Here is an interesting security issue with COM+ proxies. It is a big one in terms of the exposure and impact it has on the application. My customer was facing this issue where the generated COM+ proxies contained all of the source code of the Enterprise Services component. huh.....


Here is the scenario we investigated:

 

Background:
Enterprise Services proxies (.NET Framework 2.0, Windows Server 2003 32-bit) are generated via the Component Services MMC on the application tier by using the Export Wizard, and the resulting proxies are deployed on the web tier.

 

Issue / Security Concern:

The deployed proxies contain all the source code of the original Enterprise Services component. Is this normal? Think about this... hmmmm.

Shouldn't the generated proxies contain just enough information to marshal the COM+ (DCOM) calls back and forth to the application tier where the COM+ applications reside?

Tools like Reflector can be used to recover the entire source code from those proxy assemblies.

In our specific case, the COM+ proxies are deployed for use on a public ASP.NET 2.0 / IIS 6.0 web server. You may well protect your COM+ applications behind the firewall; however, if the public web server is compromised, in theory all of the COM+ source code could be exposed. This includes all of the application security code in place in the COM+ applications. huh.... if the bad guy compromises the web server, he can now use Reflector-like tools to view the entire source code, which should ideally exist only on the application tier. With that knowledge he can even write his own code to talk to the application tier. This problem becomes critical where COM+ components are configured to be called by anonymous users.

 

Definitely, the idea of having to deploy all of the source code on the public web server does not seem good from a security perspective.

 

What was wrong?

A simple mistake, but its impact was huge... the developers were not separating the interface definitions from the class implementations. If you do this, the generated proxies will be pure and compact: they carry only the interface definitions needed for marshaling, and none of the server implementation.
 

More information on this from MSDN: http://msdn2.microsoft.com/en-gb/library/ms679498.aspx

 

“It is recommended that you separate the interface definitions from the class implementations. Otherwise, the set of DLLs or type libraries included in the COM+ application proxy will include actual server code.”
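What that separation looks like in practice, as an added example that is not code from the original post or from the customer's application: the interfaces live in their own assembly, the ServicedComponent implementation in another, and only the contracts assembly has any reason to reach the web tier. Names, ProgID and GUIDs are hypothetical placeholders.

```csharp
// File: Contracts/IOrderService.cs  (Contracts.dll - interface-only assembly)
// This is the only managed code the web tier needs; it holds no business logic.
namespace Contoso.Orders.Contracts
{
    using System;
    using System.Runtime.InteropServices;

    [ComVisible(true)]
    [Guid("3F2B1D4C-0000-4000-8000-000000000001")]   // placeholder IID, keep it stable
    [InterfaceType(ComInterfaceType.InterfaceIsDual)]
    public interface IOrderService
    {
        decimal GetOrderTotal(int orderId);
    }
}

// File: Server/OrderService.cs  (OrdersServer.dll - stays on the application tier)
using System.EnterpriseServices;

[assembly: ApplicationName("Contoso Orders")]
[assembly: ApplicationActivation(ActivationOption.Server)]

namespace Contoso.Orders.Server
{
    using System;
    using System.Runtime.InteropServices;
    using Contoso.Orders.Contracts;

    [ComVisible(true)]
    [Guid("3F2B1D4C-0000-4000-8000-000000000002")]   // placeholder CLSID
    [ProgId("Contoso.Orders.OrderService")]
    [ClassInterface(ClassInterfaceType.None)]          // expose IOrderService only, no class interface
    public class OrderService : ServicedComponent, IOrderService
    {
        public decimal GetOrderTotal(int orderId)
        {
            // Business logic and role/security checks live here and never ship in the proxy.
            return 42.00m;
        }
    }
}

// File: Web/OrderClient.cs  (runs on the web tier against the exported application proxy)
// The proxy registers the ProgID/CLSID to point at the remote COM+ application, so the
// client activates by ProgID and talks through the interface it references from Contracts.dll.
public static class OrderClient
{
    public static decimal Total(int orderId)
    {
        var type = System.Type.GetTypeFromProgID("Contoso.Orders.OrderService");
        var svc = (Contoso.Orders.Contracts.IOrderService)System.Activator.CreateInstance(type);
        return svc.GetOrderTotal(orderId);
    }
}
```

After exporting the application proxy, open the assemblies in the proxy package with ildasm or Reflector and confirm that only the interface types are present; if a type deriving from ServicedComponent shows up there, the implementation has leaked into the proxy again.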


Cheers & keep it secure