W2000 DCOM Leak

Discussion in 'other security issues & news' started by Paul Wilders, Apr 6, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Summary

    Due to a flaw in Windows 2000's DCOM layer, arbitrary parts of a DCOM client's memory may be sent onto the network in plaintext. The data may be anything from relatively harmless information like the process's environment block, to very sensitive information including passwords.


    Details

    Affected Systems:
    * Windows 2000 systems using DCOM, up to and including SP2

    Impact:
    Windows 2000 systems using DCOM are at risk of leaking information. The exact ramifications depend on the characteristics of the individual DCOM programs.

    Details:
    DCOM is done with extensions built on top of the normal DCE RPC mechanisms built into Windows. When a client wishes to make requests to a server, it first connects to the server. It then has to tell the server what RPC interface it wants to use. The first time it does this on a given connection, it does this by making a 'bind' request to the server. If the client wants to use additional interfaces with the same connection, it can do that by making an 'alter context' request to the server. Due to the nature of DCOM, clients usually make a significant number of alter context requests throughout their lifetime to talk to multiple DCOM interfaces on the server.

    The problem is that the 'alter context' calls, in addition to sending the proper request data, follow it with a large block of the client's memory space. The extra data is roughly 1000 bytes in size, and is normally ignored by the server, so it does not cause functionality problems most of the time. However, it does leak potentially sensitive information onto the network.

    The specific case that caused a password to be sent onto the network was this: On W2K SP1, start an empty mmc.exe. Add in a WMI Control snap-in. Configure it to connect to another computer, and use the 'Log on as' dialog to specify credentials. Then get the properties from the remote machine. This led, in our case, to the supplied password being leaked onto the network in plaintext. This did not occur every time, but happened on several different occasions.

    DCOM traffic is not limited to any particular port, but is usually done over ports 135 and dynamic ports from 1024 to 5000.

    Vendor Response:
    Microsoft has been informed of this issue, and has a fix for it, but they did not feel the risk is significant enough to warrant releasing a Hotfix. Their knowledge base article can be found at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

    The fix is included in the Windows 2000 SRP1.

    Workarounds:
    * Disable DCOM on all W2K machines.

    Recommendations:
    If you make significant use of DCOM on Windows 2000, obtain SRP1 from Microsoft, and deploy it.


    Additional information

    References: Knowledge base article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367
    W2K Security Rollup Patch 1: www.microsoft.com/windows2000/downloads/critical/q311401/default.asp

    -------

    source: securiteam.com
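
    As an added illustration of the 'alter context' leak described in the advisory above (this is not part of the advisory or of this thread), the Python below parses a DCE RPC alter_context PDU, works out how many bytes its header and presentation-context list account for, and reports any excess that a capture tool or IDS rule could flag. The byte layout follows the DCE RPC connection-oriented PDU format; the sample PDUs are constructed here, the interface UUIDs are placeholders, and the auth trailer is modelled only as 8 bytes plus auth_length (no alignment padding).

```python
import struct

HDR_LEN = 16              # connection-oriented DCE RPC common header
PTYPE_ALTER_CONTEXT = 14  # ptype of an alter_context request
SYNTAX_ID_LEN = 20        # 16-byte interface UUID + 4-byte version


def alter_context_excess(pdu: bytes) -> int:
    """Bytes in an alter_context PDU beyond what its header and context list
    account for (0 for a tidy PDU). Raises ValueError if not alter_context."""
    if len(pdu) < HDR_LEN + 12 or pdu[2] != PTYPE_ALTER_CONTEXT:
        raise ValueError("not an alter_context PDU")
    endian = "<" if pdu[4] & 0x10 else ">"  # drep byte 0, bit 4: little-endian integers
    frag_length, auth_length = struct.unpack(endian + "HH", pdu[8:12])
    # body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4) n_context_elem(1) pad(3)
    n_ctx = pdu[HDR_LEN + 8]
    off = HDR_LEN + 12
    for _ in range(n_ctx):
        # element: p_cont_id(2) n_transfer_syn(1) reserved(1) abstract_syntax transfer_syntaxes
        n_transfer = pdu[off + 2]
        off += 4 + SYNTAX_ID_LEN * (1 + n_transfer)
    if auth_length:
        off += 8 + auth_length  # sec_trailer header + auth_value (assumes no alignment padding)
    # Compare against the larger of the declared fragment and what actually arrived on the wire.
    return max(frag_length, len(pdu)) - off


def build_alter_context(n_transfer: int = 1, trailing: bytes = b"") -> bytes:
    """Constructed sample alter_context PDU (little-endian, one context element).
    UUIDs are placeholders, not real interface identifiers; `trailing` stands in
    for the block of client memory the advisory says follows the request."""
    abstract = b"\x11" * 16 + struct.pack("<I", 0)
    transfer = (b"\x22" * 16 + struct.pack("<I", 2)) * n_transfer
    body = struct.pack("<HHIBxxx", 5840, 5840, 0, 1)
    body += struct.pack("<HBx", 0, n_transfer) + abstract + transfer
    total = HDR_LEN + len(body) + len(trailing)
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_ALTER_CONTEXT, 0x03, 0x10, total, 0, 1)
    return hdr + body + trailing


def flag_leaky(pdus, threshold: int = 64):
    """Indices of alter_context PDUs carrying more than `threshold` unexplained bytes."""
    return [i for i, p in enumerate(pdus) if alter_context_excess(p) > threshold]


if __name__ == "__main__":
    clean = build_alter_context()
    leaky = build_alter_context(trailing=b"\x00" * 1000)  # about the ~1000 bytes reported
    print(alter_context_excess(clean), alter_context_excess(leaky), flag_leaky([clean, leaky]))
```

    Run against real captures, a threshold of a few dozen bytes separates ordinary alignment padding from the roughly 1000-byte trailer the advisory describes.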
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    It has always been my understanding that if you disable DCOM on Win2K, there is a good chance your machine won't even boot up anymore.
    Does anybody have any better understanding of whether you can disable DCOM or not?
     
  3. Checkout;

    Checkout; Guest

    Yes. Disable W2k on all DCOM machines.
     
  4. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I've lost track of the MS technology SOAP. Almost all Windows 2000 services depend on the Remote Procedure Call (RPC) service. This one you can't disable. AFAIU DCOM requires RPC, but you can disable DCOM. For more information see http://accs-net.com/smallfish/dcom.htm and http://www.microsoft.com/Com/wpaper/dcomfw.asp
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Well I killed DCOM in the registry and am still going.
    Still have port 135 open though. Can't kill svchost and that holds port 135 open.
     
  6. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Port 135 is used by RPC and AFAIK can't be disabled. You need to block this port in your firewall.
     