Hi
A friend of mine was able to "reset" my computer running fully patched XP SP2. By reset I mean restart it in a way that would resemble pressing the power reset button to cause the machine to power cycle.
After further investigation, I found that the problem had to do with DCOM. Somehow they were able to use port 80 to control DCOM and cause my machine to reset.
I disabled DCOM, and I asked them to do whatever they did again, and it failed. So my question is, why is this vulnerability left unpatched? Why not deprecate DCOM altogether?
I learned that blocking port 135 does not mean you will be safe. These people are using other ports too.
-
-
SecretSoftware wrote: Hi
A friend of mine was able to "reset" my computer running fully patched XP SP2. By reset I mean restart it in a way that would resemble pressing the power reset button to cause the machine to power cycle.
After further investigation, I found that the problem had to do with DCOM. Somehow they were able to use port 80 to control DCOM and cause my machine to reset.
I disabled DCOM, and I asked them to do whatever they did again, and it failed. So my question is, why is this vulnerability left unpatched? Why not deprecate DCOM altogether?
I learned that blocking port 135 does not mean you will be safe. These people are using other ports too.
Hmm... well, I wonder what data they sent?
And of course one should always turn off any TCP/UDP services not needed.
But it sounds like some use of WMI or related tech.
In large corporate networks they can do updates to masses of PCs using Wake-on-LAN, WMI, SMS and related tech.
That often means that at, say, 2am a PC comes on via WOL and gets stuff done, and then gets a remote shutdown or reboot command when needed. -
There are tools in the XP/2k resource kits that enable you to do this. There is a setting in your local policy with which you can prevent this.
We used to pull this trick at work all the time.

-
CodeMonkey666 wrote:
There are tools in the XP/2k resource kits that enable you to do this. There is a setting in your local policy with which you can prevent this.
We used to pull this trick at work all the time.

But that is on a LAN. I am talking over the internet: 2 different ISPs in 2 different countries.
Also, what security policy are you talking about? Care to clarify?
Mind you that I am blocking 70% of the total IPs in the entire internet. -
http://support.microsoft.com/kb/317371
I never tried this over the internet though. I will dig around and find the policy that prohibits this.
updated -
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Description: Determines which users are allowed to shut down a computer from a remote location on the network.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default:
- On workstations and servers: Administrators.
- On domain controllers: Administrators, Server Operators.
For more information, see:
-
SecretSoftware wrote: Hi
A friend of mine was able to "reset" my computer running fully patched XP SP2. By reset I mean restart it in a way that would resemble pressing the power reset button to cause the machine to power cycle.
After further investigation, I found that the problem had to do with DCOM. Somehow they were able to use port 80 to control DCOM and cause my machine to reset.
I disabled DCOM, and I asked them to do whatever they did again, and it failed. So my question is, why is this vulnerability left unpatched? Why not deprecate DCOM altogether?
I learned that blocking port 135 does not mean you will be safe. These people are using other ports too.
What process is listening on port 80? If it's IIS, what do your logs show for the URL requested (if you have any logs)? -
PerfectPhase wrote:
What process is listening on port 80? If it's IIS, what do your logs show for the URL requested (if you have any logs)?
I visited a URL hosted on my friend's server, then the reset happened. All I know is that by disabling DCOM the exploit failed to kill my system. -
Are you using Windows Firewall? According to this Microsoft KB article, Windows Firewall won't work properly if the DCOM Service Process Launcher is disabled.
http://support.microsoft.com/kb/892504/ -
SecretSoftware wrote:
I visited a URL hosted on my friend's server, then the reset happened. All I know is that by disabling DCOM the exploit failed to kill my system.
What exactly happened?
Your explanation is so vague that no one knows what you are talking about. DCOM controlling port 80? What does that even mean?
How did you disable DCOM? Via the registry?
What is the URL to this friend's site?
Were you asked to install something from the site?
What browser are you using?
If using IE, what are your security settings?
What made you connect the event to DCOM?
// Yeah, deprecate DCOM, that is a great idea <sarcasm/>
-
JChung2006 wrote: Are you using Windows Firewall? According to this Microsoft KB article, Windows Firewall won't work properly if the DCOM Service Process Launcher is disabled.
http://support.microsoft.com/kb/892504/
No, I use a 3rd party firewall called Outpost Firewall Pro. I configured it properly, but given that any firewall will not monitor port 80 (browser), crackers are using it to get into your system and attack vulnerabilities in your system.
The good thing about Outpost Firewall is that you can write custom plugins for the firewall. I will write a packet blocker that looks for bad packet behavior and drops them.
It's amazing that you think your system is secure, but then you discover something like this and you recalculate all your defensive measures again.
Hmmm. what other exploits are not yet patched?
-
SecretSoftware wrote:
No, I use a 3rd party firewall called Outpost Firewall Pro. I configured it properly, but given that any firewall will not monitor port 80 (browser), crackers are using it to get into your system and attack vulnerabilities in your system.
The good thing about Outpost Firewall is that you can write custom plugins for the firewall. I will write a packet blocker that looks for bad packet behavior and drops them.
It's amazing that you think your system is secure, but then you discover something like this and you recalculate all your defensive measures again.
Hmmm. what other exploits are not yet patched?
Port 80 is the port that web servers listen on, not web clients.
Try --> netstat -an
What firewall doesn't let you configure port 80?
If you don't have a service listening on port 80 (like a web SERVER), then there is nothing to exploit.
Honestly, it sounds like you have a trojan already installed, that's the first thing that comes to my mind anyway.
run netstat -an, and post your results. -
phreaks wrote:
What exactly happened?
Your explanation is so vague that no one knows what you are talking about. DCOM controlling port 80? What does that even mean?
How did you disable DCOM? Via the registry?
What is the URL to this friend's site?
Were you asked to install something from the site?
What browser are you using?
If using IE, what are your security settings?
What made you connect the event to DCOM?
// Yeah, deprecate DCOM, that is a great idea <sarcasm/>
I am still investigating. Somehow, through the browser, DCOM was invoked and it reset my PC. This was reproducible when DCOM was not disabled: when it's enabled, it happens.
I did not disable it from the registry, but by removing the check box from DCOM in Computer Management/Component Services/My Computer properties (uncheck "Enable Distributed COM on this computer"). I was using IE7 (default out-of-the-box settings).
"Somehow" they were able to use port 80 to exploit my system and to use DCOM to cause it to power cycle. I am still looking into how that happened. -
SecretSoftware wrote:
I am still investigating. Somehow, through the browser, DCOM was invoked and it reset my PC. This was reproducible when DCOM was not disabled: when it's enabled, it happens.
I did not disable it from the registry, but by removing the check box from DCOM in Computer Management/Component Services/My Computer properties (uncheck "Enable Distributed COM on this computer"). I was using IE7 (default out-of-the-box settings).
"Somehow" they were able to use port 80 to exploit my system and to use DCOM to cause it to power cycle. I am still looking into how that happened.
What do you have running on port 80?
If you don't tell us, we can't help you.
From a cmd prompt, type: netstat -an and let us know what is listening on your port 80 -
phreaks wrote:
Port 80 is the port that web servers listen on, not web clients.
Try --> netstat -an
What firewall doesn't let you configure port 80?
If you don't have a service listening on port 80 (like a web SERVER), then there is nothing to exploit.
Honestly, it sounds like you have a trojan already installed, that's the first thing that comes to my mind anyway.
run netstat -an, and post your results.
I have a process listening on port 80. I do not wish to say what it does exactly, but I am sure it's secure. This trick they used to recycle my system, as my system log shows, had to do with DCOM. When I disabled DCOM and tried the same steps that resulted in that exploit, my system did not power cycle. Hence someone somewhere is able to "somehow" communicate with DCOM after contacting my PC through port 80 (normal browsing port).
Because this is the first time I have experienced this, I am still trying to learn how / what exactly they sent that would compromise running services in my system.
Maybe the website I visited had downloaded something into memory that would somehow do this? Not sure. -
SecretSoftware wrote:
I have a process listening on port 80. I do not wish to say what it does exactly, but I am sure it's secure.
If you're sure it was compromised via port 80, then obviously it's NOT secure.
SecretSoftware wrote:
This trick they used to recycle my system, as my system log shows, had to do with DCOM.
What exactly does your log say?
SecretSoftware wrote:
When I disabled DCOM and tried the same steps that resulted in that exploit, my system did not power cycle. Hence someone somewhere is able to "somehow" communicate with DCOM after contacting my PC through port 80 (normal browsing port).
For the umpteenth time, port 80 IS NOT 'a browsing' port. Your browser will connect TO port 80 (remotely) and listen on a random port.
So let's make sure I understand this.
1) You have some service listening on port 80, you won't disclose what that service is, but you are 'sure' it is secure.
2) Along with your service on port 80, you also are telling me that your web browser functions locally on this port as well. (which is not true)
The exploit may very well be using port 80, and may very well be using DCOM as the transport, but the vulnerability is with whatever your port 80 service is and not with DCOM itself.
So what do you have listening on port 80, either tell us or stop this nonsense.
And don't tell me that it's Internet Explorer listening on port 80 (or any other web client) because they don't work like that.
-
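As an added illustration of the point phreaks makes above (this is not code from the thread): the poster was repeatedly asked to run `netstat -an`. This Python reads such a listing (a constructed sample, since the real one was never posted) and separates the services the machine offers from connections its browser merely makes, so that a row with foreign port 80 is not mistaken for a local port 80 service. It also reports which of the ports discussed in the thread (80 and 135) are actually exposed.

```python
import re
from dataclasses import dataclass

# Constructed `netstat -an` sample from a Windows host; 192.168.1.10 stands in for the local machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1072      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1073      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:80        198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: str   # "*" on UDP wildcard rows
    state: str   # "" on UDP rows

def parse_netstat(text: str) -> list[Conn]:
    """Parse Windows `netstat -an` rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append(Conn(proto, laddr, int(lport), raddr, rport, state or ""))
    return rows

def classify(conns: list[Conn]) -> dict[str, list[Conn]]:
    """Separate services this host OFFERS from connections it merely MAKES. A browser
    shows up as ESTABLISHED with the *foreign* port 80 and an ephemeral local port."""
    served = {c.lport for c in conns if c.state == "LISTENING" or c.proto == "UDP"}
    out: dict[str, list[Conn]] = {"listeners": [], "inbound": [], "outbound": []}
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            out["listeners"].append(c)
        elif c.lport in served:       # remote peer connected to one of our services
            out["inbound"].append(c)
        else:                         # we dialled out (client side, e.g. IE)
            out["outbound"].append(c)
    return out

def exposed_ports(conns: list[Conn], watch=(80, 135)) -> list[int]:
    """Which of the ports under discussion are actually reachable on this host."""
    return sorted({c.lport for c in classify(conns)["listeners"] if c.lport in watch})
```

On the sample, the two rows with foreign port 80 are the browser's own outbound sessions, while the single inbound row and the LISTENING row show a real local web service on port 80, which is what the thread is asking the poster to identify.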
Here is a description of what happened:
Friend (Russia): Hi
Me (Here) : Hello.
Friend (Russia): Check this out @ URL
Me (Here) : Okay, one second.
Friend (Russia): Did you check?
Me (Here): Yes, it's a white page, nothing is there.
Friend (Russia): Okay wait.
Me (Here): Goes offline.
=================
Computer went offline (Just like Pressing Power Reset button)
=================
Goes online again.
----------------------
Me (Here) : Hi, what was that?
Friend (Russia): was that cool?
Me (Here): No it was not, my system rebooted :(
Friend (Russia): LOL.
=========
I checked the system log and found the last error was with DCOM.
Disabled DCOM.
------------------
Me (Here): Can you do it again.
Friend (Russia): OK, go to the URL
Me (Here): Done.
Friend (Russia): Did you do something?
Me (Here): Yes.
Friend (Russia) : LOL, okay.
etc...
So all I know is that DCOM was being used to reset my system. Now you know as much as I know. -
SecretSoftware wrote: Here is a description of what happened:
Well, what were you talking about port 80 for?
// Can you give us the URL? -
I do not wish to post the URL, because it's hosted on my friend's server. Secondly, I know how browsers work. On my system the browser uses local port 80 to connect to remote web servers.
This is the way it's done, for reasons I do not wish to discuss. But the problem is that DCOM has a problem that would power cycle a fully patched WinXP SP2. That is all I know. And my friend does not want to tell me what they did exactly.
So for now I disabled it, as I don't really use DCOM.
Thread Closed