Full Disclosure mailing list archives

Re: Microsoft win2003server phone home


From: "Mike Garegnani" <headhoncho () subverter net>
Date: Mon, 4 Aug 2003 06:03:31 -0700

...Totally disregarding the fact that the requests turned up 404s, this most
definitely is a violation of privacy, but then again you have to take into
account that every time you make any outbound connection on the internet, and
of course vice versa, that's a privacy issue. If this was one of the first
things the OS did after installation then I don't see much reason for
concern. All that was posted was a GUID, and not to mention it was a 404, so
aside from your post showing up somewhere in a log it won't be used or even
seen for that matter. But it certainly can be a security issue. Anything you
don't have control over, or know about (you're lucky you caught this; it
could have been worse) can potentially be used against you at some time.
Kinda makes me wonder how Microsoft could hard-code something that isn't
even there. But then again we're talking about Microsoft; there's always
room for plain ol' stupidity. Are you sure you didn't load up or happen to
come across something using Media Player (say, clicking on a media file in
Explorer; there's that little doodad that shows up to the right of the
listing that serves as a "preview")? Anyways... you're safe and sound. Your
server is bound to save you millions or something like that. No worries.
Did you even have it hooked up to a network? Don't bother answering, btw.
----- Original Message ----- 
From: Gaurav Kumar
To: gyrniff
Cc: full-disclosure () lists netsys com
Sent: Monday, August 04, 2003 4:38 PM
Subject: Re: [Full-disclosure] Microsoft win2003server phone home


 1. Is this behavior normal for a windows server installation ?
I think that this behaviour is normal because, as you analyse that session, you will
get to know that the server is trying to update something.

 2. Could this behavior be considered as a violation of privacy ?
This is surely a case of violation of privacy, as it is not mentioned in the
agreement. Go ahead, sue micro$oft.

 3. Could it be considered as a security risk to let a newly installed
server request information from an arbitrary server that I have no control over ?
Yes, it's a security risk because it is not even using PKI to establish the
identity of the server.


Gaurav Kumar

Chief Information Security Analyst
E2 Labs Information Security Pvt. Ltd.
Hyderabad-34
AP
India

Phone(s)-
Mobile      +91 40 31068650
Tele/Fax   +91 40 23555942 (ext-24)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
----- Original Message ----- 
From: "gyrniff" <b240503 () gyrniff dk>
To: <full-disclosure () lists netsys com>
Sent: Monday, August 04, 2003 3:27 PM
Subject: [Full-disclosure] Microsoft win2003server phone home


After acquiring and installing a copy of 'Windows Server 2003 Standard Edition
180-Day Evaluation' I walked through the 'role wizard', used the 'custom
role config' and selected everything ;-)
After reboot the server made two POST requests to Microsoft-controlled
web servers without any notification. One request to activex.microsoft.com
and one to codecs.microsoft.com; the data posted to the two servers was the
same. (See the requests and responses below.)

I can find no information in the license agreement about giving away
'information' behind my back.

My questions:
1. Is this behavior normal for a windows server installation ?
2. Could this behavior be considered as a violation of privacy ?
3. Could it be considered as a security risk to let a newly installed
server request information from an arbitrary server that I have no control over ?

****

Posted data to activex.microsoft.com:
POST /objects/ocget.dll HTTP/1.1
Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, application/octet-stream, application/x-setupscript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: activex.microsoft.com
Content-Length: 44
Connection: Keep-Alive
Cache-Control: no-cache

CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}

The reply:
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Sun, 03 Aug 2003 09:48:38 GMT
Connection: close
Content-Type: text/html
Content-Length: 102

<html><head><title>Error</title></head><body>The system cannot find the file specified. </body></html>

***

Posted data to codecs.microsoft.com:
POST /isapi/ocget.dll HTTP/1.1
Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, application/octet-stream, application/x-setupscript, */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: codecs.microsoft.com
Content-Length: 44
Connection: Keep-Alive
Cache-Control: no-cache

CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}

And the reply:
HTTP/1.1 404 Not Found
Connection: close
Date: Sun, 03 Aug 2003 09:47:54 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.microsoft.com/w3c/p3p.xml"; CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET


/Gyrniff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


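The two captures in gyrniff's post, triaged as an added example (this is not code from the original thread, from Microsoft, or from any of the posters): it parses each request and reply, pulls out the CLSID that was sent, records that the Accept header invites installable code (a CAB or PE file) over plain HTTP with no server identity check, which is the point Gaurav raises, and confirms that the 404 replies delivered nothing, which is Mike's point. The set of "code" MIME types, the classification rules and the transcription (line wraps rejoined, a few headers dropped) are this example's own assumptions; the URL scheme is passed in because the captures do not record it.

```python
# Added example (not from the original thread): triage the two ocget.dll
# POSTs from the post above. Captures are transcribed from gyrniff's mail
# with line wraps rejoined and a few headers dropped; the rules are my own.
import re

# MIME types from the captured Accept header that denote installable code
# (a CAB, a PE binary or an .inf setup script) rather than plain data.
CODE_MIME_TYPES = {
    "application/x-cabinet-win32-x86",
    "application/x-pe-win32-x86",
    "application/x-setupscript",
}
CLSID_RE = re.compile(r"CLSID=\{([0-9A-Fa-f-]{36})\}")


def parse_http(raw: str):
    """Split a raw HTTP request or reply into (start line, headers, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body.strip()


def assess_request(raw: str, scheme: str = "http") -> dict:
    """Destination, CLSID sent, whether the client is prepared to receive
    code, and whether the channel was plaintext (so no server identity
    was verified). The scheme is passed in; the capture does not carry it."""
    start, headers, body = parse_http(raw)
    method, path, _ = start.split(" ", 2)
    accept = {t.strip() for t in headers.get("accept", "").split(",")}
    m = CLSID_RE.search(body)
    return {
        "host": headers.get("host", ""),
        "path": path,
        "method": method,
        "clsid": m.group(1).upper() if m else None,
        "asks_for_code": bool(accept & CODE_MIME_TYPES),
        "plaintext": scheme == "http",
    }


def code_delivered(raw_reply: str) -> bool:
    """True only for a 200 whose body the client could treat as code;
    the 404 error pages in the post never count."""
    start, headers, _ = parse_http(raw_reply)
    status = int(start.split()[1])
    ctype = headers.get("content-type", "").split(";")[0].strip()
    return status == 200 and ctype in CODE_MIME_TYPES | {"application/octet-stream"}


def review(pairs) -> dict:
    """Per CLSID: endpoints asked, whether code came back, and whether an
    unauthenticated plaintext code fetch was attempted at all."""
    out = {}
    for req_raw, reply_raw in pairs:
        a = assess_request(req_raw)
        e = out.setdefault(a["clsid"], {"endpoints": set(), "delivered": False,
                                        "plaintext_code_fetch": False})
        e["endpoints"].add(a["host"] + a["path"])
        e["delivered"] |= code_delivered(reply_raw)
        e["plaintext_code_fetch"] |= a["asks_for_code"] and a["plaintext"]
    return out


# Transcribed from the post: the two POSTs and their 404 replies.
REQ_ACTIVEX = """POST /objects/ocget.dll HTTP/1.1
Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, application/octet-stream, application/x-setupscript, */*
Content-Type: application/x-www-form-urlencoded
Host: activex.microsoft.com

CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
"""
REPLY_ACTIVEX = """HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Content-Type: text/html

<html><head><title>Error</title></head><body>The system cannot find the file specified. </body></html>
"""
REQ_CODECS = REQ_ACTIVEX.replace("/objects/", "/isapi/").replace("activex.", "codecs.")
REPLY_CODECS = """HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
"""

if __name__ == "__main__":
    for clsid, info in review([(REQ_ACTIVEX, REPLY_ACTIVEX),
                               (REQ_CODECS, REPLY_CODECS)]).items():
        print(clsid, sorted(info["endpoints"]), info["delivered"],
              info["plaintext_code_fetch"])
```

The split between "asked for code over plaintext" and "code was delivered" is deliberate: the first is the exposure (a server willing to install whatever a plain-HTTP endpoint returns for a CLSID), the second is what actually happened in this capture (nothing, because both endpoints answered 404). A proxy log review would flag the first regardless of the second.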

