[NT] Windows 2000 DCOM Clients May Leak Sensitive Information onto the Network

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 6 Apr 2002 13:15:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Windows 2000 DCOM Clients May Leak Sensitive Information onto the Network
------------------------------------------------------------------------

SUMMARY

Due to a flaw in Windows 2000's DCOM layer, arbitrary parts of a DCOM
client's memory may be sent onto the network in plaintext. The data may be
anything from relatively harmless information like the process's
environment block, to very sensitive information including passwords.

DETAILS

Affected Systems:
 * Windows 2000 systems using DCOM, up to and including SP2

Impact:
Windows 2000 systems using DCOM are at risk of leaking information. The
exact ramifications depend on the characteristics of the individual DCOM
programs.

Details:
DCOM is implemented as extensions built on top of the normal DCE RPC
mechanisms built into Windows. When a client wishes to make requests to a
server, it first connects to the server. It then has to tell the server
which RPC interface it wants to use. The first time it does this on a given
connection, it does so by sending a 'bind' request to the server. If the
client wants to use additional interfaces over the same connection, it can
do that by sending an 'alter context' request to the server. Due to the
nature of DCOM, clients usually make a significant number of alter context
requests throughout their lifetime in order to talk to multiple DCOM
interfaces on the server.

The problem is that the 'alter context' calls, in addition to sending the
proper request data, follow it with a large block of the client's memory
space. The extra data is roughly 1000 bytes in size, and is normally
ignored by the server, so it does not cause functionality problems most of
the time. However, it does leak potentially sensitive information onto the
network.
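As an added illustration (not part of the advisory or of any Microsoft code), the following Python heuristic parses a connection-oriented DCE RPC alter_context PDU, works out where its context list (and any auth trailer) ends, and flags PDUs that carry far more trailing data than auth padding could explain. The advisory does not say whether the leaked block is counted inside frag_length or simply follows the PDU, so the check measures bytes beyond the parsed body either way; the sample PDUs and their zeroed UUIDs are constructed here.

```python
import struct

PTYPE_ALTER_CONTEXT = 14   # DCE RPC connection-oriented PDU type 'alter_context'
HDR_LEN = 16               # size of the common PDU header

def parse_alter_context(pdu: bytes):
    """Return (auth_trailer_len, expected_len) for an alter_context PDU,
    where expected_len is the offset at which the context list ends,
    or None if the bytes are not an alter_context PDU."""
    if len(pdu) < HDR_LEN + 12 or pdu[0] != 5 or pdu[2] != PTYPE_ALTER_CONTEXT:
        return None
    end = "<" if pdu[4] & 0x10 else ">"        # packed_drep byte 0: 0x10 = little-endian ints
    auth_length, = struct.unpack(end + "H", pdu[10:12])
    # body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4),
    #       then n_context_elem(1) + 3 reserved bytes
    off = HDR_LEN + 8
    n_ctx = pdu[off]
    off += 4
    for _ in range(n_ctx):
        # element: p_cont_id(2) n_transfer_syn(1) reserved(1) abstract_syntax(20),
        #          followed by one 20-byte (uuid + version) entry per transfer syntax
        if len(pdu) < off + 4:
            return None
        off += 4 + 20 + 20 * pdu[off + 2]
    trailer = 8 + auth_length if auth_length else 0   # sec_trailer + auth verifier, if present
    return trailer, off

def excess_bytes(pdu: bytes) -> int:
    """Bytes carried after the parsed alter_context body (and auth trailer)."""
    parsed = parse_alter_context(pdu)
    if parsed is None:
        return 0
    trailer, expected = parsed
    return max(0, len(pdu) - expected - trailer)

def is_suspicious(pdu: bytes, threshold: int = 64) -> bool:
    """Flag alter_context PDUs trailing far more data than auth padding could explain."""
    return excess_bytes(pdu) > threshold

def build_alter_context(trailing: bytes = b"") -> bytes:
    """Constructed sample PDU: one context element, one transfer syntax, zeroed UUIDs."""
    body = struct.pack("<HHI", 5840, 5840, 0)            # max_xmit, max_recv, assoc_group_id
    body += bytes([1, 0, 0, 0])                           # n_context_elem = 1
    body += struct.pack("<HBB", 0, 1, 0)                  # p_cont_id, n_transfer_syn, reserved
    body += bytes(16) + struct.pack("<I", 0)              # abstract syntax (placeholder uuid, v0)
    body += bytes(16) + struct.pack("<I", 2)              # transfer syntax (placeholder uuid, v2)
    hdr = bytes([5, 0, PTYPE_ALTER_CONTEXT, 0x03, 0x10, 0, 0, 0])   # vers, minor, ptype, flags, drep
    hdr += struct.pack("<HHI", HDR_LEN + len(body), 0, 1)           # frag_length, auth_length, call_id
    return hdr + body + trailing

if __name__ == "__main__":
    leaky = build_alter_context(b"\xaa" * 1000)           # constructed stand-in for leaked memory
    print(excess_bytes(build_alter_context()), is_suspicious(leaky))   # 0 True
```

On a real capture, feed each reassembled RPC PDU from the TCP stream to is_suspicious; a steady stream of hits on port 135 or the dynamic DCOM ports from an unpatched W2K client is the signature this advisory describes.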

The specific case that caused a password to be sent onto the network was
this: On W2K SP1, start an empty mmc.exe. Add in a WMI Control snap-in.
Configure it to connect to another computer, and use the 'Log on as'
dialog to specify credentials. Then get the properties from the remote
machine. This led, in our case, to the supplied password being leaked
onto the network in plaintext. This did not occur every time, but happened
on several different occasions.

DCOM traffic is not limited to any particular port, but is usually done
over ports 135 and dynamic ports from 1024 to 5000.

Vendor Response:
Microsoft has been informed of this issue and has a fix for it, but they
did not feel the risk was significant enough to warrant releasing a Hotfix.
Their knowledge base article can be found at:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

The fix is included in the Windows 2000 SRP1.

Workarounds:
 * Disable DCOM on all W2K machines.

Recommendations:
If you make significant use of DCOM on Windows 2000, obtain SRP1 from
Microsoft, and deploy it.

ADDITIONAL INFORMATION

References:
Knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

W2K Security Rollup Patch 1:
http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp

The information has been provided by Todd Sabin <tsabin@razor.bindview.com>.
