PaulDotCom mailing list archives
WPAD and MS09-008
From: gbugbear at gmail.com (Tim Mugherini)
Date: Wed, 18 Mar 2009 14:39:52 -0400
Heard you guys mention this patch last week. The Sec Research and Defense Blog on Technet has a pretty good write-up on the patch here: http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx

Here's an excerpt:

DNS Server Vulnerability in WPAD Registration

CVE-2009-0093 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093) describes an issue with how the Web Proxy Auto-Discovery, or WPAD, and the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP, can be abused by an attacker. This is typically a local domain attack where there is a degree of trust between the domain members. The Windows DNS server can allow clients to register their own hostname in the DNS server using dynamic updates. In the most common scenario, this takes place using secure dynamic updates, where a client authenticated against the domain can update its own name on the DNS server. If the WPAD or ISATAP names have not yet been registered, a domain-authenticated user could register his own machine as either of these two names.

The reason why ISATAP and WPAD are so interesting for an attacker to register is because they are default names a client will resolve to obtain specific functionality. In the case of WPAD, the name tells the host where to connect for proxy configuration information. In the case of ISATAP, it points to a tunneling server that connects IPv6 hosts over IPv4 networks. WPAD in particular is common enterprise functionality, and as such Microsoft needs to be very careful when releasing a security update to ensure that we both protect our customers, and do not break the functionality they have come to rely upon. The security update we released helps protect customers by implementing a block list on the DNS server, containing a list of names which the DNS server will no longer resolve.
This list is implemented as the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

If the WPAD and ISATAP names are not registered on the DNS server when the security update is installed, this block list is populated with both names. When a client issues a query for one of those names the DNS server will return a negative response, even if an attacker registers it.

...

One concern that was raised by a security researcher is that an attacker may have introduced a malicious WPAD entry through a dynamic DNS update. When you install the security update after such an attack has taken place, the WPAD name will not be added to the block list, and the attack will continue to be effective.

Of course disallowing client updates to DNS or just registering the entries would solve the issue, but what about laptops leaving the building and connecting to other networks? Simple, right? Just turn off "Automatically Detect Settings" in the browser, right? Not that simple.
GPO support for this does not work, and after some searching I was able to find the reg key as follows:

Setting in IE turned off:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    ; ninth hex value (offset 8) is 01 when auto-detect is off
    "DefaultConnectionSettings"=hex:46,00,00,00,0a,00,00,00,01,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,90,d3,b4,d2,2e,a7,c9,01,\
      01,00,00,00,c0,a8,0a,8c,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,c0,\
      a8,11,32,00,00,00,00,00,00,00,00,96,c9,23,aa,30,b2,59,16,00,00,00,00,02,00,\
      00,00,00,00,00,00,70,0d,00,00,c8,08,00,00,04,00,00,00,ef,83,0d,00,ef,83,0d,\
      00,00,00,00,00,48,00,00,00,50,00,00,00,48,02,00,00,00,00,00,00,01,00,02,00,\
      10,00,00,00,02,00,01,00,09,00,00,00,03,84,0d,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,53,00,74,00,61,00,74,00,65,00,73,00,29,00,00,00

Setting in IE turned on:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    ; ninth hex value (offset 8) is 09 when auto-detect is on
    "DefaultConnectionSettings"=hex:46,00,00,00,0a,00,00,00,09,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,90,d3,b4,d2,2e,a7,c9,01,\
      01,00,00,00,c0,a8,0a,8c,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,c0,\
      a8,11,32,00,00,00,00,00,00,00,00,96,c9,23,aa,30,b2,59,16,00,00,00,00,02,00,\
      00,00,00,00,00,00,70,0d,00,00,c8,08,00,00,04,00,00,00,ef,83,0d,00,ef,83,0d,\
      00,00,00,00,00,48,00,00,00,50,00,00,00,48,02,00,00,00,00,00,00,01,00,02,00,\
      10,00,00,00,02,00,01,00,09,00,00,00,03,84,0d,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,53,00,74,00,61,00,74,00,65,00,73,00,29,00,00,00

So the ninth hex value is where it is at. If you delete this value then IE will recreate it with the default setting (in most cases this would be off, but I am questioning if this may be turned on if the default user has it turned on) - still need to test.

Any additional info would be very welcome. Enjoy!
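An added PowerShell example (not part of the original post, and not Microsoft tooling) that turns the two checks discussed in this thread into functions: on a DNS server, whether GlobalQueryBlockList actually holds wpad and isatap (the post's point is that a name registered before MS09-008 was installed will be missing from it), and on a client, whether "Automatically detect settings" is on, read from the ninth byte of DefaultConnectionSettings. The registry paths and value names are the ones quoted above; the assumption that the auto-detect flag is bit 0x08 of that byte is drawn from the post's 01 (off) versus 09 (on) samples, and the function and variable names are mine.

```powershell
# Added audit script for the two registry locations discussed in the thread.
# Assumption: in DefaultConnectionSettings, bit 0x08 of byte 8 (the ninth
# byte) is the "Automatically detect settings" flag (post shows 01 off, 09 on).

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$IeConnKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$IeValue   = 'DefaultConnectionSettings'

function Test-WpadBlockList {
    # Run on the DNS server itself. Reports which of the two names the
    # post cares about are absent from the block list, i.e. the gap that
    # remains if a name was already registered when the patch went on.
    $p = Get-ItemProperty -Path $DnsParams -ErrorAction Stop
    $enabled = $p.EnableGlobalQueryBlockList      # DWORD; treated as on when absent
    if ($enabled -eq 0) { Write-Warning 'GlobalQueryBlockList is disabled on this server' }
    $names   = @($p.GlobalQueryBlockList)         # REG_MULTI_SZ
    $missing = @('wpad', 'isatap') | Where-Object { $names -notcontains $_ }
    [pscustomobject]@{
        Enabled = ($enabled -ne 0)
        Names   = $names
        Missing = $missing
    }
}

function Get-IeAutoDetect {
    # $true  = auto-detect on, $false = off,
    # $null  = value not present (IE will recreate it with its default).
    $blob = (Get-ItemProperty -Path $IeConnKey -Name $IeValue -ErrorAction SilentlyContinue).$IeValue
    if (-not $blob -or $blob.Length -lt 9) { return $null }
    return [bool]($blob[8] -band 0x08)
}

function Disable-IeAutoDetect {
    # Clears only the assumed auto-detect bit and writes the blob back
    # unchanged otherwise. Returns $true if a change was made.
    $blob = [byte[]](Get-ItemProperty -Path $IeConnKey -Name $IeValue -ErrorAction Stop).$IeValue
    if (-not ($blob[8] -band 0x08)) { return $false }
    $blob[8] = $blob[8] -band (-bnot 0x08)
    Set-ItemProperty -Path $IeConnKey -Name $IeValue -Value $blob -Type Binary
    return $true
}

# Usage (each on the host it applies to):
#   Test-WpadBlockList | Format-List
#   Get-IeAutoDetect
#   Disable-IeAutoDetect   # then restart IE so it re-reads the connection settings
```

The client functions read HKCU, so they answer the question for the current user only; the post's open question about what a new profile inherits would need the same byte checked in the default user profile's hive. On the server side, `dnscmd /info /globalqueryblocklist` shows the same list without touching the registry directly, and `dnscmd /config /globalqueryblocklist wpad isatap` sets it explicitly, which is the straightforward fix when Test-WpadBlockList reports a missing name.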