...totally disregarding the fact that the requests turned up 404s, this most definitely is a violation of privacy, but then again you have to take into account that every time you make any outbound connection on the internet, and of course vice-versa, that's a privacy issue. if this was one of the first things the OS did after installation then i don't see much reason for concern. all that was posted was a guid, and not to mention it was a 404 so aside from your post showing up somewhere in a log it won't be used or even seen for that matter.

but it certainly can be a security issue. anything you don't have control over, or know about (you're lucky you caught this. it could have been worse) can potentially be used against you at some time. kinda makes me wonder how microsoft could hard-code something that isn't even there. but then again we're talking about microsoft. there's always room for plain ol' stupidity.

are you sure you didn't load up or happen to come across something using media player (say, clicking on a media file in explorer. there's that little doodad that shows up to the right of the listing that serves as a "preview")? anyways... you're safe and sound. your server is bound to save you millions or something like that. no worries. did you even have it hooked up to a network? don't bother answering btw.

----- Original Message -----
From: Gaurav Kumar
To: gyrniff
Cc: [EMAIL PROTECTED]
Sent: Monday, August 04, 2003 4:38 PM
Subject: Re: [Full-Disclosure] Microsoft win2003server phone home

1. Is this behavior normal for a windows server installation ?

i think that this behaviour is normal bcoz as u analyse that session u will get to know that server is trying to update something

2. Could this behavior be considered as a violation of privacy ?

this is surely a case of violation of privacy as it is not mentioned in agreement. go ahead, sue micro$oft.

3. Could it be considered as a security risk to let a newly installed server, request information from an arbitrary server that I have no control over ?

yes it's a security risk bcoz it is not even using pki to establish identity of the server.

Gaurav Kumar
Chief Information Security Analyst
E2 Labs Information Security Pvt. Ltd.
Hyderbad-34 AP India
Phone(s)- Mobile +91 40 31068650 Tele/Fax +91 40 23555942 (ext-24)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

----- Original Message -----
From: "gyrniff" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 3:27 PM
Subject: [Full-Disclosure] Microsoft win2003server phone home

> After acquiring and installing a copy of 'Windows Server 2003 Standard Edition
> 180-Day Evaluation' I walked through the 'role wizard', used the 'custom
> role config' and selected everything ;-)
> After reboot the server made two POST requests to microsoft controlled
> webservers without any notification. One request to activex.microsoft.com
> and one to codecs.microsoft.com, the data posted to the two servers was the
> same. (See the request and response below.)
>
> I can find no information in the license agreement about giving away
> 'information' behind my back.
>
> My question:
> 1. Is this behavior normal for a windows server installation ?
> 2. Could this behavior be considered as a violation of privacy ?
> 3. Could it be considered as a security risk to let a newly installed server,
> request information from an arbitrary server that I have no control over ?
>
> ****
>
> Posted data to activex.microsoft.com:
> POST /objects/ocget.dll HTTP/1.1
> Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
> application/octet-stream, application/x-setupscript, */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: da
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
> 1.1.4322)
> Host: activex.microsoft.com
> Content-Length: 44
> Connection: Keep-Alive
> Cache-Control: no-cache
>
> CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
>
> The reply:
> HTTP/1.1 404 Object Not Found
> Server: Microsoft-IIS/5.0
> Date: Sun, 03 Aug 2003 09:48:38 GMT
> Connection: close
> Content-Type: text/html
> Content-Length: 102
>
> <html><head><title>Error</title></head><body>The system cannot find the file
> specified. </body></html>
>
> ***
>
> Posted data to codecs.microsoft.com
> POST /isapi/ocget.dll HTTP/1.1
> Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
> application/octet-stream, application/x-setupscript, */*
> Content-Type: application/x-www-form-urlencoded
> Accept-Language: da
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
> 1.1.4322)
> Host: codecs.microsoft.com
> Content-Length: 44
> Connection: Keep-Alive
> Cache-Control: no-cache
>
> CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}
>
> And the reply:
> HTTP/1.1 404 Not Found
> Connection: close
> Date: Sun, 03 Aug 2003 09:47:54 GMT
> Server: Microsoft-IIS/6.0
> P3P: policyref="http://www.microsoft.com/w3c/p3p.xml" CP="ALL IND DSP COR ADM
> CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE
> PUR UNI"
> X-Powered-By: ASP.NET
>
>
> /Gyrniff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
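
The request captured in the original post can be audited mechanically. The following is an added example, not part of the thread and not Microsoft's code: it parses one raw HTTP request and reports the destination, the form fields disclosed, and whether the Accept header asks for installable content. The function name `audit_request`, the `approved_hosts` parameter and the abridged capture are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Request from the original post, abridged to the headers the check uses.
CAPTURED = (
    "POST /objects/ocget.dll HTTP/1.1\r\n"
    "Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, "
    "application/octet-stream, application/x-setupscript, */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: activex.microsoft.com\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "CLSID={FC7D9E02-3F9E-11D3-93C0-00C04F72DAF7}"
)

# Accept values that mean "send me something installable".
CODE_TYPES = {"application/x-cabinet-win32-x86", "application/x-pe-win32-x86",
              "application/x-setupscript"}
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def audit_request(raw, approved_hosts=frozenset()):
    """Parse one raw HTTP request and report what it discloses and asks for."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    accept = {t.split(";")[0].strip() for t in headers.get("accept", "").split(",")}
    form = parse_qs(body, keep_blank_values=True)
    clsid = form.get("CLSID", [None])[0]
    host = headers.get("host", "")
    return {
        "host": host,
        "method": method,
        "path": path,
        "clsid": clsid if clsid and GUID.match(clsid) else None,
        "disclosed_fields": sorted(form),          # everything sent in the body
        "requests_code": sorted(accept & CODE_TYPES),
        "length_ok": headers.get("content-length") == str(len(body.encode())),
        "approved_destination": host.lower() in approved_hosts,
    }

if __name__ == "__main__":
    for key, value in audit_request(CAPTURED).items():
        print(f"{key}: {value}")
```

Run over a proxy or packet capture of a fresh install, a result with a non-empty `requests_code` and `approved_destination` set to false marks an outbound request for installable content to a host the administrator has not approved.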