.2 VanDyke SecureCRT 3.2.1 VanDyke SecureCRT 3.2 VanDyke SecureCRT 3.1.2 VanDyke SecureCRT 3.1.1 VanDyke SecureCRT 3.1 VanDyke SecureCRT 3.0 VanDyke SecureCRT 2.4 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP 64-bit Edition Version 2003 SP1 Microsoft Windows XP 64-bit Edition Version 2003 Microsoft Windows XP 64-bit Edition SP1 Microsoft Windows XP 64-bit Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Enterprise Edition Itanium 0 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter Edition Itanium 0 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows NT Workstation 4.0 SP6a Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT Workstation 4.0 SP5 Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Terminal Server 4.0 SP6 Microsoft Windows NT Terminal Server 4.0 SP5 Microsoft Windows NT Terminal Server 4.0 SP4 Microsoft Windows NT Terminal Server 4.0 SP3 Microsoft Windows NT Terminal Server 4.0 SP2 Microsoft Windows NT Terminal Server 4.0 SP1 Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT Server 4.0 SP6a Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP3 Microsoft Windows NT Server 4.0 SP2 Microsoft Windows NT Server 4.0 SP1 Microsoft Windows NT Server 4.0 Microsoft Windows 98SE Microsoft Windows 98 Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Professional SP3 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server Microsoft Small Business Server 2000 0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft IIS 6.0 Microsoft IIS 5.1 Microsoft IIS 5.0 Microsoft Exchange Server 2003 Microsoft Exchange Server 2000 SP3 Microsoft Exchange Server 2000 SP2 Microsoft Exchange Server 2000 SP1 Microsoft Exchange Server 2000 Intuit Quicken 2003 AOL Instant Messenger 5.2.3292 AOL Instant Messenger 5.1.3036 AOL Instant Messenger 5.0.2938 |
| Not Vulnerable: | |
Discussion
Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
A vulnerability has been reported in the Microsoft ASN.1 library. This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data. This could result in an excessive value being used in a heap allocation routine, allowing for large amounts of heap memory to be corrupted. This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code.
This vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time.
It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.
A vulnerability has been reported in the Microsoft ASN.1 library. This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data. This could result in an excessive value being used in a heap allocation routine, allowing for large amounts of heap memory to be corrupted. This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code.
This vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time.
It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.
Exploit / POC
Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
It has been reported that the discoverers of this vulnerability have developed a proof-of-concept exploit. This exploit is not publicly available nor believed to be circulating in the wild.
CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.
It has been reported that the discoverers of this vulnerability have developed a proof-of-concept exploit. This exploit is not publicly available nor believed to be circulating in the wild.
CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.
Solution / Fix
Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
Solution:
It has been alleged that an official patch to address this issue in Microsoft Windows 98 systems is available to customers who possess a current support contract with Microsoft. Customers are advised to contact their relative Microsoft TAM, in order to obtain a relevant patch.
Microsoft has released a security update (MS04-007) to address this issue in affected versions of Microsoft Windows. Users are strongly advised to obtain fixes as soon as possible.
Avaya has released an advisory to address this and another issue. Please see the advisory at the following location for more information:
http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=159748&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Professional SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows 2000 Server SP3
Solution:
It has been alleged that an official patch to address this issue in Microsoft Windows 98 systems is available to customers who possess a current support contract with Microsoft. Customers are advised to contact their relative Microsoft TAM, in order to obtain a relevant patch.
Microsoft has released a security update (MS04-007) to address this issue in affected versions of Microsoft Windows. Users are strongly advised to obtain fixes as soon as possible.
Avaya has released an advisory to address this and another issue. Please see the advisory at the following location for more information:
http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=159748&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
Microsoft Windows 2000 Server SP2
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Security Update for Windows NT Server 4.0: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8315430-90CD -4B20-8F54-58527932B588&displaylang=en
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
-
Microsoft Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1 -4B5F-958F-E178C3F61F7C&displaylang=en
Microsoft Windows NT Terminal Server 4.0 SP6
-
Microsoft Security Update for Windows NT Server Terminal Server Edition: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=D83B39D3-FF13 -4D0B-B406-A225AED0D659&displaylang=en
Microsoft Windows Server 2003 Standard Edition
-
Microsoft Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497 -42FF-90E7-283732B2E117&displaylang=en
Microsoft Windows XP Professional
-
Microsoft Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE -48E9-ACD0-1343D89CCBBA&displaylang=en
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
-
Microsoft Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1 -4B5F-958F-E178C3F61F7C&displaylang=en
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Security Update for Windows NT Workstation 4.0: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=92400199-B3D5 -4826-98D4-F134849F5249&displaylang=en
Microsoft Windows XP 64-bit Edition SP1
-
Microsoft Security Update for Windows XP 64-Bit Edition: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318 -4AD5-9C2C-0577118A1E68&displaylang=en
Microsoft Windows Server 2003 Datacenter Edition
-
Microsoft Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497 -42FF-90E7-283732B2E117&displaylang=en
Microsoft Windows 2000 Advanced Server SP4
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows 2000 Professional SP3
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows Server 2003 Enterprise Edition
-
Microsoft Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497 -42FF-90E7-283732B2E117&displaylang=en
Microsoft Windows 2000 Professional SP2
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows Server 2003 Web Edition
-
Microsoft Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497 -42FF-90E7-283732B2E117&displaylang=en
Microsoft Windows 2000 Advanced Server SP3
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
Microsoft Windows XP Home
-
Microsoft Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE -48E9-ACD0-1343D89CCBBA&displaylang=en
Microsoft Windows XP Home SP1
-
Microsoft Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE -48E9-ACD0-1343D89CCBBA&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003 SP1
-
Microsoft Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1 -4B5F-958F-E178C3F61F7C&displaylang=en
Microsoft Windows 2000 Server SP3
-
Microsoft Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2 -4797-A8C6-A2E663A53698&displaylang=en
References
Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability
References:
References:
- IIS ASN.1 Bit String SPNEGO exploit (CORE Security)
- Microsoft Security Bulletin MS04-007 (Microsoft)
- VU#216324 - Microsoft ASN.1 Library improperly decodes malformed ASN.1 length va (CERT/CC)
- ASN.1 vulnerability -is- on Win98 ("Joshua Levitsky"
) - EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption ("Marc Maiffret"
)