Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
To: "Daniel H. Renner" <firstname.lastname@example.org> Date: Wed, 13 Oct 2004 15:42:07 -0400
Daniel H. Renner wrote:
>Could you please point out where you read this data? I would like to
>see this one...
I seem to remember that this was one of the caveats with regard to
MSBlast and RPC/DCOM vulnerabilities last year.
In certain configurations, it was theoretically possible (I'd never
personally seen any PoC code or worms that exploited it, though) that
some RPC calls could be made via RPC over HTML. According to the
security bulletin for MS03-026, the service that provides RPC over HTML
is COM Internet Services (CIS).
From what I recall, it was discussed at the time as a potential
infection vector, though CIS is not installed by default on IIS
installs. There were, at the time, very few sites that utilized it.
Feel free to correct me if I'm wrong, though.
Please see the MS03-026 bulletin for some more points:
Go down to the "Frequently asked Questions" section, expand it, and look
at the section that discusses CIS for more information. I'm sure that
this will give you enough information to do some more searching for
further information on current versions of CIS and determining whether
Full-Disclosure - We believe in it.