Vulnerability Development mailing list archives

Possible privacy leak converting to website stealing


From: Kai Kretschmann <K.Kretschmann () security-gui de>
Date: Mon, 6 May 2002 16:03:53 +0200

Some weeks ago I noticed a small amount of netbios name service broadcasts on our internal LAN. First I only thought about some sort of privacy leak as posted on this list on April 25th. You could receive name resolution requests for internet domains below 17 characters in length sent via broadcast to every station connected. I found it important to say by broadcast, so you don't have to sniff or trick at some switches, but you get it delivered right to your desktop!

Now I programmed a little tool which could exploit this behavior even further. It's intended as a proof of concept to send false/faked name resolution answers to the clients mentioned above. Preferably with an IP number of a web server you already put a perfect mirror of the redirected website on. Now you could be able to redirect the client's traffic to this site and either fool him with wrong brokerage news or convince him to enter his usual password account data. It compiled here under SuSE Linux 7.2, just enter your domain and IP data on the command line.

I tried it in my test LAN and it worked, not only with browsers but also with every other windows application, like mysql clients etc., they all can be redirected this way. And it works only on domain names up to 16 characters.

If you ever saw these UDP/137 broadcasts for name resolution requests of the form WWW.DOMAIN.COM these clients might be vulnerable to this sort of simple attack. You can trigger this behavior for testing reasons on any Windows PC by disabling DNS resolution temporarily, just to trigger only these packets.

In real life(tm) we have a broad range of different Windows and service pack installations so we didn't get a common denominator yet how only some clients try to resolve this way.

--
Think Safety
Kai Kretschmann

Attachment: t3.c
Description:

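A defender-side check for the broadcast lookups the post describes, written as an added example (it is not the attached t3.c or any code from the post): it parses NetBIOS name-service query datagrams (RFC 1002 first-level encoding) and flags names that look like Internet hostnames being resolved via UDP/137 broadcast. The sample packets are constructed inline; a real deployment would feed it UDP payloads captured on port 137.

```python
import struct

QTYPE_NB = 0x0020   # NBNS question type "NB" (name query)

def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 chars, append the
    suffix byte, then emit each nibble as 'A' + nibble (32 chars total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes([32]) + bytes(out) + b"\x00"   # length, 32 chars, no scope

def build_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """Constructed sample only: a broadcast name query as a client sends it.
    Flags 0x0110 = opcode QUERY, recursion desired, broadcast bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, 1)

def decode_query(payload: bytes):
    """Return (name, suffix) for an NBNS NB query, or None for anything else."""
    if len(payload) < 12 + 34 + 4:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        return None   # response bit set, no question, or unexpected name/scope layout
    enc = payload[13:45]
    if any(not (ord("A") <= c <= ord("P")) for c in enc):
        return None   # not valid first-level encoding
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    if struct.unpack(">H", payload[46:48])[0] != QTYPE_NB:
        return None
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def looks_like_internet_name(name: str) -> bool:
    """Heuristic for the leak: a dotted, DNS-style name asked over NBNS."""
    labels = name.split(".")
    return len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels)

def find_leaked_lookups(payloads):
    """Names from UDP/137 payloads that a client tried to resolve via NBNS broadcast."""
    hits = []
    for p in payloads:
        parsed = decode_query(p)
        if parsed and looks_like_internet_name(parsed[0]):
            hits.append(parsed[0])
    return hits
```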