From: James (njan) Eaton-Lee (james.mailinggmail.com)
Date: Tue Mar 27 2007 - 09:00:36 CDT
George Ou wrote:
> I'm waiting for MS clarification if said surreptitious activity is a new
> vulnerability or purely hypothetical.
It's definitely exploitable; it just relies upon the environment being
configured in a particular way.
In a well set-up Windows infrastructure, DNS will be configured to
require Secure Dynamic Updates, i.e. authenticated updates a la RFC2845.
This means you shouldn't be able to just craft a DNS update using scapy
(or whatever else you'd normally use) to create a WPAD record in the
forward lookup zone from $randomclient. If you're able to authenticate
to the DNS Server, however, you can create whatever records you like,
and ANY domain client can do this.
Case in point: in a best-practice Win2003 AD environment, I've just done
+ Renamed a Vista client to "WPAD" (this requires local admin on the box)
+ Joined it to the domain (in most domains, any domain user can do this
up to 10 times)
At this point, the machine's registered itself via Secure Dynamic
Updates in DNS, and lo and behold...
Now, if I enable automatic proxy detection in IE on a domain client, and
close/reopen IE, I get the following, dumped via ethereal:
GET /wpad.dat HTTP/1.1
HTTP/1.1 404 Not Found
Date: Tue, 27 Mar 2007 13:48:47 GMT
(rest of the IIS7 404 page snipped).
I didn't bother configuring a wpad.dat on the Vista system. (Hey, I'm lazy.)
As soon as I enabled DHCP Option 252 (the WPAD option), this stopped
happening. (Actually, I forgot to do this first, and it wouldn't work; I
had to disable the scope option temporarily and re-acquire my DHCP lease).
So yes, it definitely works, and it's not hypothetical. Vulnerability,
or mis-configuration? Up to you.
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
"The universe is run by the complex interweaving of three
elements: Energy, matter, and enlightened self-interest." - G'Kar
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
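Added example (not from James's post or the list): a defender-side audit of a forward lookup zone for client-registrable auto-discovery names such as WPAD, plus the list of names a proxy-detecting client would try when it walks up its DNS suffix. The zone text is constructed, and the suffix-walking behaviour (wpad.<each parent domain>, stopping above the TLD) is an assumption about the client, not something the post states.

```python
# Constructed sample of a forward lookup zone, in the "name TTL class type data"
# shape a zone dump produces (every value here is made up for this example).
SAMPLE_ZONE = """
@           3600 IN SOA   dc1.corp.example.com. hostmaster.corp.example.com. 42 900 600 86400 3600
dc1         1200 IN A     10.0.0.10
fileserver  1200 IN A     10.0.0.20
wpad        1200 IN A     10.0.0.77
WPAD.sales  1200 IN A     10.0.0.78
proxy       1200 IN A     10.0.0.5
www         1200 IN CNAME fileserver
"""

# Names clients locate automatically; a domain-joined host should never be
# able to register them via dynamic update.
RESERVED = ("wpad", "isatap")


def wpad_candidates(client_fqdn):
    """Names a client is assumed to try for proxy auto-discovery, walking up
    its own suffix: wpad.<parent>, wpad.<grandparent>, ... but not wpad.<tld>."""
    labels = client_fqdn.rstrip(".").lower().split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def parse_zone(text, zone):
    """Turn zone-dump lines into (fqdn, type, data) tuples; '@' is the apex."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:          # skip blanks and malformed lines
            continue
        name, rtype, data = parts[0], parts[3], " ".join(parts[4:])
        fqdn = zone if name == "@" else "%s.%s" % (name, zone)
        records.append((fqdn.lower(), rtype.upper(), data))
    return records


def find_reserved_registrations(records):
    """Flag address/alias records whose leftmost label is a reserved name."""
    return [r for r in records
            if r[1] in ("A", "AAAA", "CNAME") and r[0].split(".")[0] in RESERVED]


def records_reachable_by(client_fqdn, records):
    """Subset of records a given client would pick up during its suffix walk."""
    names = set(wpad_candidates(client_fqdn))
    return [r for r in records if r[0] in names]
```

Run against a real zone dump, anything returned by find_reserved_registrations is a record to investigate and remove, and records_reachable_by shows which clients it would affect.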
Dailydave mailing list