ASN.1 Windows Vulnerability Released

By Joseph Moore
Ok, I am a little freaked out by this one. The more I read about it (and so far, that isn't a lot, but I'm still looking around), the more concerned I become.

This is for Microsoft Security Bulletin MS04-007, "ASN.1 Vulnerability Could Allow Code Execution (828028)"

First off, here is the Technet article on this, with links to get the patch:
http://tinyurl.com/24z6m

Ok, when you read this, it is listed as a Critical problem, and all Windows NT kernel OSes need to be patched now. The standard buzzwords -- buffer overflow, security vulnerability, execute code with system privileges, etc -- are all there. But, is it me, or does this one seem to be lacking in some of the detail that other articles have had? It is just a feeling here, that this new article is really glossing over the surface here.

Now, go to the eEye site, the very smart guys who found it, and you can read their 2 advisories on this:
http://www.eeye.com/html/

I have had personal dealings with a couple of the guys at the eEye, and I know they know their stuff! You can read some of the code syntax to perform this exploit. I personally think they may have provided TOO much information!

Anyway, then there is the Bugtraq thread on this:
http://tinyurl.com/3b73s

The 2nd post by Marc Maiffret, the Chief Hacking Officer from the eEye, states the following:
"For example we setup a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos. We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs? Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for."

How did they compromise an IPSec-secured network with this??

Am I overly worried here, or is this one potentially destructive? Read up on this. I think this is gonna be bad.

My analysis of MSASN1.DLL

by Joseph Moore In reply to ASN.1 Windows Vulnerabili ...

So, I just spent the past couple of hours experimenting with this. I've been running FILEMON, the file process usage utility from Sysinternals. This tool tells you what files are accessed by other files. Very useful little tool to have. You can see exactly what files are accessed by applications, including DLLs.

I started up my XP Pro laptop, and started monitoring it with FILEMON. I ran a filter, just looking for MSASN1.DLL, which is the file with the problem that the eEye exploited for this.

And boy howdy! Here is what I found.

In the Microsoft and eEye articles on this, they state that Internet Explorer, Outlook, and Outlook Express all call this file, so they could, in theory, all be used as attack vectors. From my own testing, this is true. When you start up those programs, they ALL call MSASN1.DLL.

So, if a virus was sent via e-mail, then it could trigger this exploit. I can see that.

For example, I had IE open, then I opened a 2nd instance of IE, and the MSASN1.DLL file was called again. It looks like if multiple instances of IE are opened, then this file gets called multiple times.

Therefore, could someone make one of those "malformed URLs" to trigger this? Click the link on a webpage, and WHAMMO!!!???

MSN Messenger called the file when I started it; actually, when OE opened, it started MSN Messenger (msmsgs.exe), which called the DLL. I did not chat with anyone to see if the file was called again after start, so I don't know if MSN Messenger uses it after you start it. But it did call it.

Our friend, SVCHOST.EXE, called the file a lot! This explains the port 139 and 445 references in the eEye notices. I was not able to test inbound port 139/445 functionality, though. But, since the Windows File and Print Sharing is run by SVCHOST, that is probably why the eEye listed it. Also, other apps that use SVCHOST.EXE only listed the SVCHOST calling the DLL file, like MMC snap-ins. So, the snap-ins did not register a hit for themselves, just in SVCHOST.

I wonder, therefore, if RPC (port 135) could also be vulnerable, but I didn't try and test that functionality.

Other stuff I found that I have not seen listed anywhere so far:

WMIPRVSE.EXE called the file. This file is used by XP and Win2K3 to handle the WMI functionality (Windows Management Instrumentation, I believe). I ran into this one just by running TASKLIST.EXE, which uses WMI to work. It would be interesting to see on a Win2K box (which runs all WMI processes under the WINMGMT.EXE process only; XP now breaks them out into the 2 processes). So, since TASKLIST, which is a WMI process, caused WMIPRVSE.EXE to call the DLL, then I guess other WMI processes/functions would do the same on XP and Win2K3. This worries me. What if the virus was in WMI script, and transmitted and run on a target system? WMI script can be run against remote machines that support WMI! So, you would not need to have the virus file physically on the machine. It could be a Blaster-type virus/worm then that used WMI to infect and propagate!

Also, when I ran .VBS scripts, my XP machine is set to run them under CSCRIPT.EXE, the default VB interpreter. Yes, CSCRIPT.EXE called the DLL. So, a .VBS file could also cause this exploit to happen (if they use CSCRIPT.EXE to run under), and VBS files can also be run against remote targets.

The Bliss screensaver for XP, which you can get from the Microsoft website, called the file (BLISS.SCR). Really! A screen saver file! This was the only one I had that did that.

One that tripped me out was IPCONFIG.EXE! Yep! Do an IPCONFIG, and it will actually call this DLL file! Why, I don't want to figure out why, but it did every time for me.

Now, a few non-Windows apps. First, there was Real One Player! One of its processes is "realsched.exe" which is the process that can always run and give you those annoying popups every once in a while when there is a new news notice from the Real company. You know, those obnoxious little popup windows that say to upgrade Real One to a new version, or there is some new content for the Real One Player. Well, "realsched.exe" calls "realevent.exe", which calls this DLL. So, if Real One Player loads, these two EXE files are loaded, which calls the DLL. So, it seems then that if someone sent a file that caused Real One Player to load, it could trigger this exploit!

Symantec Antivirus Corporate Edition 8.0 client did not call the DLL, but when I opened the Symantec LiveUpdate applet in the Control Panel, that did call it (from LUCOMS~1.exe). So, LiveUpdate needs the DLL, and I guess could, in some way, help spread the exploit. I have the latest LiveUpdate installed (Symantec just updated it in January 2004).

And one that might not be anything to worry about is ZoneAlarm. My copy of ZA had a single hit for the DLL. The info column reads "FileBothDirectoryInformation: MSASN1.DLL" for ZAPRO.EXE, which is ZoneAlarm. Now, I am not sure if the DLL tried to access the Internet, and ZA recorded just this one file access, or what exactly. I did not see any other ZA hits for the file, but I only ran ZA for about 5 minutes. So, I am not sure if this is important or not. Interesting, though.

Lastly, Ad-aware hit the DLL file when I did a system scan, but I think it was only CHECKING the file to see if it had been replaced by a spyware file.

So, that is all I found. Some things I tried that did not call the DLL file surprised me. I could not get IE to hit the DLL file when I went to SSL-secured web pages. Windows Media Player (with protected content .WMV files) did not call it, nor did Winamp5. No Office 2000 products (other than Outlook) triggered the DLL. Quicktime player was safe. Lotus Notes client did not call the DLL. Quicken 2002 was good! Citrix ICA client was clean.

Now, this is by no means any type of scientific list. I just ran FILEMON for a couple of hours and opened everything I could think of, and just read through the file list. Other people should look into this, and see what they get. There are a lot of programs out there that I don't have, that others do, and we should see what calls this file and what doesn't.

I did all this tonight, because I am really worried about this. The notices said that if something calls MSASN1.DLL, then it can be used to exploit MSASN1.DLL with a buffer overflow, which could then let the attacker do whatever they want (ala Blaster). But with this one, there isn't just one port that could be attacked. Multiple ways of doing this, with multiple applications that can be attacked. Different scripting types. The articles do mention that SSL can be used to attack (in theory).

To me, this one seems to be worse IN THEORY than Blaster's attack.

I am testing the patch out on a few machines Wednesday, just to make sure it is a good patch. I plan on getting my DMZ machines on with the patch on Friday, then other machines the following week. It will probably take a while before the virus/worm is released to attack this one. Blaster took 3 weeks to hit, from patch release to virus release. I am hoping for a similar timeframe on this.

Just wanted to post this to let everyone know. It's past 1AM now. Time to call it a day.

One last thing: I am not a programmer. Keep this in mind. But I like to think I know a few things on how Windows works!
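
A present-day way to repeat the inventory described in this post, added here as an example and not part of the original thread: it lists the running processes that currently have msasn1.dll mapped as a loaded module, with the path and file version each one loaded. That is a narrower signal than a file-access trace, which also records programs that merely open or query the file. It assumes PowerShell 3.0 or later, run elevated on the machine being checked.

```powershell
# Added example (not from the thread): which running processes have msasn1.dll loaded?
# Run elevated; processes that cannot be opened are counted rather than aborting the scan.
$dllName = 'msasn1.dll'
$denied  = 0

$hits = foreach ($proc in Get-Process) {
    try {
        # -ErrorAction Stop turns "access denied" / "process exited" into a catchable error
        $mods = Get-Process -Id $proc.Id -Module -ErrorAction Stop |
                Where-Object { $_.ModuleName -ieq $dllName }
    } catch {
        $denied++
        continue
    }
    foreach ($m in $mods) {
        [pscustomobject]@{
            Process     = $proc.ProcessName
            PID         = $proc.Id
            Path        = $m.FileName
            FileVersion = $m.FileVersionInfo.FileVersion
        }
    }
}

# Per-process view: the exposure list to work through when scheduling the patch
$hits | Sort-Object Process, PID | Format-Table -AutoSize

# Per-file view: more than one row means different copies or versions are loaded side by side
$hits | Group-Object Path, FileVersion |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "$denied process(es) could not be inspected (access denied or already exited)."
```

Running it before and after patching, and comparing the FileVersion column, shows whether long-running processes are still holding the old copy and need a restart.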

Real One Player probably not that bad

by Joseph Moore In reply to My analysis of MSASN1.DLL

Ok, I thought about this last night (didn't sleep well, due to this new problem), and I realized that Real One Player is probably safe. Since REALPLAY.EXE is the application that is launched when you start Real One Player, and that exe calls REALSCHED.EXE, which then calls REALEVENT.EXE (which is the app that calls the DLL with the problem), then I really don't think a "malformed" Real Audio file could trigger an exploit. I was afraid a .RAM file could pass the buffer overflow to REALEVENT.EXE (which would send it to the DLL, which would trigger the exploit), but I don't think that is possible.
Since there is no direct link to REALEVENT.EXE from REALPLAY.EXE, how could a bad .RAM file exploit this? I can't see how.
Am I visualizing this incorrectly, or what? What do you all think?

Here is what I have:

by voldar In reply to My analysis of MSASN1.DLL

Although I found this .dll in two places under a W2K Pro system, and in one place under W2K Server system, when I tried to make the same thing you did (use filemon.exe and then check for this specified dll using filters) guess what? IE did not use this dll, nor Outlook Express or Outlook.
Strange, or ... what?
I have Service Pack 4 installed, and I don't have the last updates. Anyway, I will check further.

About Ad-Aware

by voldar In reply to Here is what I have:

I think you are right, after starting Ad-Aware I found an entry record about this DLL, but I don't think it is more than you suspect. I have a "system8: IRP_MJ_CLOSE c:\winnt\servicepacks\i386\msasn1.dll" record. And that's all I have.

Back again :)

by voldar In reply to About Ad-Aware

I forgot to mention: I have service pack 4 on my W2K Pro machine. As the eEye states in his document about "Microsoft ASN.1 Library Length Overflow Heap Corruption", the W2K systems affected are SP3 and below.

Good Catch - see article

by Oldefar In reply to ASN.1 Windows Vulnerabili ...

Great information

by maxwell edison In reply to ASN.1 Windows Vulnerabili ...

This is some great information, Joseph. Thanks for posting it. You're always right on top of these Windows security issues.

By the way, it's interesting that there are so few replies to this. Perhaps if the title of the thread was, "George Bush Caused Windows Security Problem", it would generate more interest.

THE END OF THE WORLD!!!!!

by Joseph Moore In reply to Great information

Max, I was wondering about that, why the lack of notice on this.
I am worried about this one. I've seen a post by the guys from F-Secure, saying not to freak out on this. Well, sorry, but I specialize in freaking out!
I'm worried. Really.

Quick Fix

by GuruOfDos In reply to Great information

I looked for the dll and found 3 copies on my XP Pro system. Just for gag value, I renamed them all to msasn1.bak and guess what...

I rebooted the computer...and it made no difference!!! IE still works, OE still works, Office still works, Winamp, WMP and everything still works. No problems, no errors, no nothing!

So....rename it and no problems!! When Microsoft actually TELL us what the DLL is for, mebbe I'll rename it back again!
