[Dshield] Security Alert: Remote Vulnerability in Internet Explorer via DCOM

John Sage jsage at finchhaven.com
Mon Jul 8 14:20:19 GMT 2002

On Mon, Jul 08, 2002 at 05:14:52AM -0700, Kenneth Porter wrote:
> On Fri, 2002-07-05 at 05:58, John Sage wrote:
> > I believe the point is, as has been often stated, that many many
> > people use a password such as "password" or their last name, or
> > somesuch...
> > 
> > Given that generally most people's passwords are very insecure, and,
> > say, a staff directory, you'd be into many corporate computer systems,
> > right quick.
> So the implication is that anyone with your login password can snoop on
> your DCOM sessions, particularly your IE traffic. Even if it uses HTTPS.
> Anyone know the characteristics of DCOM traffic? Does it use specific
> ports? Or is it a portmapper/RPC thing with dynamic ports?


Try this:


"The DCOM wire-protocol is based on DCE RPC, so it is easy to
implement DCOM on platforms for which DCE RPC is already
available. DCE RPC defines a proven standard for converting in-memory
data structures and parameters into network packets. Its Network Data
Representation (NDR) is platform neutral ("reader makes right") and
provides a rich set of portable data types."

Apparently Micro$oft has renamed DCE/RPC to DCOM; see:


for DCE/RPC itself, although both of these, upon quick scan, seem
pretty general...

- John
^ALÍ! This program cannot be run in DOS mode.^M

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
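
The "reader makes right" rule in the passage quoted above, as an added example that is not part of the original post: the sender writes header integers in its own byte order and labels the PDU with a data representation (drep) field, and the reader converts. The field layout is that of the DCE RPC connection-oriented common header; the function name and the two sample headers are constructed for illustration.

```python
import struct

# Packet type names from the DCE RPC connection-oriented PDU definitions.
PTYPES = {0: "request", 2: "response", 3: "fault",
          11: "bind", 12: "bind_ack", 13: "bind_nak"}

# Constructed sample headers: the same logical bind PDU header
# (frag_length=72, auth_length=0, call_id=1) as written by a
# little-endian sender and by a big-endian sender.
SAMPLE_LE = bytes.fromhex("05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00")
SAMPLE_BE = bytes.fromhex("05 00 0b 03 00 00 00 00 00 48 00 00 00 00 00 01")


def parse_co_header(pdu: bytes) -> dict:
    """Decode the 16-byte common header, honouring the sender's drep."""
    if len(pdu) < 16:
        raise ValueError("short PDU: the common header is 16 bytes")
    rpc_vers, rpc_vers_minor, ptype, flags = struct.unpack_from("4B", pdu, 0)
    if rpc_vers != 5:
        raise ValueError("not a connection-oriented DCE RPC PDU")

    # drep byte 0: high nibble = integer format (0 big-endian, 1 little-endian),
    # low nibble = character format (0 ASCII, 1 EBCDIC).
    int_rep, char_rep = pdu[4] >> 4, pdu[4] & 0x0F
    if int_rep not in (0, 1) or char_rep not in (0, 1):
        raise ValueError("unknown data representation label")
    order = "<" if int_rep == 1 else ">"

    # Every multi-byte field after drep is in the sender's byte order.
    frag_length, auth_length, call_id = struct.unpack_from(order + "HHI", pdu, 8)
    if frag_length < 16:
        raise ValueError("frag_length smaller than the header itself")
    return {
        "version": (rpc_vers, rpc_vers_minor),
        "ptype": PTYPES.get(ptype, "type %d" % ptype),
        "flags": flags,
        "byte_order": "little" if int_rep == 1 else "big",
        "charset": "ASCII" if char_rep == 0 else "EBCDIC",
        "frag_length": frag_length,
        "auth_length": auth_length,
        "call_id": call_id,
        "complete": len(pdu) >= frag_length,  # whole fragment captured?
    }


if __name__ == "__main__":
    for sample in (SAMPLE_LE, SAMPLE_BE):
        print(parse_co_header(sample))
```

A decoder that assumes little-endian reads the big-endian sample's frag_length as 18432 instead of 72, which is why the drep label has to be checked before any length field is trusted.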
