May 29, 2009
Registering service names in a local network allows attackers to hijack other users' traffic and conduct “man-in-the-middle” attacks. An attacker who successfully conducts this attack can analyze the target system's Internet traffic, including confidential data such as passwords, credit card numbers and personal correspondence.
There are several ways to register names in a network:
WPAD and ISATAP names are described in the document. These names are used in the following protocols, respectively:
In March 2009 Microsoft published updates for DNS and WINS servers that allow users to prevent a number of attacks that use special names, but these updates do not eliminate all security problems in the network (see the article http://www.securitylab.ru/_download/articles/wpad_weakness_en.pdf).
A man-in-the-middle attack vulnerability exists in DNS servers where dynamic update is used and ISATAP and WPAD are not already registered in DNS. This vulnerability could allow a remote authenticated attacker to spoof a web proxy and thereby redirect Internet traffic to an address of the attacker's choice.
Vulnerable systems | Microsoft Windows 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008
Vulnerable component | DNS server
Maximum impact | «man-in-the-middle» attack
Available exploit | no
CVE identifier |
Exploit vector | Local network
SecurityLab security level | Medium
A man-in-the-middle attack vulnerability exists in WINS servers. This vulnerability could allow a remote authenticated attacker to spoof a web proxy and thereby redirect Internet traffic to an address of the attacker's choice.
Potentially dangerous records can be registered on the WINS server.
Vulnerable systems | Microsoft Windows 2000, Microsoft Windows Server 2003
Vulnerable component | WINS server
Maximum impact | «man-in-the-middle» attack
Available exploit | no
CVE identifier |
Exploit vector | Local network
SecurityLab security level | Medium
Positive Technologies has released a utility that detects potentially dangerous entries in the DNS and WINS service databases. The utility can also scan the reachable local network to detect hosts with these NetBIOS names.
With the utility, system administrators and security administrators can monitor name server entries and hosts with dangerous NetBIOS names.
Checks for potentially dangerous entries on the WINS server (WPAD; WPAD.; ISATAP). If such entries are detected, check the network devices with these names or install the update MS09-008.
Checks whether potentially dangerous entries (WPAD; WPAD.; ISATAP) can be registered on the WINS server and then resolved.
If the vulnerability is detected, register static entries for the potentially dangerous names or install the update MS09-008.
These checks require the name of the DNS zone to analyze.
Checks for potentially dangerous entries in the DNS zone (wpad, isatap).
Checks whether potentially dangerous entries (wpad, isatap) can be registered in the DNS zone. As with WINS, the check also verifies that the name resolves after registration.
If the vulnerability is detected, register static entries for the potentially dangerous names or install the update MS09-008.
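The first DNS check above (does wpad or isatap already resolve in the zone, and to whom) can be sketched as follows. This is an added example, not the Positive Technologies utility; the zone name, the addresses and the `approved` inventory of static entries are assumptions made for illustration.

```python
import socket

# Names the page lists for the DNS zone check.
SPECIAL_LABELS = ("wpad", "isatap")

def system_resolve(fqdn):
    """IPv4 addresses the local resolver returns for fqdn (empty set if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def audit_zone(zone, approved, resolve=system_resolve):
    """Classify wpad/isatap in `zone` against the administrator's static entries.

    approved: {label: set of IPs} the administrator registered on purpose
    (hypothetical inventory, not something the DNS server provides).
    Returns {label: (status, [addresses not in the approved set])}.
    """
    zone = zone.strip(".").lower()
    findings = {}
    for label in SPECIAL_LABELS:
        # Trailing dot: query the exact name, no search-suffix expansion.
        fqdn = f"{label}.{zone}."
        addrs = set(resolve(fqdn))
        rogue = sorted(addrs - set(approved.get(label, ())))
        if not addrs:
            status = "absent"      # nothing resolves: the name may be free to register
        elif rogue:
            status = "unexpected"  # resolves to a host nobody approved
        else:
            status = "approved"
        findings[label] = (status, rogue)
    return findings

if __name__ == "__main__":
    # Constructed sample data (RFC 5737 addresses), so the demo runs offline.
    sample = {"wpad.corp.example.": {"192.0.2.10"}}
    result = audit_zone("corp.example", {"wpad": {"192.0.2.53"}},
                        resolve=lambda name: sample.get(name, set()))
    for label, (status, rogue) in result.items():
        print(label, status, rogue)
```

Called without the `resolve` argument, `audit_zone` queries the DNS server configured on the host it runs on.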
The utility gets the IP addresses of the adapters installed on the host and then sends a broadcast NetBIOS request to get the IP addresses of computers with potentially dangerous NetBIOS names. The potentially dangerous NetBIOS names are WPAD, WPAD. and ISATAP.
If a potentially dangerous name is detected, it is necessary to identify the owner of that host and take appropriate measures.
Notes: