Vulnerability Development mailing list archives

Re: [Fwd: 22 *potential* Windows 2000 holes]


From: "Timothy J. Miller" <cerebus () SACKHEADS ORG>
Date: Fri, 18 Aug 2000 10:04:28 -0500

Blue Boar <BlueBoar () THIEVCO COM> writes:

8. The more it's automated, the easier it is to break! DNS Dynamic update
protocol. Updates DNS servers automatically so resource records can be
updated w/o administrator intervention. Could there be a possible buffer
overflow to write-in your IP address? Or, grab an IP on the network using
DHCP. Is DHCP still used? The only secure updates are when Active Directory is
installed. W2K professional doesn't come with Active Directory. Otherwise,
the zone and the resource records can be modified by users w/o
authorization. This means ALL W2K professional machines.

From memory, but I'm pretty confident about it--

DHCP is still used.  Win2K DHCP will support just about everyone.  If
the DNS server is on a Win2K box, *and* it's AD-integrated, the
administrator can force DDNS updating to use Kerberos authentication.
In cases where the clients may not be capable of this (i.e., any LAN
where Win95/98/NT clients are in use) the DHCP server can be
configured to register the client addresses on the client's behalf.
And since the DHCP server is a domain member server, it can
authenticate...

Side note--  MS made a lot of hay about how Win2K is perfectly happy
registering to bind (v 8.2.1 or later).  However, *you* won't be
perfectly happy.  While DDNS registration works like a champ, bind 8
only gives you IP address authentication for DDNS updates.  Since MS
hasn't decided yet whether to support X.509 DDNS authentication and I
don't know of a version of bind that supports Kerberos, it is
perfectly possible to spoof your way into seriously screwing with that
name server.

For instance, depending on how much I know about your domain, I can
(and have, in the lab) completely remove any reference to your domain
controller with 1 to 4 spoofed DDNS packets.  How's *that* for a DoS?

One last DNS note-- Everything registers into the DNS.  Everything.
All workstations, all servers, all domain controllers.  Why?  WINS is
dead.  All resource location takes place using DNS.  And MS is using
the SRV record DNS extensions to identify system roles.

What this means is that I can identify what type of system and what it
does using normal DNS queries only.  This is really nice for the
attacker with access.  He doesn't have to make a lot of noise using
obscure packets and protocols to figure out who's doing what on a
network; he just has to be able to talk to your DNS server.  Isn't
this why we got away from HINFO records?

Even better-- in a forest or a tree with more than one level, Win2K
really *really* REALLY wants to have DNS visibility into each and every
nook and cranny, no matter where it resides.  So unless you're jumping
through some hoops to prevent it (and by hoops I mean spike-encrusted
flaming hoops of pain and suffering), it's possible for a single
attacker to map out your entire Win2K domain *INCLUDING SYSTEM ROLES*
from a single location using nothing more than normal DNS traffic.

Nothing like making things easy for people, is there?

10. When using Active Directory, you may have to break Kerberos V.5 or X.509
certificates, which may be tough. Unless you get into Active Directory
after the certificate information is passed and before the 'good stuff' is
presented. Something similar to TCP/IP piggyback or TCP/IP hijacking. Can a
man in the middle attack be done between the authorization of the Kerberos
Certificate and when the other information is passed?

No can do; Kerberos is a pretty damn fine protocol and MS doesn't
appear to have messed it up too much.  The PKINIT Kerberos
authentication extension is pretty solid, IMHO, and eliminates the bad
password possibilities.

If you can break a ticket before that ticket expires, I'd like to know
about it.  Please.  That way I can invest in whatever company you
choose to start up.

Of course, if you can snarf the ticket and then execute a clock
roll-back attack, all bets are off.  Did I mention that Win2K is using
NTP?  Hmmm, I wonder how secure *that* is...

11. With transitive trusts, is it possible that all computers can link to
each other until eventually everyone is trusting everyone and we're really
all on one BIG network? Ah, we can dream, can't we? Won't this make
security fun if everything is completely open?

Yes.  8)

Another implication for big-ass domains is that of directory
corruption.  Recall that in AD, all AD servers are peers.  Last write
(that funky little USN) wins.  What happens if, say, one site mucks
with the directory schema a little bit (a bug, a by-hand edit of the
AD database, giving Schema Admin to the wrong person, etc.)?

It's going to replicate.  Everywhere.  And then things will start to
break.

How do you recover?  You have to stop replication to stop the
spreading corruption.  Then you have to identify *all* the corrupted
DCs.  Then you need to restore them (You *do* have backups, right?).
Then you need to hook them all back together again and *pray to
whatever deity suits your fancy* you didn't miss even *one* corrupted
DC.  If you did, it starts all over again.

How'd you like to be on *that* conference call?  "Ok, let's make sure
everyone's here!  I've got the POCs for all 234 sites, so when I call
your name say 'present'..."

13. Can you spoof being a domain controller on the network?

Not bloody likely.
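An added example, not part of the original message and not code from Microsoft or ISC: a small Python model of the two ways a name server can authorize a dynamic update that the reply above contrasts. The first policy trusts the datagram's source address (what the post says bind 8 offers); the second requires a keyed MAC over the update message, the approach TSIG (RFC 2845) takes and that BIND 9's `allow-update { key ...; }` / `update-policy` and Windows secure (GSS-TSIG) updates build on. The zone name, addresses, shared key and records are constructed for the demonstration; a forged packet is modelled as an update object whose `src_ip` field simply claims the trusted address.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared secret for the keyed policy (not a real key).
UPDATE_KEY = b"constructed-demo-key"


@dataclass
class DDNSUpdate:
    """A dynamic update request as the server sees it."""
    zone: str
    name: str
    rtype: str
    rdata: str            # "" means "remove this record"
    src_ip: str           # source address on the datagram; attacker-controlled
    mac: bytes = b""      # keyed MAC over the message; empty if unsigned

    def message_bytes(self) -> bytes:
        # Only DNS message content is covered. The IP header is not part of
        # the DNS message, so the MAC never depends on src_ip and a forged
        # source address buys the sender nothing under the keyed policy.
        return f"{self.zone}|{self.name}|{self.rtype}|{self.rdata}".encode()


def sign_update(update: DDNSUpdate, key: bytes) -> DDNSUpdate:
    """Client side: attach an HMAC-SHA256 over the update (TSIG-style)."""
    update.mac = hmac.new(key, update.message_bytes(), hashlib.sha256).digest()
    return update


class Zone:
    """A zone with two selectable update-authorization policies."""

    def __init__(self, name: str, allowed_sources: set, key: bytes):
        self.name = name
        self.records = {}              # (owner name, rtype) -> rdata
        self.allowed_sources = allowed_sources
        self.key = key
        self.log = []

    def _authorize_by_source(self, u: DDNSUpdate) -> bool:
        # bind 8 style: the only credential is the claimed source address.
        return u.src_ip in self.allowed_sources

    def _authorize_by_key(self, u: DDNSUpdate) -> bool:
        # TSIG style: recompute the MAC with the shared key and compare in
        # constant time; an unsigned or mis-signed message is refused.
        expected = hmac.new(self.key, u.message_bytes(), hashlib.sha256).digest()
        return bool(u.mac) and hmac.compare_digest(u.mac, expected)

    def apply(self, u: DDNSUpdate, policy: str) -> bool:
        """Apply the update if the chosen policy authorizes it; return the decision."""
        check = self._authorize_by_source if policy == "source" else self._authorize_by_key
        if u.zone != self.name or not check(u):
            self.log.append(f"REFUSED policy={policy} {u.name} {u.rtype} from {u.src_ip}")
            return False
        if u.rdata == "":
            self.records.pop((u.name, u.rtype), None)
        else:
            self.records[(u.name, u.rtype)] = u.rdata
        self.log.append(f"APPLIED policy={policy} {u.name} {u.rtype} from {u.src_ip}")
        return True


def demo(policy: str) -> dict:
    """Run a legitimate registration and a forged deletion under one policy."""
    zone = Zone("example.test", {"10.0.0.5"}, UPDATE_KEY)
    # Constructed SRV record of the kind Win2K uses to advertise a DC role.
    zone.records[("_ldap._tcp.example.test", "SRV")] = "0 100 389 dc1.example.test."

    # Legitimate registration from the trusted host, which holds the key.
    legit = DDNSUpdate("example.test", "ws1.example.test", "A", "10.0.0.77", "10.0.0.5")
    zone.apply(sign_update(legit, UPDATE_KEY), policy)

    # A datagram whose IP source field merely claims to be 10.0.0.5. The
    # sender does not hold the key, so it carries no valid MAC.
    forged = DDNSUpdate("example.test", "_ldap._tcp.example.test", "SRV", "", "10.0.0.5")
    forged_accepted = zone.apply(forged, policy)

    return {
        "forged_accepted": forged_accepted,
        "srv_present": ("_ldap._tcp.example.test", "SRV") in zone.records,
        "records": len(zone.records),
        "log": zone.log,
    }


if __name__ == "__main__":
    for p in ("source", "key"):
        print(p, demo(p))
```

Under the source-address policy the forged deletion removes the DC's SRV record, which is the outcome the reply describes; under the keyed policy the same packet is refused and only the signed registration lands. The model deliberately leaves out the rest of the TSIG wire format (time signed, fudge window, key name) so the one thing it shows is where the trust anchor sits: in a secret the sender must prove possession of rather than in a header field anyone can fill in.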

