>As my position involves recommending network security components to both
>commercial and government entities, I would appreciate more discussion on
>the threats protocols like DCOM hold for networks. Has anybody seen that
>particular protocol used maliciously yet (other than Microsoft)?
The lower level protocol DCOM
uses is Microsoft RPC. Like all the other RPCs, Microsoft RPC
uses dynamically allocated ports above 1024. DCOM is also capable
of using server callbacks (where the server initiates communication
to the client independent of the original call). Whether DCOM
is UDP or TCP depends on what platform you're using, but UDP is
the default for NT. Just for a bonus, DCOM embeds IP addresses inside
packets, so you can kiss straightforward NAT goodbye.
This means that allowing DCOM through a packet filter means allowing
arbitrary TCP and UDP packets in either direction where both
ends are above 1024. Doing stateful packet filtering doesn't
help much, because you've still got connections initiated on
the outside.
A sufficiently clever stateful packet filter or proxy system
could understand the DCOM protocol well enough to only allow
RPC transactions that were part of a DCOM connection, I suppose,
but I strongly doubt the existence of such a system. You could
also get lucky and only need programs that don't use server
callbacks, which would help a little bit.
So really, the question of whether there are any vulnerabilities
in DCOM isn't very interesting, since you're going to end up
opening at least Microsoft RPC and more likely everything above
1024 in order to allow DCOM. Among the fascinating targets that
use Microsoft RPC are the administrative interfaces for WINS and
DHCP and client/server communication for Exchange.
Since DCOM security is at best NT-only and mostly optional,
I'd be astonished if it wasn't vastly vulnerable. If it hasn't
been used maliciously yet, just wait. The same goes for Microsoft
RPC, only squared.
Elizabeth Zwicky
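The packet-filter argument above, modelled as an added example (not code from the list post): a toy stateful filter is run over a constructed DCOM session, assuming the well-known RPC endpoint mapper on port 135, a made-up dynamically allocated server port, and constructed host names. The only policy that lets the server callback through also lets an unrelated outside-initiated packet reach any inside port above 1024.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(host: str) -> bool:
    # Constructed convention: inside hosts are named "in-*", outside hosts "out-*".
    return host.startswith("in-")


class StatefulFilter:
    """Toy stateful packet filter: inside-initiated flows are always allowed and
    tracked; outside-initiated flows are allowed only when the policy permits
    inbound connections to ports above 1024 (what a DCOM server callback needs)."""

    def __init__(self, allow_inbound_high_ports: bool):
        self.allow_inbound_high_ports = allow_inbound_high_ports
        self.flows = set()  # 4-tuples of flows already admitted

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ALLOW established"
        if is_inside(p.src):
            self.flows.add(fwd)
            return "ALLOW outbound"
        if self.allow_inbound_high_ports and p.dport > 1024:
            self.flows.add(fwd)
            return "ALLOW inbound>1024"
        return "DROP"


# Constructed trace: one DCOM session plus one unrelated outside-initiated packet.
# 135 is the RPC endpoint mapper (assumed, not in the post); 2233 stands for the
# server's dynamically allocated port; the callback and the unrelated packet
# both originate outside the filter.
TRACE = [
    Packet("in-client", 1500, "out-server", 135),    # endpoint-mapper lookup
    Packet("out-server", 135, "in-client", 1500),    # reply naming port 2233
    Packet("in-client", 1501, "out-server", 2233),   # the actual DCOM call
    Packet("out-server", 3100, "in-client", 1600),   # server callback: new flow from outside
    Packet("out-unknown", 4444, "in-wins", 1050),    # unrelated outside host to an inside high port
]


def evaluate(allow_inbound_high_ports: bool) -> list:
    """Run the trace through a fresh filter and return one verdict per packet."""
    f = StatefulFilter(allow_inbound_high_ports)
    return [f.decide(p) for p in TRACE]
```

With the strict policy the callback (packet 4) is dropped, so DCOM with callbacks breaks; with the loose policy it passes, but so does packet 5.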