Full Disclosure mailing list archives

Re: Possibly a stupid question RPC over HTTP
From: "Byron L. Sonne" <blsonne () rogers com>
Date: Wed, 13 Oct 2004 19:45:43 -0400

The doc (http://support.microsoft.com/?id=833401) lists the salient points:

1. Verify that your server computer and your client computer meet the requirements to use RPC over HTTP.
2. Consider important items and recommendations that are described in this article.
3. Configure Exchange to use RPC over HTTP.
4. Configure the RPC virtual directory in Internet Information Services.
5. Configure the RPC proxy server to use specific ports.
6. Configure your client computers to use RPC over HTTP.

And this glorious tidbit:

"The RPC client establishes the Internet connection by tunneling the RPC traffic through the HTTP protocol. Typical RPC communication is not designed for use on the Internet. RPC communication does not work reliably through a firewall that is on the perimeter network. RPC over HTTP helps make it possible to use an RPC client with firewalls that are on the perimeter network. If the RPC client can make an HTTP connection to a remote computer that is running Microsoft Internet Information Services (IIS), that RPC client can connect to any server on the remote network."

This doesn't sound like XML-RPC to me, it sounds like, too literally, someone figured that, in theory, encryption and entity/service identification of whatever sort can be performed reliably and quickly; perfectly so in fact!

So, what you effectively have is a medium/technique/? of communication that is easy to deal with and known fairly well by a fair number of people (http), already cross platform and architecture independent (http and its text basis, and heck that XDR layer that hangs out with RPC), seems to take hacks well (whatever session management and auth stuff you can cram on either), plays nice with most firewalling, and sheeeeeeit, golly gee let's try and do oldschool RPC, DCOM, DCE-RPC (or whatever it is, can't remember exactly at the moment) and see if it'll quack! It's easier than doing it the right way (notice that I have not suggested one, that's my right as a con-MS bigot ;) and it's here now! Not that I wouldn't giggle at MS binary protocols, encryption intrinsic, designed explicitly for people's emails getting shuffled over the internet, and I think even they know how well that would go over.

Problem is a medium like that doesn't exist, and the world doesn't correspond 1:1 with computer science theory.

In any case, I gotta grab a cold Orangina and ponder whether I misappropriated copywritten content in this email. Feh.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
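
The quoted Microsoft text says an RPC client that can reach IIS "can connect to any server on the remote network", and step 5 of the list restricts the RPC proxy to specific ports. As an added example (not from the post or the Microsoft article), this Python code audits IIS W3C log lines for RPC proxy requests whose back-end target falls outside such an allowlist. Assumptions: the log field layout, host names, addresses and allowlist string are constructed samples, and the allowlist uses the `host:port;host:low-high` entry form of the RPC proxy's ValidPorts setting.

```python
# Added example: flag RPC-over-HTTP proxy requests whose target server:port
# is not covered by a ValidPorts-style allowlist. All sample data is constructed.
RPC_VERBS = {"RPC_IN_DATA", "RPC_OUT_DATA"}  # HTTP verbs used by RPC over HTTP

def parse_valid_ports(spec):
    """Parse 'host:6001-6002;host:6004' into {host: [(low, high), ...]}."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        host, _, ports = entry.rpartition(":")
        low, _, high = ports.partition("-")
        allowed.setdefault(host.lower(), []).append((int(low), int(high or low)))
    return allowed

def is_allowed(allowed, target):
    """True if 'host:port' falls inside an allowed range for that host."""
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        return False  # malformed or missing target counts as out of policy
    return any(lo <= int(port) <= hi for lo, hi in allowed.get(host.lower(), []))

def audit(log_lines, allowed):
    """Return (client_ip, method, target, status) for out-of-policy requests."""
    fields, findings = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") not in RPC_VERBS or not stem.endswith("/rpcproxy.dll"):
            continue  # not an RPC proxy request
        target = rec.get("cs-uri-query", "-")
        if not is_allowed(allowed, target):
            findings.append((rec.get("c-ip"), rec["cs-method"], target, rec.get("sc-status")))
    return findings

VALID_PORTS = "exch01:6001-6002;exch01:6004"  # constructed allowlist
SAMPLE_LOG = [  # constructed W3C extended log lines
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-10-13 19:40:01 203.0.113.7 RPC_IN_DATA /rpc/rpcproxy.dll exch01:6001 200",
    "2004-10-13 19:40:01 203.0.113.7 RPC_OUT_DATA /rpc/rpcproxy.dll exch01:6004 200",
    "2004-10-13 19:41:12 198.51.100.9 RPC_IN_DATA /rpc/rpcproxy.dll files02:135 503",
    "2004-10-13 19:41:30 198.51.100.9 GET /exchange/ - 401",
    "2004-10-13 19:42:02 198.51.100.9 RPC_OUT_DATA /rpc/rpcproxy.dll exch01:445 503",
]

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG, parse_valid_ports(VALID_PORTS)), sep="\n")
```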
