Full Disclosure mailing list archives
Re: Microsoft win2003server phone home
From: "Gaurav Kumar" <gaurav () e2-labs com>
Date: Tue, 5 Aug 2003 06:48:29 +0530
jeeesus, where's the manager? someone throw these kiddies out puhleese. u call me script kiddie, may i know if u r not? r u master of internet securitiy technologies? i hope one learns by studying some material and then try of its own. did all the knowledge u have was acquired automatically?probably not. will you read the license agreement to the part where it talks about the update ? the agreement says the info will be sent to microsoft. r u sure? how does it establish identity without using any digital certificate. we are here to learn and grow. not to fight. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Gaurav Kumar Chief Information Security Analyst E2 Labs Information Security Pvt. Ltd. Road no. 3 , Banjara Hills Hyderbad-34 AP India gaurav () e2-labs com www.e2-labs.com Phone(s)- Mobile +91 40 31068650 Tele/Fax +91 40 23555942 (ext-24) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ----- Original Message ----- From: "manohar singh" <seclistaddress () yahoo com> To: "Gaurav Kumar" <gaurav () e2-labs com> Cc: <full-disclosure () lists netsys com> Sent: Monday, August 04, 2003 5:52 PM Subject: Re: [Full-disclosure] Microsoft win2003server phone home jeeesus, where's the manager? someone throw these kiddies out puhleese. will you read the license agreement to the part where it talks about the update ? ! Gaurav Kumar <gaurav () e2-labs com> wrote: 1. Is this behavior normal for a windows server installation ? i think that this behavour is normal bcoz as u analyse that session u will get to know that server is trying to update something 2. Could this behavior be considered as a violation of privacy ? this surely a case of violation of privacy as it is not mentioned in agreement. go ahead, sue micro$oft. 3. Could it be considered as a security risk to let a newly installed server, request information from an arbitrary server that I have no control over ? yes its a security risk bcoz it is not even using pki to establish identity of the server. Gaurav Kumar Chief Information Security Analyst E2 Labs Information Security Pvt. Ltd. Hyderbad-34 AP India Phone(s)- Mobile +91 40 31068650 Tele/Fax +91 40 23555942 (ext-24) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ----- Original Message ----- From: "gyrniff" <b240503 () gyrniff dk> To: <full-disclosure () lists netsys com> Sent: Monday, August 04, 2003 3:27 PM Subject: [Full-disclosure] Microsoft win2003server phone home
After acquiring and installing a copy of 'Windows
Server 2003 Standard Edition
180-Day Evaluation' I walked through the 'role
wizard', used the 'custom
role config' and selected everything ;-) After reboot the server made two POST request to
microsoft controlled
webserveres without any notification. One request to
activex.micrisoft.com
and one to codecs.microsoft.com, the data posted to
the two severs was the
same. (See the request and responds below.) I can find no information in the license agreement
about giving away
'information' behind my back. My question: 1. Is this behavior normal for a windows server
installation ?
2. Could this behavior be considered as a violation
of privacy ?
3. Could it be considered as a security risk to let
a newly installed server,
request information from an arbitrary server that I
have no control over ?
**** Posted data to activex.microsoft.com: POST /objects/ocget.dll HTTP/1.1 Accept: application/x-cabinet-win32-x86,
application/x-pe-win32-x86,
application/octet-stream, application/x-setupscript,
*/*
Content-Type: application/x-www-form-urlencoded Accept-Language: da Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.2; .NET CLR
1.1.4322) Host: activex.microsoft.com Content-Length: 44 Connection: Keep-Alive Cache-Control: no-cache CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7} The reply: HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Sun, 03 Aug 2003 09:48:38 GMT Connection: close Content-Type: text/html Content-Length: 102 <html><head><title>Error</title></head><body>The
system cannot find the file
specified. </body></html> *** Postede data to codecs.microsoft.com POST /isapi/ocget.dll HTTP/1.1 Accept: application/x-cabinet-win32-x86,
application/x-pe-win32-x86,
application/octet-stream, application/x-setupscript,
*/*
Content-Type: application/x-www-form-urlencoded Accept-Language: da Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.2; .NET CLR
1.1.4322) Host: codecs.microsoft.com Content-Length: 44 Connection: Keep-Alive Cache-Control: no-cache CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7} And the reply: HTTP/1.1 404 Not Found Connection: close Date: Sun, 03 Aug 2003 09:47:54 GMT Server: Microsoft-IIS/6.0 P3P:
policyref="http://www.microsoft.com/w3c/p3p.xml" CP="ALL IND DSP COR ADM
CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo
CNT COM INT NAV ONL PHY PRE
PUR UNI" X-Powered-By: ASP.NET /Gyrniff _______________________________________________ Full-Disclosure - We believe in it. Charter:
http://lists.netsys.com/full-disclosure-charter.html
__________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Microsoft win2003server phone home gyrniff (Aug 04)
- Re: Microsoft win2003server phone home Gaurav Kumar (Aug 04)
- Re: Microsoft win2003server phone home manohar singh (Aug 04)
- Re: Microsoft win2003server phone home Gaurav Kumar (Aug 04)
- Re: Microsoft win2003server phone home Mike Garegnani (Aug 04)
- Re: Microsoft win2003server phone home Matthew Murphy (Aug 04)
- Re: Microsoft win2003server phone home manohar singh (Aug 04)
- Re: Microsoft win2003server phone home martin scherer (Aug 04)
- Re: Microsoft win2003server phone home Valdis . Kletnieks (Aug 04)
- RE: Microsoft win2003server phone home Jason Coombs (Aug 04)
- Re: Microsoft win2003server phone home Valdis . Kletnieks (Aug 04)
- Re: Microsoft win2003server phone home Valdis . Kletnieks (Aug 04)
- Re: Microsoft win2003server phone home Gaurav Kumar (Aug 04)
- <Possible follow-ups>
- Re: Microsoft win2003server phone home Orochford (Aug 04)