On Sunday, June 30, 2002, at 03:50 PM, [EMAIL PROTECTED] wrote:
> The article at
>
> http://www.washingtonpost.com/wp-dyn/articles/A50765-2002Jun26.html
>
> seems to blame the ASN.1 specification language itself for the
> problem. Can anyone say more about what they are discussiong ?
At a guess this relates to some exploits found in a lot of SNMP
implementations as a result of some people constructing a test suite for
the protocol. This was widely discussed at the time the vulnerabilities
were published. See, for example:
http://www.counterpane.com/crypto-gram-0203.html#1
and the readers comments in the following issue. The original advisory
can be found at:
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
ASN.1 is no different to any other network protocol - it's possible
write a buggy, exploitable implementation using it. There may be
arguments for saying that the complexity of some of the encoding methods
makes it difficult a safe implementation or that other aspects of the
way people use ASN.1 can present risks but I don't recall anyone
identifying anything in particular about ASN.1 itself.
