Re: Possibly a stupid question RPC over HTTP

["Maxime Ducharme" <mducharme () cybergeneration com>]

Hi Daniel & Daniel

I agree this can lead to security holes.

There are ways to make it "more secure" (if you can call
it secure), here are some links about this subject :

(sorry for wrapped urls)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp

http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.scripting.com/98/04/stories/bobAtkinsonOnHttpPost.html
http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/40018/MicrosoftExchangeOutlook_40018.html
http://www.sanx.org/tipShow.asp?articleRef=117
http://www.kb.cert.org/vuls/id/698564
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807
http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci963557,00.html

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message ----- 
From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 13, 2004 11:37 AM
Subject: Re: [Full-disclosure] Possibly a stupid question RPC over HTTP


> Daniel,
>
> Could you please point out where you read this data?  I would like to
> see this one...
> -- 
> Daniel H. Renner <dan () losangelescomputerhelp com>
> Los Angeles Computerhelp
>
>
> On Tue, 2004-10-12 at 20:54, full-disclosure-request () lists netsys com
> wrote:
> > Message: 18
> > Date: Tue, 12 Oct 2004 12:41:56 -0700
> > From: "Daniel Sichel" <daniels () Ponderosatel com>
> > To: <full-disclosure () lists netsys com>
> > Subject: [Full-disclosure] Possibly a stupid question RPC over HTTP
> >
> > This may just reflect my ignorance, but I read (and found hard to
> > believe) that Microsoft has implemented RPC over HTTP. Is this not a
> > HUGE security hole? If I understand it correctly it means that good old
> > HTML or XML can invoke a process using standard web traffic (port 80)?
> > Is there any permission checking done? what things can be invoked by RPC
> > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
> > I right, and if so, how can I detect RPCs in web traffic to block this
> > junk? Can ANY stateful packet filter see this stuff or is the pattern
> > too broad in allowed RPCs?
> >
> > Again, I hope this is not a stupid question or inappropriate format for
> > this, as somebody else recently said, there is already enough noise on
> > this list. I would hate to see this list degenerate, it has been REALLY
> > valuable to me as a network engineer on occaison.
> >
> > Thanks all,
> > Dan Sichel
> > Ponderosa telephone
> > daniels () ponderosatel com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html