J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability

Severity: CRITICAL

Description:

Microsoft Windows Abstract Syntax Notation 1 (ASN.1) handling Library (MSASN1.dll) is shipped as a part of the Microsoft Windows Operating System. The MSASN1 library provides an application programmer's interface into Microsoft ASN.1 encoding/decoding and processing functions.

Microsoft ASN.1 handling library has been reported prone to a heap corruption vulnerability. The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function. The issue manifests when the affected function attempts to process a constructed bit string that contain another nested constructed bit string.

Specifically, when the vulnerable function encounters the initial bit string, the length of the bit string is determined, and a chunk of memory is allocated to temporarily store the bit string. This chunk is mapped by 'bitbuf2->ptr'. The function 'realloc(bitbuf->ptr, 8)' is then called. Because the passed 'bitbuf->ptr' argument is NULL, a new chunk is allocated and mapped to 'bitbuf->ptr'. The bit string data is then copied from the 'bitbuf2->ptr' chunk to the 'bitbuf->ptr' chunk and the 'bitbuf2->ptr' chunk is freed.

The nested bit string is then encountered and the process begins again. Unfortunately, 'bitbuf->ptr' is not initialized and contains a pointer to freed memory at this point. The nested bit string is copied into an allocated chunk that is again mapped by 'bitbuf2->ptr'. The 'realloc(bitbuf->ptr, 8)' function is also again called, however, the 'bitbuf->ptr' contains a pointer to freed memory. This causes the 'NtReallocateHeap()' function to return its argument instead of an error and the software believes that a new chunk has been successfully allocated. In reality, because 'bitbuf->ptr' points to the start of a freed chunk of memory, the subsequent memory copy operation of the nested bit string data to the free chunk, corrupts the first eight bytes of the freed memory chunk with the nested bit string data.

This memory corruption may be further leveraged by an attacker to arbitrarily control execution flow of the affected library. Ultimately this may result in the execution of attacker-supplied code with SYSTEM privileges.

This vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications, which use the library, will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates such as Internet Explorer and Outlook. Handling of signed ActiveX components could also present an exposure.

It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.

Issues related to this vulnerability were originally covered in BID 9626 and 9743, further information has been made available which identifies that this is a distinct vulnerability in the library and so this specific issue has been assigned an individual BID.

** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available.

Affected Products:

  • AOL Instant Messenger 5.0.2938
  • AOL Instant Messenger 5.1.3036
  • AOL Instant Messenger 5.2.3292
  • AOL Instant Messenger 5.5.3415 Beta
  • Adobe Acrobat 5.0.0
  • Adobe Acrobat 5.0.5
  • Adobe Acrobat 6.0.0
  • Altova xmlspy Enterprise Edition 2004
  • Altova xmlspy Enterprise Edition 2004 R2
  • Altova xmlspy Home Edition 2004
  • Altova xmlspy Home Edition 2004 R2
  • Altova xmlspy Professional Edition 2004
  • Altova xmlspy Professional Edition 2004 R2
  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Intuit Quicken 2003
  • Intuit TurboTax 2003
  • JASC Software PaintShop Pro 5.0.0
  • JASC Software PaintShop Pro 5.0.0 1
  • JASC Software PaintShop Pro 5.0.0 3
  • JASC Software PaintShop Pro 6.0.0
  • JASC Software PaintShop Pro 6.0.0 1
  • JASC Software PaintShop Pro 6.0.0 2
  • JASC Software PaintShop Pro 7.0.0
  • JASC Software PaintShop Pro 7.0.0 1
  • JASC Software PaintShop Pro 7.0.0 2
  • JASC Software PaintShop Pro 7.0.0 4
  • JASC Software PaintShop Pro 8.0.0 0
  • JASC Software PaintShop Pro 8.0.0 1
  • JASC Software PaintShop Pro 8.10.0
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Terminal Services
  • Microsoft Windows 2000 Terminal Services SP1
  • Microsoft Windows 2000 Terminal Services SP2
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Musicmatch Inc. Musicmatch Jukebox 8.0.0
  • Musicmatch Inc. Musicmatch Jukebox 8.1.0
  • Musicmatch Inc. Musicmatch Jukebox 8.2.0
  • Van Dyke Technologies SecureCRT 4.0.1
  • Van Dyke Technologies SecureCRT 4.0.2
  • Van Dyke Technologies SecureCRT 4.0.3
  • Van Dyke Technologies SecureCRT 4.0.4
  • Van Dyke Technologies SecureCRT 4.0.5
  • Yahoo! Messenger 5.5.0
  • Yahoo! Messenger 5.5.0 .1249
  • Yahoo! Messenger 5.6.0
  • Yahoo! Messenger 5.6.0 .0.1347
  • Yahoo! Messenger 5.6.0 .0.1351
  • Yahoo! Messenger 5.6.0 .0.1355
  • Yahoo! Messenger 5.6.0 .0.1356
  • Yahoo! Messenger 5.6.0 .0.1358

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.