Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as they seem to be a common class of bug, owing to the difficulty of correctly parsing nested binary structures like ASN.1.
By my count, 18 or so security updates have been issued in the last two years relating to ASN.1 parsing:
Squid Web Proxy Cache Remote Denial of Service Vulnerability: http://www.idefense.com/application/poi/display?id=152
Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products: http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0699
MIT krb5: Multiple vulnerabilities (heap overrun): http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0644
MIT krb5: Multiple vulnerabilities (double-free): http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0642
Vulnerability in libtasn1 related to DER parsing: http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0401
Double-free vulnerability in the ASN.1 library in Windows: http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0123
Multiple integer overflows in Microsoft ASN.1 library: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0818
OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0851
Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0565
Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0564
Double-free vulnerability in OpenSSL 0.9.7: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0545
OpenSSL 0.9.6 and 0.9.7 do not properly track the number of characters in certain ASN.1 inputs: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0544
Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0543
The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value: http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0430
Integer signedness error in MIT Kerberos V5 ASN.1 decoder: http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0036
The ASN.1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service: http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0659
The ASN.1 parser in Ethereal 0.9.2 and earlier allows remote attackers to cause a denial of service: http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0353
Vulnerabilities in the SNMPv1 request handling: http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013
So what the heck is ASN.1? It's a standard way, defined in X.680, to describe complex binary data. I know purists will hate me for saying this, but think of binary XML. You describe the data format in ASN.1 notation, and then an ASN.1 compiler generates .C[PP] and .H[PP] files that you compile and link into your code. Voila!
For example, the following ASN.1 snippet:
    Stuff DEFINITIONS ::=
    BEGIN
        PersonnelRecord ::= SEQUENCE {
            name          Name,
            title         OCTET STRING,
            number        EmployeeNumber,
            dateOfHire    Date,
            nameOfSpouse  Name
        }

        Name ::= SEQUENCE {
            givenName   OCTET STRING,
            initial     OCTET STRING,
            familyName  OCTET STRING
        }

        EmployeeNumber ::= INTEGER
        Date ::= OCTET STRING -- YYYYMMDD
    END
might produce the following header file:
    #include "asn_obj.h"
    #include "stuff.h"

    class Name : public AsnSequence {
    public:
        AsnOctetString givenName;
        AsnOctetString initial;
        AsnOctetString familyName;
        Name();
    };

    typedef AsnInteger     EmployeeNumber;
    typedef AsnOctetString Date;

    class PersonnelRecord : public AsnSequence {
    public:
        Name           name;
        AsnOctetString title;
        AsnInteger     number;
        AsnOctetString dateOfHire;
        Name           nameOfSpouse;
        PersonnelRecord();
    };

    PersonnelRecord::PersonnelRecord() { ... }
    Name::Name() { ... }
The problem is that if the library which decodes (cracks) the ASN.1 data has parsing bugs, you may have security issues. The real worry is that many network and security protocols use ASN.1, such as X.509 certificates (and therefore SSL/TLS), Kerberos, SNMP, S/MIME, IPSec and so on.
The real lesson is this: code review your ASN.1 parsing code, or library, for integer overflow and buffer overrun issues. Or you may be next!
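To make the review concrete, here is an added example (my own code, not Squid's, OpenSSL's or any ASN.1 compiler's output) of the part of a decoder where the bugs in the list above tend to live: reading a DER tag/length header and walking the nested structure. The three checks that matter are that a claimed length never reaches past the buffer, that multi-byte lengths are rejected before they can wrap a size_t, and that nesting depth is bounded so a run of SEQUENCE headers cannot recurse without limit. The sample buffers are constructed by hand for this example; the first one encodes a cut-down PersonnelRecord in the spirit of the ASN.1 module above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum der_status { DER_OK = 0, DER_TRUNCATED, DER_BAD_LENGTH, DER_UNSUPPORTED_TAG, DER_TOO_DEEP };

/* One decoded tag/length header. content_len bytes follow the header. */
struct der_tlv {
    uint8_t tag;
    size_t header_len;
    size_t content_len;
};

/* Decode a DER header from buf[0..len). Every arithmetic step is checked
 * against the bytes actually present, so a crafted length can neither point
 * past the buffer (overrun) nor wrap around during the computation. */
enum der_status der_read_header(const uint8_t *buf, size_t len, struct der_tlv *out)
{
    size_t pos = 0;
    if (len < 2) return DER_TRUNCATED;                   /* tag + at least one length byte */
    out->tag = buf[pos++];
    if ((out->tag & 0x1f) == 0x1f) return DER_UNSUPPORTED_TAG; /* high tag numbers: not handled here */

    uint8_t first = buf[pos++];
    if (first == 0x80) return DER_BAD_LENGTH;            /* indefinite length is BER, not DER */
    if (first < 0x80) {
        out->content_len = first;                         /* short form */
    } else {
        size_t nbytes = first & 0x7f;
        /* More length octets than size_t can hold: reject rather than wrap. */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return DER_BAD_LENGTH;
        if (len - pos < nbytes) return DER_TRUNCATED;
        if (buf[pos] == 0x00) return DER_BAD_LENGTH;      /* leading zero: non-minimal encoding */
        size_t v = 0;
        for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[pos++];
        if (v < 0x80) return DER_BAD_LENGTH;              /* should have used the short form */
        out->content_len = v;
    }
    out->header_len = pos;
    /* The decisive check, written as a subtraction that cannot underflow. */
    if (out->content_len > len - pos) return DER_TRUNCATED;
    return DER_OK;
}

#define DER_MAX_DEPTH 32

/* Walk a DER tree and count its elements, recursing into constructed types.
 * Returns -1 on any malformed header or when nesting exceeds DER_MAX_DEPTH
 * (the "crash via large recursion" class of bug from the list above). */
long der_count_elements(const uint8_t *buf, size_t len, unsigned depth)
{
    long count = 0;
    size_t pos = 0;
    if (depth > DER_MAX_DEPTH) return -1;
    while (pos < len) {
        struct der_tlv h;
        if (der_read_header(buf + pos, len - pos, &h) != DER_OK) return -1;
        count++;
        if (h.tag & 0x20) {                               /* constructed: descend into the content */
            long inner = der_count_elements(buf + pos + h.header_len, h.content_len, depth + 1);
            if (inner < 0) return -1;
            count += inner;
        }
        pos += h.header_len + h.content_len;              /* safe: both were bounded by len - pos */
    }
    return count;
}

/* Constructed sample: SEQUENCE { SEQUENCE { "Jo", "A", "Doe" }, "Dev", INTEGER 51 }. */
const uint8_t SAMPLE_RECORD[] = {
    0x30, 0x16,
      0x30, 0x0c, 0x04, 0x02, 'J', 'o', 0x04, 0x01, 'A', 0x04, 0x03, 'D', 'o', 'e',
      0x04, 0x03, 'D', 'e', 'v',
      0x02, 0x01, 0x33
};
/* Constructed sample: outer length claims 127 bytes but only 3 follow. */
const uint8_t SAMPLE_TRUNCATED[] = { 0x30, 0x7f, 0x04, 0x01, 'A' };
/* Constructed sample: 4-byte length 0xffffffff. A naive 32-bit "pos + length"
 * would wrap to a small value that lands inside the buffer. */
const uint8_t SAMPLE_HUGE_LENGTH[] = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x05, 0x00 };

/* Build `levels` nested SEQUENCEs around a NULL (constructed input, levels <= 63)
 * and count its elements; used to exercise the depth limit. */
long count_nested(unsigned levels)
{
    uint8_t buf[128];
    size_t pos = 0;
    if (levels > 63) return -1;
    for (unsigned k = levels; k >= 1; k--) { buf[pos++] = 0x30; buf[pos++] = (uint8_t)(2 * k); }
    buf[pos++] = 0x05; buf[pos++] = 0x00;
    return der_count_elements(buf, pos, 0);
}

int main(void)
{
    printf("record: %ld elements\n", der_count_elements(SAMPLE_RECORD, sizeof SAMPLE_RECORD, 0));
    printf("truncated: %ld\n", der_count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0));
    printf("huge length: %ld\n", der_count_elements(SAMPLE_HUGE_LENGTH, sizeof SAMPLE_HUGE_LENGTH, 0));
    printf("nested 10: %ld, nested 40: %ld\n", count_nested(10), count_nested(40));
    return 0;
}
```

The pattern to look for in review is the reverse of what this code does: `if (pos + length > len)` instead of `if (length > len - pos)`, a length accumulated into an int, or a recursive descent with no depth counter. Each of those is one of the bug classes in the advisories listed above.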