Sunday, November 26, 2006

Test your PC for DCOM vulnerability.

This is a tool that has been around for a while, but I am not sure how many of you have heard about it or tested your machine for the DCOM vulnerability.

DCOM, or Distributed Component Object Model, is a technology that allows system and application components to interoperate over a network. Applications like Paintbrush, WordPad etc. are all DCOM-ready, which means they are ready to be operated across the network or the public internet. This means that if DCOM is up and running on your system, there are applications on your system that can be taken over by malicious people, or that are an open door to worms.

This was an oversight by Microsoft. It was actually introduced with the idea of having COM distributed across the network so that people could work on components remotely, but this turned out to be a back door for attacks. Microsoft later patched it, but there are still reports that the patches sometimes do not work. Apart from the patches not working for everyone, some people using older versions of Windows could still be prone to the DCOM vulnerability.

GRC's DCOMbobulator is the ideal tool for checking your machine for the DCOM vulnerability and for shutting DCOM down, since its only use is for misuse. Let us have a look at the various aspects in simple terms:-

On the DCOMbobulator you will find three tabs on top, viz.:- "DCOMbobulator?", "Am I Vulnerable" and "DCOMbobulate Me". The "DCOMbobulator?" tab can be used if you want information on DCOM and on what the DCOMbobulator tool does.

The "Am I Vulnerable" tab is the one to use to find out whether your machine is still vulnerable to DCOM.

Click on the "Local DCOM Test" button; if your machine is vulnerable it will show "DCOM is available and vulnerable", and if this shows even after the machine has been patched it means the patch hasn't been effective. The "Local DCOM Test" button under this tab will be disabled if your machine has the right service pack, or a version that has already taken care of the vulnerability.

Under this tab you will also see the "Remote Port 135 Test" button. This tests whether your port 135 is open or not. Even if the tool says that DCOM is safely disabled on this system, or "not vulnerable", you should use this button to find out whether port 135 is open. This will launch your browser and take you to the site that tests the port's status.

If it is open, that is not good. It is not advised to leave this port open. If you have a firewall and the test still says your port is open, you need to close this port. With a good firewall the port will be stealthed and the test will show a stealth status.

Also, if the port is still open even after DCOM is shut down, it simply means that other programs, such as Task Manager, are using this port. As long as an application like Task Manager is running, this port will be used by it. So if you want to leave such applications running, use a good firewall to close the port against intrusion. A good firewall will always have the ports stealthed rather than just displaying a "closed" status.

Ok, now let us look at the "DCOMbobulate Me" tab. Under this tab you will find two buttons, "DISABLE DCOM" and "ENABLE DCOM".

This means that even if DCOM is patched, the component might still be running. DCOM does not need to be running unless you are using it for the purpose of doing something with COM components across the network. Otherwise it serves no purpose running and should be shut down, so use the "Disable DCOM" button and shut it down.
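If you would rather check the same things from the command line than trust a downloaded tool, the following PowerShell audit (added here; it is not part of the original post or of GRC's DCOMbobulator) reads the system-wide EnableDCOM registry switch and lists what is listening on TCP 135 locally, which is what the "Local DCOM Test" and "Remote Port 135 Test" buttons look at. It assumes a Windows 8 / Server 2012 or later host (for Get-NetTCPConnection and Get-NetFirewallProfile) and an elevated prompt; it only reports and changes nothing.

```powershell
# Added audit script, not from the original post or from GRC's tool.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.

function Get-DcomExposure {
    # HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM is the system-wide DCOM switch:
    # REG_SZ 'Y' (the default) or 'N'. A missing value behaves as enabled.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $dcomEnabled = ($null -eq $ole.EnableDCOM) -or ($ole.EnableDCOM -eq 'Y')

    # TCP 135 is the RPC endpoint mapper; show every local listener and its owner,
    # so "port still open after DCOM is disabled" can be traced to a process.
    $listeners = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Address = $_.LocalAddress
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
            }
        }

    # A disabled firewall profile leaves a listening port 135 reachable from the network.
    $firewallOff = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        DcomEnabled         = $dcomEnabled
        Port135Listeners    = $listeners
        FirewallProfilesOff = $firewallOff
    }
}

$result = Get-DcomExposure
$result | Format-List

if ($result.DcomEnabled) {
    Write-Warning 'DCOM is enabled system-wide (EnableDCOM is not N).'
}
if ($result.Port135Listeners) {
    Write-Warning 'TCP 135 has a local listener; confirm it is blocked from the network by your firewall.'
}
if ($result.FirewallProfilesOff) {
    Write-Warning "Firewall is off for profile(s): $($result.FirewallProfilesOff -join ', ')"
}
```

A local listener on 135 is normal on Windows (the RPC endpoint mapper), so the finding that matters is a listener combined with a firewall profile that is off, which is the case the "Remote Port 135 Test" is meant to catch from the outside.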

You can download DCOMbobulator here.

Also, UDP port 135 is used by the Windows Messenger service, which allows for spam and is a security risk. To close it down you can try the Shoot The Messenger tool.