Re: middleware corba vulnerabilities:do they exist?

From: Raymond C. Parks (rcparksat_private)
Date: Fri Aug 08 2003 - 10:11:15 PDT


william fitzgerald wrote:
...
> I have been researching CORBA and CORBA security as a hobby recently. CORBA
> security seems to be solid from the OMG CORBA Security Services 1.8 manual (only
> got through half of that spec so far).
>
> Does CORBA have any security flaws that could be improved or are worth a research
> investigation?
>
> There must be ways to upset CORBA security services either intentionally or unintentionally.
> It seems to be heavily governed by policies. Is there a vulnerability here?
>
> What about other middleware technologies such as EJB? Are there security issues
> here?
>
> Or do security issues arise when using both EJB and CORBA together?
>
> Any information relating to CORBA security is welcomed. The OMG specification
> won't highlight any existing security exploits for obvious reasons.
    
I conducted some attacks on a CORBA server system in an exercise in
1999 (so the data is old), but I don't believe the basic problem has
been fixed.  The "application" involved serving outside clients with
large files and the ability to view them from the CORBA server.  The
outside clients were served through a stateful, proxying firewall using
SSL.  Inside clients were able to edit the large files.  Both clients
had an additional security step wherein they identified themselves via
pre-shared SSL keys to the CORBA server to access the large file
viewing/editing methods.

I used the Dynamic Invocation Interface (which was not protected) to
determine the methods served by the CORBA server.  This discovery
function is available in one form or another in all middleware (Java
RMI, DCOM, CORBA) and is a major help to an attacker.  I wrote IDL to match
the methods, compiled that into a new set of methods and then wrote a
new CORBA server application of my own that duplicated the interfaces.
My server simply used the same methods to access the real server.  From
there it was a simple DNS spoof to step in between a client and the real
CORBA server.

Middleware weaknesses lie in the need to advertise, find, broker, and
trade services, as well as the fact that they depend upon the network
infrastructure to be trustworthy.  In addition, CORBA applications
written in C or C++ are subject to standard coding error
vulnerabilities.  Another thing to look for in a middleware
implementation is any sort of remote program invocation.  This can be
done very insecurely.

--
Ray Parks                   rcparksat_private
IDART Project Lead          Voice:505-844-4024
IORTA Department            Fax:505-844-9641
http://www.sandia.gov/idart Pager:800-690-5288

This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 15:05:49 PDT