Vulnerability Development mailing list archives
Re: [Fwd: 22 *potential* Windows 2000 holes]
From: "Timothy J. Miller" <cerebus () SACKHEADS ORG>
Date: Fri, 18 Aug 2000 10:04:28 -0500
Blue Boar <BlueBoar () THIEVCO COM> writes:
> 8. The more it's automated, the easier it is to break! DNS Dynamic update protocol. Updates DNS servers automatically so resource records can be updated w/o administrator intervention. Could there be a possible buffer overflow to write in your IP address? Or, grab an IP on the network using DHCP. Is DHCP still used? Secure updates are only available when Active Directory is installed. W2K Professional doesn't come with Active Directory. Otherwise, the zone and the resource records can be modified by users w/o authorization. This means ALL W2K Professional machines.
From memory, but I'm pretty confident about it--
DHCP is still used. Win2K DHCP will support just about everyone. If the DNS server is on a Win2K box, *and* it's AD-integrated, the administrator can force DDNS updating to use Kerberos authentication. In cases where the clients may not be capable of this (i.e., any LAN where Win95/98/NT clients are in use) the DHCP server can be configured to register the client addresses on the client's behalf. And since the DHCP server is a domain member server, it can authenticate...

Side note-- MS made a lot of hay about how Win2K is perfectly happy registering to bind (v 8.2.1 or later). However, *you* won't be perfectly happy. While DDNS registration works like a champ, bind 8 only gives you IP address authentication for DDNS updates. Since MS hasn't decided yet whether to support X.509 DDNS authentication and I don't know of a version of bind that supports Kerberos, it is perfectly possible to spoof your way into seriously screwing with that name server. For instance, depending on how much I know about your domain, I can (and have, in the lab) completely remove any reference to your domain controller with 1 to 4 spoofed DDNS packets. How's *that* for a DoS?

One last DNS note-- Everything registers into the DNS. Everything. All workstations, all servers, all domain controllers. Why? WINS is dead. All resource location takes place using DNS. And MS is using the SRV record DNS extensions to identify system roles. What this means is that I can identify what type of system and what it does using normal DNS queries only. This is really nice for the attacker with access. He doesn't have to make a lot of noise using obscure packets and protocols to figure out who's doing what on a network; he just has to be able to talk to your DNS server. Isn't this why we got away from HINFO records?

Even better-- in a forest or a tree with more than one level, Win2K really *really* REALLY wants to have DNS visibility into each and every nook and cranny, no matter where it resides. So unless you're jumping through some hoops to prevent it (and by hoops I mean spike-encrusted flaming hoops of pain and suffering), it's possible for a single attacker to map out your entire Win2K domain *INCLUDING SYSTEM ROLES* from a single location using nothing more than normal DNS traffic. Nothing like making things easy for people, is there?
> 10. With using Active Directory, may have to break Kerberos V.5 or X.509 certificates, which may be tough. Unless you get into Active Directory after the certificate information is passed and before the 'good stuff' is presented. Something similar to TCP/IP piggyback or TCP/IP hijacking. Can a man in the middle attack be done between the authorization of the Kerberos certificate and when the other information is passed?
No can do; Kerberos is a pretty damn fine protocol and MS doesn't appear to have messed it up too much. The PKINIT Kerberos authentication extension is pretty solid, IMHO, and eliminates the bad password possibilities. If you can break a ticket before that ticket expires, I'd like to know about it. Please. That way I can invest in whatever company you choose to start up. Of course, if you can snarf the ticket and then execute a clock roll-back attack, all bets are off. Did I mention that Win2K is using NTP? Hmmm, I wonder how secure *that* is...
> 11. With transitive trusts, is it possible that all computers can link to each other until eventually everyone is trusting everyone and we're really all on one BIG network? Ah, we can dream, can't we? Won't this make security fun if everything is completely open?
Yes. 8) Another implication for big-ass domains is that of directory corruption. Recall that in AD, all AD servers are peers. Last write (that funky little USN) wins. What happens if, say, one site mucks with the directory schema a little bit (a bug, a by-hand edit of the AD database, giving Schema Admin to the wrong person, etc.)? It's going to replicate. Everywhere. And then things will start to break. How do you recover? You have to stop replication to stop the spreading corruption. Then you have to identify *all* the corrupted DCs. Then you need to restore them (You *do* have backups, right?). Then you need to hook them all back together again and *pray to whatever deity suits your fancy* you didn't miss even *one* corrupted DC. If you did, it starts all over again. How'd you like to be on *that* conference call? "Ok, let's make sure everyone's here! I've got the POCs for all 234 sites, so when I call your name say 'present'..."
> 13. Can you spoof being a domain controller on the network?
Not bloody likely.
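The DDNS point above (an IP-only update ACL versus a key-based check) as an added example; this is not code from the thread or from bind, and the ACL range, update payload and shared secret are constructed for the demo:

```python
"""DDNS update authorisation: source-IP ACL versus TSIG (constructed demo)."""
import hashlib
import hmac
import ipaddress

# Constructed ACL in the bind 8 "allow-update { 10.0.0.0/8; }" style.
ALLOW_UPDATE = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed shared secret; a real TSIG key is generated per updater, not hard-coded.
TSIG_KEY = b"constructed-demo-secret-not-a-real-key"


def ip_acl_allows(src_ip: str) -> bool:
    """IP-only check: trusts whatever source address the UDP packet claims.
    A single update packet needs no handshake, so nothing here proves the
    sender actually holds that address."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOW_UPDATE)


def tsig_sign(update: bytes, key: bytes) -> bytes:
    """MAC a legitimate updater attaches (simplified TSIG: HMAC over the message).
    Real TSIG also covers the key name, algorithm and a signing time."""
    return hmac.new(key, update, hashlib.sha256).digest()


def tsig_allows(update: bytes, mac: bytes, key: bytes) -> bool:
    """Key-based check: accept only if the sender proved possession of the secret."""
    return hmac.compare_digest(tsig_sign(update, key), mac)


def demo() -> dict:
    # Constructed update that would delete the domain controller's A record.
    update = b"UPDATE example.test. DELETE dc1.example.test. A"
    claimed_src = "10.1.2.3"   # inside the ACL, but the address is only claimed
    no_key_mac = bytes(32)     # what a sender without the secret can attach
    return {
        "ip_acl_accepts_claimed_source": ip_acl_allows(claimed_src),
        "tsig_rejects_unkeyed_update": not tsig_allows(update, no_key_mac, TSIG_KEY),
        "tsig_accepts_keyed_update": tsig_allows(update, tsig_sign(update, TSIG_KEY), TSIG_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All three checks come back True: the ACL passes the merely claimed source address, while the keyed check rejects the same update without the secret and accepts it with one.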
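The Kerberos remark above (a captured ticket plus a rolled-back clock) as an added example of the service-side checks a server applies; this is not code from the thread or from any Kerberos implementation, the verifier class and timeline are constructed, and the ticket is assumed to have already decrypted under the service key:

```python
"""Service-side Kerberos authenticator checks: skew window plus replay cache (constructed demo)."""
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # usual Kerberos clock-skew tolerance


class ServiceVerifier:
    """Accepts or rejects a presented (ticket, authenticator) pair the way an
    application server does once the ticket has decrypted under the service key.
    Simplified: real replay caches also purge entries older than the skew window."""

    def __init__(self):
        self._seen = set()  # (client, authenticator time) pairs already honoured

    def accept(self, client: str, auth_time: datetime, ticket_end: datetime, now: datetime) -> str:
        # Lifetime: a captured ticket stops working at endtime, as judged by *this* clock.
        if now > ticket_end:
            return "rejected: ticket expired"
        # Freshness: the authenticator must be stamped close to the server's current time.
        if abs(now - auth_time) > MAX_SKEW:
            return "rejected: authenticator outside skew window"
        # Replay cache: the same authenticator is never honoured twice, whatever the clock says.
        key = (client, auth_time)
        if key in self._seen:
            return "rejected: replayed authenticator"
        self._seen.add(key)
        return "accepted"


def demo() -> list:
    t0 = datetime(2000, 8, 18, 15, 0, tzinfo=timezone.utc)  # constructed timeline
    ticket_end = t0 + timedelta(hours=10)
    verifier = ServiceVerifier()
    return [
        verifier.accept("alice", t0, ticket_end, t0),                        # legitimate use
        verifier.accept("alice", t0, ticket_end, t0 + timedelta(hours=11)),  # captured, presented late
        # Server clock rolled back to t0: lifetime and skew checks pass again, so only
        # the replay cache stands between the captured authenticator and acceptance.
        verifier.accept("alice", t0, ticket_end, t0),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay cache only helps while it survives, which is why an authenticated time source and alerting on clock changes matter as much as the protocol itself.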