Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Mico crashes when contected with wrong IOR / DoS
From: Karel Gardas <kgardas () objectsecurity com>
Date: Mon, 10 Jul 2006 14:56:14 +0200 (CEST)


I would just like to add some corrections to disclosure below.

On Thu, 6 Jul 2006, tuergeist wrote:

== == == TOC == == ==

1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details


== 1. Affected Vendor ==
  Object Security

This information is incorrect. ObjectSecurity is not the vendor of the MICO ORB. MICO is a free software project licensed under LGPL/GPL licenses. ObjectSecurity is its long time user and contributor besides lots of other companies and supporters.

== 2. Affected Products ==
  MICO - Mico is CORBA, Open Source ORB
  tested on Version
      and latest from repository
  more infos: http://www.mico.org

== 3. Vulnerability ==
  MICO crashes when contacted with wrong object key (part: orb-id or
  orb-creation time)

Side note: object ID is opaque value, so we do not distinguish any part of
it as orb-id or orb-creation time. Perhaps you get this knowledge from
other ORB, but this is strickly ORB dependent.

== 4. Safety Hazard ==
  critical, potential Denial-of-Service

== 5. Disclosure Timeline ==
  2006-06-27 Problem found and analysed / tested with other versions
  2006-06-29 Vulnerability reported to vendor and MICOs

Unfortunately your email has not come to mico-devel () mico org mailing list
yet. Also if you would like to contact directly ObjectSecurity with some
security issue, please consider using security () objectsecurity com email
address next time.

  2006-07-05 2nd mail to vendor and mailing-list
  2006-07-06 Full disclosure

== 6. Vendor Response ==

== 7. Patch / Workaround ==
  No Patch avaible yet.

Patch is already available and the main MICO download page contains a link to it: http://mico.org/down.html

  possible Workarounds
  a) Don't use MICO in or over public networks
  b) Protect MICO with an (IIOP) firewall

== 8. Vulnerability Details ==
  The following is for educational purposes only!

  Start the orb, you'll crash # Example code
  -> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
      $ ./server
  scan your target...
      $ sudo nmap -sS -oM results.nmap -p 1-65535 /
          | grep unknown
      8010/tcp  open  unknown
      49576/tcp open  unknown
      51140/tcp open  unknown

  One of these port could be the orb. Lets try to ping
  (object._non_exists()) the last one. For this I'm using a special
  handmade CORBA-Ping-Prog. It's also possible to use JacORBs pingo..
  My JPing is avaible at
      $ java JPing -p corbaloc::
    orb.string_to_object             ... ok
    object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
    vmcid: SUN  minor code: 208 completed: Maybe

Side note: if you test fixed MICO together with your ping utility
running on top of JacORB, you will get COMM_FAILURE exception
too. That's because of a bug in JacORB which tries to use GIOP 1.2
although your corbaloc is defined in the way it should use GIOP
1.0. Also since MICO uses GIOP 1.0 by default it closes connection
immediately after receiving JacORB's GIOP 1.2 message. Anyway this
test runs well with patched MICO and either MICO server using GIOP 1.2
and JacORB or MICO server using default GIOP 1.0 and JDK ORB.

Karel Gardas, Principal Software Engineer, ObjectSecurity Ltd.
St John's Innovation Centre, Cowley Rd., Cambridge CB4 0WS, UK
Tel. +44 1223 420252, Fax. +44 870 762 6041
USA: Tel.+1-800-898-9148, Fax +1-360-933-9591
kgardas () objectsecurity com, www.objectsecurity.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]