PaulDotCom mailing list archives

WPAD and MS09-008


From: gbugbear at gmail.com (Tim Mugherini)
Date: Wed, 18 Mar 2009 14:39:52 -0400

Heard you guys mention this patch last week.

The Sec Research and Defense Blog on Technet has a pretty good write-up on
the patch here:

http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx

Here's an excerpt:

*DNS Server Vulnerability in WPAD Registration*

*CVE-2009-0093* <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093>
describes an issue with how the *Web Proxy Auto-Discovery*, or WPAD, and
the *Intra-Site Automatic Tunnel Addressing Protocol*, or ISATAP, can be
abused by an attacker.

This is typically a local domain attack where there is a degree of trust
between the domain members. The Windows DNS server can allow clients to
register their own hostname in the DNS server using dynamic updates. In the
most common scenario, this takes place using *secure dynamic updates*, where
a client authenticated against the domain can update its own name on the DNS
server. If the WPAD or ISATAP names have not yet been registered, a
domain-authenticated user could register his own machine as either of these
two names.

The reason ISATAP and WPAD are so interesting for an attacker to
register is that they are default names a client will resolve to obtain
specific functionality. In the case of WPAD, the name tells the host where
to connect for proxy configuration information. In the case of ISATAP, it
points to a tunneling server that connects IPv6 hosts over IPv4 networks.

WPAD in particular is common enterprise functionality, and as such Microsoft
needs to be very careful when releasing a security update to ensure that we
both protect our customers, and do not break the functionality they have
come to rely upon.

The security update we released helps protect customers by implementing a
block list on the DNS server, containing a list of names which the DNS
server will no longer resolve. This list is implemented as the following
registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

If the WPAD and ISATAP names are not registered on the DNS server when the
security update is installed, this block list is populated with both names.
When a client issues a query for one of those names, the DNS server will
return a negative response, even if an attacker registers it.
...

One concern that was raised by a security researcher is that an attacker may
have introduced a malicious WPAD entry through a dynamic DNS update. When
you install the security update after such an attack has taken place, the
WPAD name will not be added to the block list, and the attack will continue
to be effective.


Of course, disallowing client updates to DNS or just registering the entries
would solve the issue, but what about laptops leaving the building and
connecting to other networks?

Simple, right? Just turn off "Automatically Detect Settings" in the browser,
right? Not that simple. GPO support for this does not work, and after some
searching I was able to find the reg key as follows:

Setting in IE turned off:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,0a,00,00,00,*01*,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,90,d3,b4,d2,2e,a7,c9,01,\
  01,00,00,00,c0,a8,0a,8c,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,c0,\
  a8,11,32,00,00,00,00,00,00,00,00,96,c9,23,aa,30,b2,59,16,00,00,00,00,02,00,\
  00,00,00,00,00,00,70,0d,00,00,c8,08,00,00,04,00,00,00,ef,83,0d,00,ef,83,0d,\
  00,00,00,00,00,48,00,00,00,50,00,00,00,48,02,00,00,00,00,00,00,01,00,02,00,\
  10,00,00,00,02,00,01,00,09,00,00,00,03,84,0d,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,53,00,74,00,61,00,74,00,65,00,73,00,29,00,00,00



Setting in IE turned on:

"DefaultConnectionSettings"=hex:46,00,00,00,0a,00,00,00,*09*,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,90,d3,b4,d2,2e,a7,c9,01,\
  01,00,00,00,c0,a8,0a,8c,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,c0,\
  a8,11,32,00,00,00,00,00,00,00,00,96,c9,23,aa,30,b2,59,16,00,00,00,00,02,00,\
  00,00,00,00,00,00,70,0d,00,00,c8,08,00,00,04,00,00,00,ef,83,0d,00,ef,83,0d,\
  00,00,00,00,00,48,00,00,00,50,00,00,00,48,02,00,00,00,00,00,00,01,00,02,00,\
  10,00,00,00,02,00,01,00,09,00,00,00,03,84,0d,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,53,00,74,00,61,00,74,00,65,00,73,00,29,00,00,00



So the ninth hex value is where it is at. If you delete this value, IE
will recreate it with the default setting (in most cases this would be off, but I
am questioning whether this may be turned on if the default user has it turned on) -
still need to test.


Any additional info would be very welcome.


Enjoy!
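As an added example that is not part of the post or the SRD article, the PowerShell below audits both settings discussed above: the server-side GlobalQueryBlockList (reporting each name separately, since the article notes a name already registered at patch time is left off the list) and the client-side "Automatically Detect Settings" bit in DefaultConnectionSettings. It assumes the HKLM:/HKCU: registry drives and that the auto-detect flag is bit 0x08 of the ninth byte, inferred from the 01/09 difference between the two exports.

```powershell
# Added example, not code from the post or the SRD article.
# Assumption: in DefaultConnectionSettings, byte index 8 (the "ninth hex value")
# is a bit field and 0x08 is "Automatically Detect Settings" (01 = off, 09 = on).

# --- DNS server: confirm the MS09-008 block list covers wpad and isatap ---
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsGlobalQueryBlockList {
    (Get-ItemProperty -Path $DnsParams -Name GlobalQueryBlockList `
        -ErrorAction SilentlyContinue).GlobalQueryBlockList
}

function Test-DnsGlobalQueryBlockList {
    $list = @(Get-DnsGlobalQueryBlockList)
    foreach ($name in 'wpad', 'isatap') {
        # Report each name on its own: a name that already had a (possibly
        # attacker-created) dynamic record at install time is not auto-added.
        [pscustomobject]@{ Name = $name; Blocked = ($list -contains $name) }
    }
}

function Add-DnsGlobalQueryBlockList {
    # REG_MULTI_SZ; merge with existing entries. Remove any stale dynamic
    # record for the name as well. Takes effect once the DNS Server service restarts.
    $merged = @(Get-DnsGlobalQueryBlockList | Where-Object { $_ }) + @('wpad', 'isatap') |
        Select-Object -Unique
    Set-ItemProperty -Path $DnsParams -Name GlobalQueryBlockList -Value ([string[]]$merged) -Type MultiString
}

# --- Client: the auto-detect bit in the per-user connection settings blob ---
$ConnKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$AutoDetectBit = 0x08

function Get-IEAutoDetect {
    $blob = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings).DefaultConnectionSettings
    [bool]($blob[8] -band $AutoDetectBit)
}

function Disable-IEAutoDetect {
    $blob = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings).DefaultConnectionSettings
    if (-not ($blob[8] -band $AutoDetectBit)) { return }               # already off
    $blob[8] = [byte]($blob[8] -band (-bnot $AutoDetectBit))           # clear only this bit
    Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $blob -Type Binary
}

if (Test-Path $DnsParams) { Test-DnsGlobalQueryBlockList | Format-Table -AutoSize }
"IE auto-detect enabled for this user: $(Get-IEAutoDetect)"
```

Run the server functions on the DNS server as an administrator and the client functions in the context of the user whose IE settings are being checked.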