Message-ID: <000d01c35a79$b5386320$c5e0803e@martin>
From: memoxyde at monet.no (martin scherer)
Subject: Microsoft win2003server phone home

> My question:
> 1. Is  this behavior normal for a windows server installation ?

for microsoft? yes.
this behavior can also be seen while installing XP Professional (only one i tested),
while using netcap or similar programs to sniff packets going in/out of the
network.

> 2.  Could this behavior be considered as a violation of privacy ?
depends on what kind of information is being sent...sounds to me like it's
just checking for activex controllers and codecs, and if there are any
updates..unless there is some evil server behind the fake host, retrieving
all your sensitive information...both could be ;)

> 3.  Could it be considered as a security risk to let a newly installed server,
> request information from an arbitrary server that I have no control over ?
security in the way that your server might end up getting exploited because
of it?
no, i don't think so..
security in a way that you might get caught using an illegal copy of a
win2003 server?
yup.

----- Original Message ----- 
From: "gyrniff" <b240503@...niff.dk>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, August 04, 2003 11:57 AM
Subject: [Full-Disclosure] Microsoft win2003server phone home


> After acquiring and installing a copy of 'Windows Server 2003 Standard Edition
> 180-Day Evaluation' I walked through the 'role wizard',  used the 'custom
> role config' and selected everything ;-)
> After reboot the server made two POST requests to microsoft controlled
> webservers without any notification. One request to activex.microsoft.com
> and one to codecs.microsoft.com, the data posted to the two servers was the
> same. (See the request and response below.)
>
> I can find no information in the license agreement about giving away
> 'information' behind my back.
>
> My question:
> 1. Is  this behavior normal for a windows server installation ?
> 2.  Could this behavior be considered as a violation of privacy ?
> 3.  Could it be considered as a security risk to let a newly installed server,
> request information from an arbitrary server that I have no control over ?
>
> ****
>
> Posted data to activex.microsoft.com:
> POST /objects/ocget.dll HTTP/1.1
> Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
> application/octet-stream, application/x-setupscript, */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: da
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
> 1.1.4322)
> Host: activex.microsoft.com
> Content-Length: 44
> Connection: Keep-Alive
> Cache-Control: no-cache
>
> CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
>
> The reply:
> HTTP/1.1 404 Object Not Found
> Server: Microsoft-IIS/5.0
> Date: Sun, 03 Aug 2003 09:48:38 GMT
> Connection: close
> Content-Type: text/html
> Content-Length: 102
>
> <html><head><title>Error</title></head><body>The system cannot find the file
> specified. </body></html>
>
> ***
>
> Posted data to codecs.microsoft.com
> POST /isapi/ocget.dll HTTP/1.1
> Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
> application/octet-stream, application/x-setupscript, */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: da
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
> 1.1.4322)
> Host: codecs.microsoft.com
> Content-Length: 44
> Connection: Keep-Alive
> Cache-Control: no-cache
>
> CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
>
> And the reply:
> HTTP/1.1 404 Not Found
> Connection: close
> Date: Sun, 03 Aug 2003 09:47:54 GMT
> Server: Microsoft-IIS/6.0
> P3P: policyref="http://www.microsoft.com/w3c/p3p.xml" CP="ALL IND DSP COR ADM
> CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE
> PUR UNI"
> X-Powered-By: ASP.NET
>
>
> /Gyrniff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
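
The reply to question 2 turns on what information is actually sent. As an added example (not part of either message), this Python sketch parses the activex.microsoft.com request quoted above and lists what it discloses, including whether the body matches the declared Content-Length. The CRLF line endings, the re-joined wrapped headers and the `DESCRIBES_CLIENT` header list are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Request as quoted in the post, with mail line-wrapping undone (CRLF line
# endings are an assumption; the archive does not preserve them).
CAPTURED = (
    "POST /objects/ocget.dll HTTP/1.1\r\n"
    "Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, "
    "application/octet-stream, application/x-setupscript, */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Language: da\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; "
    ".NET CLR 1.1.4322)\r\n"
    "Host: activex.microsoft.com\r\n"
    "Content-Length: 44\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}"
).encode("ascii")

# Headers that describe the client rather than the transport (example's choice).
DESCRIBES_CLIENT = ("user-agent", "accept-language", "cookie", "authorization")


def disclosed(raw: bytes) -> dict:
    """Return what one captured request reveals about the sending host."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return {
        "destination": headers.get("host", "") + path,
        "method": method,
        # True only if the capture shows the whole body: nothing was cut off
        # and nothing extra followed the form data.
        "body_complete": declared == len(body),
        "form_fields": dict(parse_qsl(body.decode("ascii"), keep_blank_values=True)),
        "client_headers": {h: headers[h] for h in DESCRIBES_CLIENT if h in headers},
    }


if __name__ == "__main__":
    for key, value in disclosed(CAPTURED).items():
        print(f"{key}: {value}")
```

For this capture the declared 44 bytes are fully accounted for by the single CLSID field, so what the request reveals beyond that is the language and OS/.NET version strings in the headers.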

