[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <004601c4b161$653d8090$a900a8c0@cybergeneration.com>
From: mducharme at cybergeneration.com (Maxime Ducharme)
Subject: Possibly a stupid question RPC over HTTP
Hi Daniel & Daniel
I agree this can lead to security holes.
There are ways to make it "more secure" (if you can call
it secure), here are some links about this subject :
(sorry for wrapped urls)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.scripting.com/98/04/stories/bobAtkinsonOnHttpPost.html
http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/40018/MicrosoftExchangeOutlook_40018.html
http://www.sanx.org/tipShow.asp?articleRef=117
http://www.kb.cert.org/vuls/id/698564
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0807
http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci963557,00.html
Have a nice day
Maxime Ducharme
Programmeur / Sp?cialiste en s?curit? r?seau
----- Original Message -----
From: "Daniel H. Renner" <dan@...angelescomputerhelp.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, October 13, 2004 11:37 AM
Subject: Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP
> Daniel,
>
> Could you please point out where you read this data? I would like to
> see this one...
> --
> Daniel H. Renner <dan@...angelescomputerhelp.com>
> Los Angeles Computerhelp
>
>
> On Tue, 2004-10-12 at 20:54, full-disclosure-request@...ts.netsys.com
> wrote:
> > Message: 18
> > Date: Tue, 12 Oct 2004 12:41:56 -0700
> > From: "Daniel Sichel" <daniels@...derosatel.com>
> > To: <full-disclosure@...ts.netsys.com>
> > Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
> >
> > This may just reflect my ignorance, but I read (and found hard to
> > believe) that Microsoft has implemented RPC over HTTP. Is this not a
> > HUGE security hole? If I understand it correctly it means that good old
> > HTML or XML can invoke a process using standard web traffic (port 80)?
> > Is there any permission checking done? what things can be invoked by RPC
> > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
> > I right, and if so, how can I detect RPCs in web traffic to block this
> > junk? Can ANY stateful packet filter see this stuff or is the pattern
> > too broad in allowed RPCs?
> >
> > Again, I hope this is not a stupid question or inappropriate format for
> > this, as somebody else recently said, there is already enough noise on
> > this list. I would hate to see this list degenerate, it has been REALLY
> > valuable to me as a network engineer on occaison.
> >
> > Thanks all,
> > Dan Sichel
> > Ponderosa telephone
> > daniels@...derosatel.com
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists