29 мая, 2009

>> Download <<

Service name registration in local network allows attackers to hijack other users traffic and conduct “man-in-the-middle” attacks. An attacker who successfully conducted this attack could analyze target system Internet traffic including confidential data, such as passwords, credit card numbers, personal correspondence, etc.

There are several ways to register names in a network:

1. Registration on DNS or WINS name server;
2. Certain NetBIOS name usage in a network.

WPAD and ISATAP names are described in the document. These names are used in the following protocols, respectively:

• WPAD (Web Proxy Auto Discovery) is a method used by web clients to automatically locate a browser configuration file used to connect through proxy. The main reason that makes attacks via WPAD such dangerous is that it is widely used in default configuration. Attacks with WPAD protocols are described in a separate article (http://www.securitylab.ru/_download/articles/wpad_weakness_en.pdf);
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism meant to transmit IPv6 packets on top of an IPv4 network.

In March 2009 Microsoft published updates for DNS and WINS servers which allow users to prevent a number of attacks with special names but (see the article http://www.securitylab.ru/_download/articles/wpad_weakness_en.pdf) these updates do not eliminate all security problems in the network.

A man-in-the-middle attack vulnerability exists in DNS servers where dynamic update is used and ISATAP and WPAD are not already registered in DNS. This vulnerability could allow a remote authenticated attacker to spoof a web proxy thereby redirect Internet traffic to an address of the attacker's choice.

A man-in-the-middle attack vulnerability exists in WINS servers. This vulnerability could allow a remote authenticated attacker to spoof a web proxy and thereby redirect Internet traffic to an address of the attacker's choice.

Potentially dangerous records could be registered on WINS server.

Utility

>> Download <<

Positive Technologies issued an utility to detect potentially dangerous entries in DNS and WINS services database. The utility also allows to scan available local network to detect hosts with this NetBIOS names.

System administrators and security administrators could control entries in name servers and hosts with dangerous NetBIOS names if they use the utility.

What checks are made and how to fix vulnerabilities

Checks for potentially dangerous entries on WINS server (WPAD; WPAD.; ISATAP). If such entries are detected then check network devices with the names or install the update MS09-008.
Checks for possibility to register potentially dangerous entries on WINS server and further name resolving (WPAD; WPAD.; ISATAP).
If the vulnerability is detected then register static entries for potentially dangerous names or install the update MS09-008.

Analyzing DNS zone name is required for the checks.

• Checks for possibility to dynamically update DNS zone
• It is recommended to allow dynamic updates from authenticated hosts only. Disable zone dynamic updates if not necessary.

Checks for potentially dangerous entries in the DNS zone (wpad, isatap).

• If such entries are detected then check network devices with the names or install the update MS09-008.

Checks for possibility to register potentially dangerous entries in the DNS zone (wpad, isatap). Similar to WINS, a possibility of name resolving after registration is checked
If the vulnerability is detected then register static entries for potentially dangerous names or install the update MS09-008.

The utility gets IP addresses of adapters installed on the host and then sends broadcast NetBIOS request to get IP addresses of computers with potentially dangerous NetBIOS names. Potentially dangerous NetBIOS names are WPAD, WPAD. and ISATAP.
It potentially dangerous name is detected it is necessary to analyze this host owner and take appropriate measures.
Notes:

• The utility does not recognize DNS and WINS services so do not scan hosts without this services – it is useless;
• .NET Framework. Is required for the utility.

Links

1. Article by Sergey Rublev about WPAD technology weaknesses
   http://www.securitylab.ru/_download/articles/wpad_weakness_en.pdf
2. WPAD Registration Vulnerability (Microsoft Security Bulletin)
   http://www.microsoft.com/technet/security/Bulletin/MS09-008.mspx
3. WPAD in Wikipedia
   http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
4. DNS dynamic updates in Windows 2003 Server
   http://support.microsoft.com/kb/816592
5. Changes to WINS server behavior after you install the security update for WINS server
   http://support.microsoft.com/kb/968731
6. ISATAP in Wikipedia
   http://en.wikipedia.org/wiki/ISATAP

Новости: 

• Email-Worm.Win32.Cholera
• Бразильские хакеры не боятся ни энергетического кризиса, ни правительства
• Хакеры атаковали защитников сетевой безопасности из Евросоюза
• Хакеры готовятся к саммиту "большой восьмерки"
• Новый интернет червь дефейсит сайты
• Ущерб от вируса Code Red уже составил цифру в 1,2 миллиарда долларов
• Даже специальные законы не могут спасти CША от CODE RED
• Стерт Крупнейший порносайт
• За день Code Red заразил свыше ста тысяч компьютеров
• Все, что Вы хотели узнать о защите вашего PC