Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 10/13/04

  • Next message: Mr. Rufus Faloofus: "Re: [SPAM] [Full-Disclosure] Nessus experience"
    To: "Daniel H. Renner" <dan@losangelescomputerhelp.com>
    Date: Wed, 13 Oct 2004 15:42:07 -0400
    
    

    Daniel H. Renner wrote:

    >Daniel,
    >
    >Could you please point out where you read this data? I would like to
    >see this one...
    >
    >

    I seem to remember that this was one of the caveats with regard to
    MSBlast and RPC/DCOM vulnerabilities last year.

    In certain configurations, it was theoretically possible (I'd never
    personally seen any PoC code or worms that exploited it, though) that
    some RPC calls could be made via RPC over HTML. According to the
    security bulletin for MS03-026, the service that provides RPC over HTML
    is COM Internet Services (CIS).

     From what I recall, it was discussed at the time as a potential
    infection vector, though CIS is not installed by default on IIS
    installs. There were, at the time, very few sites that utilized it.
    Feel free to correct me if I'm wrong, though.

    Please see the MS03-026 bulletin for some more points:

            http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

    Go down to the "Frequently asked Questions" section, expand it, and look
    at the section that discusses CIS for more information. I'm sure that
    this will give you enough information to do some more searching for
    further information on current versions of CIS and determining whether
    they're installed.

              -Barry

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Mr. Rufus Faloofus: "Re: [SPAM] [Full-Disclosure] Nessus experience"