Windows 2000 DCOM clients may leak sensitive information onto the network

[Todd Sabin <tsabin () razor bindview com>]

BindView Security Advisory
--------

Windows 2000 DCOM clients may leak sensitive information onto the network
Issue Date: April 2, 2002
Contact:  tsabin () razor bindview com

Topic:
Windows 2000 DCOM system may leak sensitive data onto the network

Overview:
Due to a flaw in Windows 2000's DCOM layer, arbitrary parts of a DCOM
client's memory may be sent onto the network in plaintext.  The data
may be anything from relatively harmless information like the
process's environment block, to very sensitive information including
passwords.


Affected Systems:
Windows 2000 systems using DCOM, up to and including SP2


Impact:
Windows 2000 systems using DCOM are at risk of leaking information.
The exact ramifications depend on the characteristics of the individual
DCOM programs.

Details:

DCOM is done with extensions built on top of the normal DCE RPC
mechanisms built into Windows.  When a client wishes to make requests
to a server, it first connects to the server.  It then has to tell the
server what RPC interface it wants to use.  The first time it does
this on a given connection, it does this by making a 'bind' request to
the server.  If the client wants to use additional interfaces with the
same connection, it can do that by making an 'alter context' request
to the server.  Due to the nature of DCOM, clients usually make a
significant number of alter context requests throughout their lifetime
to talk to multiple DCOM interfaces on the server.

The problem is that the 'alter context' calls, in addition to sending
the proper request data, follow it with a large block of the client's
memory space.  The extra data is roughly 1000 bytes in size, and is
normally ignored by the server, so it doesn't cause functionality
problems most of the time.  However, it does leak potentially
sensitive information onto the network.

The specific case which caused a password to be sent onto the network
was this: On W2K SP1, start an empty mmc.exe.  Add in a WMI Control
snap-in.  Configure it to connect to another computer, and use the
'Log on as' dialog to specify credentials.  Then get the properties
from the remote machine.  This lead, in our case, to the supplied
password being leaked onto the network in plaintext.  This didn't
occur every time, but happened on several different occasions.

DCOM traffic is not limited to any particular port, but is usually
done over ports 135, and dynamic ports from 1024 to 5000.


Vendor Response:

Microsoft has been informed of this issue, and has a fix for it, but
they did not feel the risk is significant enough to warrant releasing a
hotfix.  Their knowledge base article can be found at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

The fix is included in the Windows 2000 SRP1.

Workarounds:
Disable DCOM on all W2K machines.

Recommendations:
If you make significant use of DCOM on Windows 2000, obtain SRP1
from Microsoft, and deploy it.

References:

Knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300367

W2K Security Rollup Patch 1:
http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp