Just so you know, the original mail was just a forward from the NTBUGTRAQ list. I forwarded it because I hadn't seen any mention on BUGTRAQ itself. I haven't tested this exploit myself, nor do I have any other exploit code tucked away somewhere. Moving on-- Depending on the access/launch/configure ACLs on a given DCOM object, authentication may or may not matter. Using the DCOMCNFG utility (included with NT4/5 and Win95/98), you can view the Access/Launch/Configure permissions for the DCOM objects present on your system (that are accessible via the network). Depending on how farmiliar the person who wrote the DCOM app is with CoInitializeSecurity (the COM API call for setting ACLs for Access/Launch/Configure), there are programmatic methods for launching, configuring, or deleting COM objects on a remote machine (as shown in the VB6 program below). This is similar to the problem of many win32 coders not setting ACLs on named pipes and other objects their applicatitons create. In these instances, it's not Microsoft's lack of a comptetent security model--it's the people writing to the API not taking the time to actually understand it. For those interested in learning how to write (more) secure COM apps, the book "Effective COM" (ISBN 0-201-37968) has an excellent chapter on COM Security. -----Original Message----- From: Max Vision [mailto:visionat_private] Sent: Thursday, August 19, 1999 5:39 PM To: Hargett, Matt; BUGTRAQat_private Subject: Re: FW: DCOM attack against NT using VB6 Hi, Did you have credentials to authenticate to your coworker's machines? I was able to create arbitrary files remotely on other NT machines in my network using DCOM/Word/Create, but soon discovered that this was because I had domain admin credentials that were valid for each host. IE, DCOM attacks aren't effective if you don't have authentication credentials. If you have contrary information please let us know :) I could be mistaken, since ISS does a test for non-admin access to DCOM.. What are the chances ISS/NAI want to give full disclosure on their DCOM compromise technique? Required reading: Understanding the DCOM Wire Protocol by Analyzing Network Data Packets http://www.guyeddon.com/MSJ3-98.htm Using Distributed COM with Firewalls http://www.iapetus.com/dcom/dcomfw.htm Max Vision http://maxvision.net/ On Wed, 18 Aug 1999, Hargett, Matt wrote: > -----Original Message----- > From: Rob Lempke [mailto:rlempkeat_private] > Sent: Wednesday, August 11, 1999 1:27 PM > To: NTBUGTRAQat_private > Subject: DCOM attack against NT using VB6 > > > Using the code below I was able to create 20 instances of Excel on my > co-workers machines without modifying their machines at all. The target > must be Windows NT Workstation/Server running sp3 or sp4. sp5 seems to > prevent the attack. > > Private Sub Command1_Click() > Dim xlObj As Object > Dim xlCollection As New Collection > Dim i As Long > For i = 1 To 20 > Set xlObj = CreateObject("Excel.Application", "\\NTBox") > xlCollection.Add xlObj > Next i > > i = 1 > 'clean up > While xlCollection.Count > 0 > xlCollection.Remove (xlCollection.Count) > Wend > Set xlCollection = Nothing > End Sub > > -Robert E. Lempke > -------------------------------------------- > Steven Wright one Liners: > "Black holes are where God divided by zero." > "Quantum Mechanics: The dreams stuff is made of." > "Early bird gets the worm, but the second mouse gets the cheese." > "If everything seems to be going well, you have obviously overlooked > something." > "Join the Army, meet interesting people, kill them." > "Success always occurs in private, and failure in full view." > "Ambition is a poor excuse for not having enough sense to be lazy." > "Hard work pays off in the future. Laziness pays off now." > "Everyone has a photographic memory. Some don't have film." > "Drink until she's cute, but stop before the wedding." > -------------------------------------------- >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:57:47 PDT