Windows 2000 DCOM clients may leak sensitive information onto the network

From: Todd Sabin (tsabin@razor.bindview.com)
Date: 04/02/02


To: bugtraq@securityfocus.com
From: Todd Sabin <tsabin@razor.bindview.com>
Date: 02 Apr 2002 16:15:53 -0500


BindView Security Advisory
--------------------------

Windows 2000 DCOM clients may leak sensitive information onto the network
Issue Date: April 2, 2002
Contact: tsabin@razor.bindview.com

Topic:
Windows 2000 DCOM system may leak sensitive data onto the network

Overview:
Due to a flaw in Windows 2000's DCOM layer, arbitrary parts of a DCOM
client's memory may be sent onto the network in plaintext. The data
may be anything from relatively harmless information like the
process's environment block, to very sensitive information including
passwords.

Affected Systems:
Windows 2000 systems using DCOM, up to and including SP2

Impact:
Windows 2000 systems using DCOM are at risk of leaking information.
The exact ramifications depend on the characteristics of the individual
DCOM programs.

Details:

DCOM is implemented as a set of extensions built on top of the normal
DCE RPC mechanisms built into Windows. When a client wishes to make
requests to a server, it first connects to the server. It then has to
tell the server which RPC interface it wants to use. The first time it
does this on a given connection, it does so by sending a 'bind' request
to the server. If the client wants to use additional interfaces over
the same connection, it does so by sending an 'alter context' request
to the server. Due to the nature of DCOM, clients usually make a
significant number of alter context requests throughout their lifetime
in order to talk to multiple DCOM interfaces on the server.

The problem is that the 'alter context' calls, in addition to sending
the proper request data, follow it with a large block of the client's
memory space. The extra data is roughly 1000 bytes in size, and is
normally ignored by the server, so it doesn't cause functionality
problems most of the time. However, it does leak potentially
sensitive information onto the network.
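To illustrate how a defender could spot this on the wire, the following added example (not part of the original advisory) parses a DCE RPC bind / alter context PDU, computes the size the declared context list should occupy, and reports how many bytes of the fragment are left over. It assumes the leaked client memory is carried inside the PDU's declared fragment length, and the sample PDU, UUIDs and trailing bytes are constructed here, not captured traffic.

```python
import struct

# Connection-oriented DCE RPC PDU types (DCE 1.1 RPC specification)
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14


def bind_slack(pdu: bytes):
    """Return (ptype, frag_length, expected_length, slack) for a bind or
    alter_context PDU. 'slack' is the number of bytes the fragment carries
    beyond the structures it declares; a healthy PDU has slack == 0.
    Simplification (assumption): auth_pad_length bytes are not modelled."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    _vers, _vers_minor, ptype, _flags = pdu[0:4]
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a bind/alter_context PDU")
    # packed_drep byte 0: high nibble 1 = little-endian integers
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_length, auth_length, _call_id = struct.unpack(endian + "HHI", pdu[8:16])
    off = 16 + 8                    # max_xmit_frag, max_recv_frag, assoc_group_id
    n_ctx = pdu[off]
    off += 4                        # n_context_elem + reserved + reserved2
    for _ in range(n_ctx):
        n_ts = pdu[off + 2]         # number of transfer syntaxes in this element
        off += 4 + 20 + 20 * n_ts   # cont_id/n_ts/reserved + abstract + transfers
    expected = off + (8 + auth_length if auth_length else 0)  # sec_trailer + auth
    return ptype, frag_length, expected, frag_length - expected


def build_alter_context(trailing: bytes = b"") -> bytes:
    """Constructed alter_context PDU with one context element and one
    transfer syntax; 'trailing' stands in for leaked client memory."""
    body = struct.pack("<HHI", 5840, 5840, 0)          # frag sizes, assoc group
    body += struct.pack("<BBH", 1, 0, 0)               # one context element
    abstract = bytes(16) + struct.pack("<HH", 0, 0)    # placeholder interface UUID
    transfer = bytes(16) + struct.pack("<HH", 2, 0)    # placeholder transfer syntax
    body += struct.pack("<HBB", 1, 1, 0) + abstract + transfer
    frag_length = 16 + len(body) + len(trailing)
    hdr = struct.pack("<BBBB", 5, 0, PTYPE_ALTER_CONTEXT, 0x03)  # v5.0, first|last
    hdr += b"\x10\x00\x00\x00"                         # drep: little-endian, ASCII
    hdr += struct.pack("<HHI", frag_length, 0, 1)      # frag_length, auth_length, call_id
    return hdr + body + trailing


if __name__ == "__main__":
    for name, pdu in (("clean", build_alter_context()),
                      ("leaky", build_alter_context(b"A" * 1000))):
        ptype, frag, expected, slack = bind_slack(pdu)
        print(f"{name}: frag_length={frag} expected={expected} slack={slack}")
```

A slack of roughly 1000 bytes on alter context PDUs from a Windows 2000 client is the pattern the advisory describes; zero slack is normal.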

The specific case which caused a password to be sent onto the network
was this: On W2K SP1, start an empty mmc.exe. Add a WMI Control
snap-in. Configure it to connect to another computer, and use the
'Log on as' dialog to specify credentials. Then get the properties
from the remote machine. This led, in our case, to the supplied
password being leaked onto the network in plaintext. This didn't
occur every time, but happened on several different occasions.

DCOM traffic is not limited to any particular port, but is usually
carried over port 135 and dynamic ports from 1024 to 5000.

Vendor Response:

Microsoft has been informed of this issue and has a fix for it, but
did not feel the risk was significant enough to warrant releasing a
hotfix. Their knowledge base article can be found at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

The fix is included in the Windows 2000 SRP1.

Workarounds:
Disable DCOM on all W2K machines.

Recommendations:
If you make significant use of DCOM on Windows 2000, obtain SRP1
from Microsoft, and deploy it.

References:

Knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

W2K Security Rollup Patch 1:
http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp
