
Windows 2000 DCOM clients may leak passwords on the network



3rd Apr 2002 [SBWID-5235]
COMMAND

	Windows 2000 DCOM clients may leak passwords on the network

SYSTEMS AFFECTED

	Windows 2000 systems using DCOM, up to and including SP2

PROBLEM

	Todd Sabin of BindView [http://razor.bindview.com] reported:
	

	DCOM is done with extensions built on top of the normal DCE RPC
	mechanisms built into Windows. When a client wishes to make requests to
	a server, it first connects to the server. It then has to tell the
	server what RPC interface it wants to use. The first time it does this
	on a given connection, it does this by making a 'bind' request to the
	server. If the client wants to use additional interfaces with the same
	connection, it can do that by making an 'alter context' request to
	the server. Due to the nature of DCOM, clients usually make a
	significant number of alter context requests throughout their lifetime
	to talk to multiple DCOM interfaces on the server.

	The problem is that the 'alter context' calls, in addition to sending
	the proper request data, follow it with a large block of the client's
	memory space. The extra data is roughly 1000 bytes in size, and is
	normally ignored by the server, so it doesn't cause functionality
	problems most of the time. However, it does leak potentially sensitive
	information onto the network.

	The specific case which caused a password to be sent onto the network
	was this: On W2K SP1, start an empty mmc.exe. Add in a WMI Control
	snap-in. Configure it to connect to another computer, and use the 'Log
	on as' dialog to specify credentials. Then get the properties from the
	remote machine. This led, in our case, to the supplied password being
	leaked onto the network in plaintext. This didn't occur every time,
	but happened on several different occasions.

	DCOM traffic is not limited to any particular port, but is usually done
	over port 135 and dynamic ports from 1024 to 5000.
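
To see where such a leak would show up on the wire, here is an added Python example (not from the advisory or from BindView): it parses the 16-byte DCE RPC connection-oriented PDU header, takes the declared frag_length, and reports any bytes trailing an alter context PDU (ptype 14) in a captured TCP payload, together with the printable strings found in them. It assumes the appended client memory appears after the PDU's declared frag_length, and the sample payload is constructed.

```python
import struct

PTYPE_ALTER_CONTEXT = 14  # DCE RPC connection-oriented PDU type named in the advisory
HEADER_LEN = 16           # common header size for connection-oriented PDUs

def parse_co_header(payload: bytes) -> dict:
    """Parse the 16-byte common header of a connection-oriented DCE RPC PDU."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than a DCE RPC header")
    drep = payload[4:8]
    endian = "<" if drep[0] & 0x10 else ">"  # drep bit 4 set: little-endian integers
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", payload[8:16])
    return {"version": payload[0], "ptype": payload[2], "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}

def trailing_bytes(payload: bytes) -> bytes:
    """Bytes after the PDU as delimited by frag_length; a well-formed stream has none."""
    return payload[parse_co_header(payload)["frag_length"]:]

def printable_runs(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs in leaked memory, to judge whether it carried credentials."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def check_alter_context(payload: bytes) -> dict:
    """Flag an alter context PDU that is followed by unexpected trailing data."""
    hdr = parse_co_header(payload)
    is_ac = hdr["ptype"] == PTYPE_ALTER_CONTEXT
    extra = trailing_bytes(payload) if is_ac else b""
    return {"is_alter_context": is_ac, "extra_len": len(extra),
            "strings": printable_runs(extra)}

# Constructed sample: header (v5, alter_context, first+last frag flags, little-endian
# drep, frag_length 24, call_id 7), 8-byte body, then junk standing in for the
# ~1000 bytes of client memory the advisory describes.
_body = bytes(8)
_header = bytes([5, 0, PTYPE_ALTER_CONTEXT, 0x03, 0x10, 0, 0, 0]) + \
    struct.pack("<HHI", HEADER_LEN + len(_body), 0, 7)
SAMPLE = _header + _body + b"\x00\x13\x88" + b"Passw0rd-constructed" + b"\x00\xff\x01"
```

Run over reassembled TCP payloads to port 135 and the dynamic range, any alter context PDU with a non-zero extra_len is a candidate for this leak and worth inspecting with printable_runs.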

SOLUTION

	Workarounds: Disable DCOM on all W2K machines.
	

	Patch:

	Discussion:
	http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

	The fix is included in the Windows 2000 SRP1:
	http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp

