[Dshield] Security Alert: Remote Vulnerability in Internet Explorer via DCOM

John Sage jsage at finchhaven.com
Mon Jul 8 14:20:19 GMT 2002


On Mon, Jul 08, 2002 at 05:14:52AM -0700, Kenneth Porter wrote:
> On Fri, 2002-07-05 at 05:58, John Sage wrote:
> 
> > I believe the point is, as has been often stated, that many many
> > people use a password such as "password" or their last name, or
> > somesuch...
> > 
> > Given that generally most people's passwords are very insecure, and,
> > say, a staff directory, you'd be into many corporate computer systems,
> > right quick.
> 
> So the implication is that anyone with your login password can snoop on
> your DCOM sessions, particularly your IE traffic. Even if it uses HTTPS.
> 
> Anyone know the characteristics of DCOM traffic? Does it use specific
> ports? Or is it a portmapper/RPC thing with dynamic ports?

Kenneth:

Try this:

http://msdn.microsoft.com/library/en-us/dndcom/html/msdn_dcomtec.asp

"The DCOM wire-protocol is based on DCE RPC, so it is easy to
implement DCOM on platforms for which DCE RPC is already
available. DCE RPC defines a proven standard for converting in-memory
data structures and parameters into network packets. Its Network Data
Representation (NDR) is platform neutral ("reader makes right") and
provides a rich set of portable data types."


Apparently Micro$oft has renamed DCE/RPC to DCOM; see:

http://www.opengroup.org/onlinepubs/009629399/

for DCE/RPC itself, although both of these, upon quick scan, seem
pretty general...


- John
-- 
^ALÍ! This program cannot be run in DOS mode.^M

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
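
Added example (not part of the original post or of the MSDN paper it quotes): a minimal Python parser for the 16-byte connection-oriented DCE RPC common header, showing how a receiver uses the data representation label to decode the sender's integers ("reader makes right"). The field layout follows the Open Group DCE RPC specification linked above; the function name and both sample headers are constructed for illustration.

```python
import struct

# Subset of connection-oriented PDU types from the DCE RPC specification.
PTYPES = {0: "request", 2: "response", 3: "fault",
          11: "bind", 12: "bind_ack", 13: "bind_nak"}
INT_REP = {0: "big-endian", 1: "little-endian"}
CHAR_REP = {0: "ASCII", 1: "EBCDIC"}
FLOAT_REP = {0: "IEEE", 1: "VAX", 2: "Cray", 3: "IBM"}

# Constructed samples: the same bind header (frag_length 72, call_id 1)
# as written by a little-endian and by a big-endian sender.
SAMPLE_LE = bytes([5, 0, 11, 3, 0x10, 0, 0, 0]) + struct.pack("<HHI", 72, 0, 1)
SAMPLE_BE = bytes([5, 0, 11, 3, 0x00, 0, 0, 0]) + struct.pack(">HHI", 72, 0, 1)


def parse_co_header(data: bytes) -> dict:
    """Parse the 16-byte connection-oriented DCE RPC common header."""
    if len(data) < 16:
        raise ValueError("need at least 16 bytes")
    vers, minor, ptype, flags = data[0], data[1], data[2], data[3]
    if vers != 5:
        raise ValueError("not a connection-oriented DCE RPC PDU")
    # packed_drep: byte 0 = integer rep (high nibble) and character rep
    # (low nibble); byte 1 = floating-point rep; bytes 2-3 are reserved.
    drep = data[4:8]
    int_rep, char_rep, float_rep = drep[0] >> 4, drep[0] & 0x0F, drep[1]
    if (int_rep not in INT_REP or char_rep not in CHAR_REP
            or float_rep not in FLOAT_REP):
        raise ValueError("unknown data representation label")
    # The sender writes in its native order; the reader converts.
    order = "<" if int_rep == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(order + "HHI", data, 8)
    if frag_len < 16:
        raise ValueError("frag_length smaller than the header itself")
    return {"version": (vers, minor), "flags": flags,
            "ptype": PTYPES.get(ptype, f"unknown({ptype})"),
            "byte_order": INT_REP[int_rep], "char_rep": CHAR_REP[char_rep],
            "float_rep": FLOAT_REP[float_rep], "frag_length": frag_len,
            "auth_length": auth_len, "call_id": call_id}


if __name__ == "__main__":
    for sample in (SAMPLE_LE, SAMPLE_BE):
        print(parse_co_header(sample))
```

The check keys on the header bytes rather than on a port number, so it can be applied to a captured TCP payload whichever port carried it.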