BindView Security Advisory -------- Windows 2000 DCOM clients may leak sensitive information onto the network Issue Date: April 2, 2002 Contact: tsabin@razor.bindview.com Topic: Windows 2000 DCOM system may leak sensitive data onto the network Overview: Due to a flaw in Windows 2000's DCOM layer, arbitrary parts of a DCOM client's memory may be sent onto the network in plaintext. The data may be anything from relatively harmless information like the process's environment block, to very sensitive information including passwords. Affected Systems: Windows 2000 systems using DCOM, up to and including SP2 Impact: Windows 2000 systems using DCOM are at risk of leaking information. The exact ramifications depend on the characteristics of the individual DCOM programs. Details: DCOM is done with extensions built on top of the normal DCE RPC mechanisms built into Windows. When a client wishes to make requests to a server, it first connects to the server. It then has to tell the server what RPC interface it wants to use. The first time it does this on a given connection, it does this by making a 'bind' request to the server. If the client wants to use additional interfaces with the same connection, it can do that by making an 'alter context' request to the server. Due to the nature of DCOM, clients usually make a significant number of alter context requests throughout their lifetime to talk to multiple DCOM interfaces on the server. The problem is that the 'alter context' calls, in addition to sending the proper request data, follow it with a large block of the client's memory space. The extra data is roughly 1000 bytes in size, and is normally ignored by the server, so it doesn't cause functionality problems most of the time. However, it does leak potentially sensitive information onto the network. The specific case which caused a password to be sent onto the network was this: On W2K SP1, start an empty mmc.exe. Add in a WMI Control snap-in. Configure it to connect to another computer, and use the 'Log on as' dialog to specify credentials. Then get the properties from the remote machine. This lead, in our case, to the supplied password being leaked onto the network in plaintext. This didn't occur every time, but happened on several different occasions. DCOM traffic is not limited to any particular port, but is usually done over ports 135, and dynamic ports from 1024 to 5000. Vendor Response: Microsoft has been informed of this issue, and has a fix for it, but they did not feel the risk is significant enough to warrant releasing a hotfix. Their knowledge base article can be found at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367 The fix is included in the Windows 2000 SRP1. Workarounds: Disable DCOM on all W2K machines. Recommendations: If you make significant use of DCOM on Windows 2000, obtain SRP1 from Microsoft, and deploy it. References: Knowledge base article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367 W2K Security Rollup Patch 1: http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp
