Re: [Full-Disclosure] Microsoft win2003server phone home

From: Mike Garegnani (headhoncho_at_subverter.net)
Date: 08/04/03

    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 4 Aug 2003 06:03:31 -0700
    
    

    ...totally disregarding the fact that the requests turned up 404s, this most
    definitely is a violation of privacy, but then again you have to take into
    account that every time you make any outbound connection on the internet, and
    of course vice-versa, that's a privacy issue. If this was one of the first
    things the OS did after installation then I don't see much reason for
    concern. All that was posted was a GUID, and not to mention it was a 404, so
    aside from your post showing up somewhere in a log it won't be used or even
    seen for that matter. But it certainly can be a security issue. Anything you
    don't have control over, or know about (you're lucky you caught this; it
    could have been worse) can potentially be used against you at some time.
    Kinda makes me wonder how Microsoft could hard-code something that isn't
    even there. But then again we're talking about Microsoft. There's always
    room for plain ol' stupidity. Are you sure you didn't load up or happen to
    come across something using Media Player (say, clicking on a media file in
    Explorer. There's that little doodad that shows up to the right of the
    listing that serves as a "preview")? Anyways... you're safe and sound. Your
    server is bound to save you millions or something like that. No worries.
    Did you even have it hooked up to a network? Don't bother answering, btw.
    ----- Original Message -----
    From: Gaurav Kumar
    To: gyrniff
    Cc: full-disclosure@lists.netsys.com
    Sent: Monday, August 04, 2003 4:38 PM
    Subject: Re: [Full-Disclosure] Microsoft win2003server phone home

     1. Is this behavior normal for a windows server installation ?
    I think that this behaviour is normal because if you analyse that session you
    will get to know that the server is trying to update something.

     2. Could this behavior be considered as a violation of privacy ?
    This is surely a case of violation of privacy as it is not mentioned in the
    agreement. Go ahead, sue Micro$oft.

     3. Could it be considered as a security risk to let a newly installed server
    request information from an arbitrary server that I have no control over ?
    Yes, it's a security risk because it is not even using PKI to establish the
    identity of the server.

    Gaurav Kumar

    Chief Information Security Analyst
    E2 Labs Information Security Pvt. Ltd.
    Hyderabad-34
    AP
    India

    Phone(s)-
    Mobile +91 40 31068650
    Tele/Fax +91 40 23555942 (ext-24)
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    ----- Original Message -----
    From: "gyrniff" <b240503@gyrniff.dk>
    To: <full-disclosure@lists.netsys.com>
    Sent: Monday, August 04, 2003 3:27 PM
    Subject: [Full-Disclosure] Microsoft win2003server phone home

    > After acquiring and installing a copy of 'Windows Server 2003 Standard Edition
    > 180-Day Evaluation' I walked through the 'role wizard', used the 'custom
    > role config' and selected everything ;-)
    > After reboot the server made two POST requests to Microsoft-controlled
    > webservers without any notification. One request to activex.microsoft.com
    > and one to codecs.microsoft.com; the data posted to the two servers was the
    > same. (See the requests and responses below.)
    >
    > I can find no information in the license agreement about giving away
    > 'information' behind my back.
    >
    > My question:
    > 1. Is this behavior normal for a windows server installation ?
    > 2. Could this behavior be considered as a violation of privacy ?
    > 3. Could it be considered as a security risk to let a newly installed server
    > request information from an arbitrary server that I have no control over ?
    >
    > ****
    >
    > Posted data to activex.microsoft.com:
    > POST /objects/ocget.dll HTTP/1.1
    > Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
    > application/octet-stream, application/x-setupscript, */*
    > Content-Type: application/x-www-form-urlencoded
    > Accept-Language: da
    > Accept-Encoding: gzip, deflate
    > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
    > 1.1.4322)
    > Host: activex.microsoft.com
    > Content-Length: 44
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    > CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
    >
    > The reply:
    > HTTP/1.1 404 Object Not Found
    > Server: Microsoft-IIS/5.0
    > Date: Sun, 03 Aug 2003 09:48:38 GMT
    > Connection: close
    > Content-Type: text/html
    > Content-Length: 102
    >
    > <html><head><title>Error</title></head><body>The system cannot find the file
    > specified. </body></html>
    >
    > ***
    >
    > Posted data to codecs.microsoft.com
    > POST /isapi/ocget.dll HTTP/1.1
    > Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
    > application/octet-stream, application/x-setupscript, */*
    > Content-Type: application/x-www-form-urlencoded
    > Accept-Language: da
    > Accept-Encoding: gzip, deflate
    > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
    > 1.1.4322)
    > Host: codecs.microsoft.com
    > Content-Length: 44
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    > CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
    >
    > And the reply:
    > HTTP/1.1 404 Not Found
    > Connection: close
    > Date: Sun, 03 Aug 2003 09:47:54 GMT
    > Server: Microsoft-IIS/6.0
    > P3P: policyref="http://www.microsoft.com/w3c/p3p.xml" CP="ALL IND DSP COR ADM
    > CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE
    > PUR UNI"
    > X-Powered-By: ASP.NET
    >
    >
    > /Gyrniff
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
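
Added example, not part of the thread or of any of the posters' own work: a small
Python audit of captured HTTP exchanges of the kind gyrniff posted. The two
request/response pairs quoted above are re-typed here as constructed sample input
(response bodies shortened where the capture was already truncated). The egress
allowlist (allowed_hosts) is an assumption, the kind of list an administrator keeps
of hosts a freshly built server is permitted to contact; the rest is derived from
the captured headers only. For each exchange it reports the host and path, what the
body actually carried (a bare CLSID, no user data), whether the client's Accept
header says it would take an executable (CAB or PE) in the reply, and the response
status, which on this page was 404 both times.

```python
"""Audit captured plaintext HTTP exchanges for unexpected outbound requests.

Added example, not code from the thread. The CAPTURES below are constructed
sample input re-typed from the two exchanges quoted in the original post.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample input: the two exchanges quoted in the thread, with CRLF
# line endings as they appear on the wire. The second response had no body.
_ACCEPT = ("Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, "
           "application/octet-stream, application/x-setupscript, */*\r\n")
_COMMON = ("Content-Type: application/x-www-form-urlencoded\r\n"
           "Accept-Language: da\r\nAccept-Encoding: gzip, deflate\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\r\n")
_BODY = "CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}"

CAPTURES: List[Tuple[str, str]] = [
    ("POST /objects/ocget.dll HTTP/1.1\r\n" + _ACCEPT + _COMMON
     + "Host: activex.microsoft.com\r\nContent-Length: 44\r\n"
     + "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" + _BODY,
     "HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
     "Connection: close\r\nContent-Type: text/html\r\nContent-Length: 102\r\n\r\n"
     "<html><head><title>Error</title></head><body>The system cannot find the "
     "file specified. </body></html>"),
    ("POST /isapi/ocget.dll HTTP/1.1\r\n" + _ACCEPT + _COMMON
     + "Host: codecs.microsoft.com\r\nContent-Length: 44\r\n"
     + "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" + _BODY,
     "HTTP/1.1 404 Not Found\r\nConnection: close\r\nServer: Microsoft-IIS/6.0\r\n"
     "X-Powered-By: ASP.NET\r\n\r\n"),
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# MIME types from the captured Accept header that denote installable code.
EXECUTABLE_TYPES = {"application/x-cabinet-win32-x86", "application/x-pe-win32-x86",
                    "application/x-setupscript"}


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]  # header names lower-cased
    body: str


def parse_http(raw: str) -> HttpMessage:
    """Minimal HTTP/1.x message parser: start line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


@dataclass
class Finding:
    host: str
    method: str
    path: str
    status: int
    clsids: List[str]
    accepts_executable: bool
    body_length_matches: bool
    allowed: bool
    notes: List[str]


def audit_exchange(req_raw: str, resp_raw: str, allowed_hosts: Set[str]) -> Finding:
    """Summarise one request/response pair against an assumed egress allowlist."""
    req, resp = parse_http(req_raw), parse_http(resp_raw)
    method, path, _version = req.start_line.split(" ", 2)
    host = req.headers.get("host", "").lower()
    status = int(resp.start_line.split(" ", 2)[1])
    clsids = [g.upper() for g in GUID_RE.findall(req.body)]
    accept = {t.strip() for t in req.headers.get("accept", "").split(",")}
    accepts_executable = bool(accept & EXECUTABLE_TYPES)
    declared = int(req.headers.get("content-length", "0"))
    body_ok = declared == len(req.body.encode())
    allowed = host in allowed_hosts
    notes: List[str] = []
    if not allowed:
        notes.append(f"{host} is not on the egress allowlist")
    if clsids:
        notes.append("body carries only a CLSID (component identifier): " + ", ".join(clsids))
    if accepts_executable:
        notes.append("client says it will accept an executable (CAB/PE) in the reply")
    if status >= 400:
        notes.append(f"server answered {status}: nothing was downloaded this time")
    else:
        notes.append(f"server answered {status}: inspect the returned body, it may be installable code")
    return Finding(host, method, path, status, clsids, accepts_executable, body_ok, allowed, notes)


def audit_all(captures: Iterable[Tuple[str, str]], allowed_hosts: Set[str]) -> List[Finding]:
    return [audit_exchange(q, r, allowed_hosts) for q, r in captures]


if __name__ == "__main__":
    for f in audit_all(CAPTURES, allowed_hosts=set()):
        print(f"{f.method} http://{f.host}{f.path} -> {f.status}")
        for n in f.notes:
            print("    ", n)
```

Run against the captures with an empty allowlist, both exchanges are flagged; with
activex.microsoft.com and codecs.microsoft.com on the list they pass the host check
but the audit still records that the client offered to accept a CAB or PE in return.
That is the point worth checking on a new build: not what was sent (a CLSID), but
what the client was prepared to receive, over plain HTTP, from whoever answers that
name.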

