[Full-Disclosure] NTBUGTRAQ on DCOM

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 08/02/03

    To: full-disclosure@lists.netsys.com
    Date: Sat, 02 Aug 2003 10:25:11 -0500
    
    

    This was just posted on NTBUGTRAQ. Looks like SMS *is* affected if you
    shut off DCOM.

                 ---Begin NTBUGTRAQ post---

    So I have been running around recommending that everyone get DCOM disabled.
    My reasoning is that while the patch addresses the LSD vulnerability, it
    doesn't handle the XFocus DoS and who knows what else is left undiscovered.
    LSD's vulnerability was in there for 6 years unnoticed, despite the fact
    that numerous people have looked closely at the interface.

    Unfortunately, like the problem we discovered with the MSDE issue, we have
    no list of things which break when DCOM is disabled. There are certainly
    some/many custom developed applications that use DCOM, at least you'd come
    away with that impression if you look at Microsoft's site or search Google.
    While they may be extremely important, I'm not really looking for that list.

    What I'm looking for are things that are either built into the OS, an MS
    Server, or are very widely deployed. I'm only interested in something which
    doesn't work after you've disabled DCOM according to;

    http://support.microsoft.com/default.aspx?scid=kb;en-us;825750

    I plan on putting this into a web page which I'll call;

    http://www.ntbugtraq.com/dcomfaq.asp

    What follows is what I've been able to gather so far;

    1. Microsoft provides a wonderfully vague warning, in KB 825750;

    Warning, if you disable DCOM, you may lose operating system
    functionality. After you disable support for DCOM, the following may result:

    - Any COM objects that can be activated remotely may not function correctly.
    - The local COM+ snap-in will not be able to connect to remote servers to
    enumerate their COM+ catalog.
    - Certificate auto-enrollment may not function correctly.
    - Windows Management Instrumentation (WMI) queries against remote servers
    may not function correctly.

    There are potentially many built-in components and 3rd party applications
    that will be affected if you disable DCOM. Microsoft does not recommend
    that you disable DCOM in your environment until you have tested to discover
    what applications are affected. Disabling DCOM may not be workable in all
    environments.

    2. Products that use DCOM;

    - Microsoft Access Workflow Designer
    - FrontPage with Visual Source Safe on IIS
    - BizTalk Server schedule client
    - Excel uses DCOM if it includes an RTD statement
    - SMS uses DCOM to get the hardware inventory off a client
    - Win95 needs Client for Microsoft Networks or DCOM to work with MS SNA
    Server

    3. Luckily, Microsoft has provided special keywords for COM and DCOM in
    their Knowledgebase to make it easier to search for such articles,
    http://support.microsoft.com/default.aspx?scid=kb;en-us;249726 There are 40
    different keywords! They think that makes it easier??

    Cheers,
    Russ - NTBugtraq Editor

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

