lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: mail_winter at hotpop.com (winter)
Subject: Possibly a stupid question RPC over HTTP

I recall Todd from bindview talking about this in one of his
advisories...that it was possible in IIS, but had to be explicitly switched
on. And also in one of the blackhat (rm) archive methinks.

http://www.securityfocus.com/archive/1/329668

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Rodrigo Barbosa
> Sent: Thursday, 14 October 2004 6:05 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Possibly a stupid question RPC 
> over HTTP
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> This is called, in my experience, XML-RPC (google search with lots
> of results). Reference: http://www.xmlrpc.com/spec
> 
> Yes, it is a Remote Procedure Calling implementation. No, it is not
> the same things that the good old udp based RPC used for things
> like NIS and NFS. References: RFC 1057 and RFC 1831.
> 
> That can be the source of confusion. Akin names.
> 
> On Wed, Oct 13, 2004 at 11:37:12AM -0400, Daniel H. Renner wrote:
> > Daniel,
> > 
> > Could you please point out where you read this data?  I 
> would like to
> > see this one...
> > > This may just reflect my ignorance, but I read (and found hard to
> > > believe) that Microsoft has implemented RPC over HTTP. Is 
> this not a
> > > HUGE security hole? If I understand it correctly it means 
> that good old
> > > HTML or XML can invoke a process using standard web 
> traffic (port 80)?
> > > Is there any permission checking done? what things can be 
> invoked by RPC
> > > over HTTP? Jeeze, to me it looks like the barn door is 
> now wide open. Am
> > > I right, and if so, how can I detect RPCs in web traffic 
> to block this
> > > junk? Can ANY stateful packet filter see this stuff or is 
> the pattern
> > > too broad in allowed RPCs?
> > > 
> > > Again, I hope this is not a stupid question or 
> inappropriate format for
> > > this, as somebody else recently said, there is already 
> enough noise on
> > > this list. I would hate to see this list degenerate, it 
> has been REALLY
> > > valuable to me as a network engineer on occaison.
> 
> - -- 
> Rodrigo Barbosa <rodrigob@...spammers.org>
> "Quid quid Latine dictum sit, altum viditur"
> "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQFBbYoGpdyWzQ5b5ckRAsMMAJ0bg5ygvKOa1Du66mbW9+gkYfTqVACfewf0
> PPz66l4bre4Gtn1J4dYl6AQ=
> =ZAmy
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ