Ok, I am a little freaked out by this one. The more I read about it (and so far, that isn’t a lot, but I’m still looking around), the more concerned I become.
This is for Microsoft Security Bulletin MS04-007, “ASN.1 Vulnerability Could Allow Code Execution (828028)”
First off, here is the Technet article on this, with links to get the patch:
http://tinyurl.com/24z6m
Ok, when you read this, it is listed as a Critical problem, and all Windows NT kernel OS’s need to be patched now. The standard buzzwords — buffer overflow, security vulnerability, execute code with system privileges, etc — are all there. But, is it me, or does this one seem to be lacking in some of the detail that other articles have had. It is just a feeling here, that this new article is really glossing over the surface here.
Now, go to the eEye site, the very smart guys who found it, and you can read their 2 advisories on this:
http://www.eeye.com/html/
I have had personal dealings with a couple of the guys at the eEye, and I know they know their stuff! You can read some of the code syntax to perform this exploit. I personally think they may have provided TOO much information!
Anyway, then there is the Bugtraq thread on this:
http://tinyurl.com/3b73s
The 2nd post by Marc Maiffret, the Chief Hacking Officer from the eEye, states the following:
“For example we setup a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos. We also
have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on… How about evil ASN SSL CERTs? Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.”
How did they compromise an IPSec-secured network with this??
Am I overly worried here, or is this one potentially destructive? Read up on this. I think this is gonna be bad.