Hello,
Two possible issues here, Microsoft DNS client related. I
don't know if they are seriously exploitable, or just
information leakage:
1 -
I suppose this one is related to Microsoft Knowledge base
article 272020 (Unnecessary DNS Query for
_ldap._tcp.dc._msdcs.<WorkgroupName>)
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;272020).
Although not mentioned on the KB, if your WorkgroupName
happens to be similar to an existing Internet domain,
you'll be querying a DNS server outside your network.
For example, I take care of rf.com.br domain. It seems
someone (outside my domain) has set his Win workgroup name
as RF. We are in Brazil, so it looks like Windows 'decided'
the machine is part of rf.com.br domain (more on this on
the second issue).
Because of this, the guy's ISP DNS servers forward the
unnecessary queries to my DNS:
200.204.0.138 -> 200.232.120.2 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br
200.232.120.2 -> 200.204.0.138 DNS Standard query response, No such name
200.204.0.10 -> 200.232.120.3 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br
200.232.120.3 -> 200.204.0.10 DNS Standard query response, No such name
That goes on for the following names too (hundreds of times
a day):
_kerberos._tcp.Primeiro-site-padrao._sites.dc._msdcs.www.rf.com.br
_gc._tcp.Primeiro-site-padrao._sites.www.rf.com.br
Note that "Primeiro_site_padrao" means
"First_template_site" or something like that. The
aforementioned KBA does not mention anything but
"_ldap._tcp.dc._msdcs.WorkgroupName" being queried out - maybe
it's not the same bug.
I wonder if this is just information leakage, or
exploitable in any way (by crafting the DNS reply).
2 -
Probably the same guy has his Dynamic DNS update enabled,
so his machine (up 24/7) also keeps asking to dynamically
update my DNS (I ended up firewalling his IP out; opened it
just to grab this). Although my DNS refuses the update,
Windows seems to insist, down to trying to negotiate TKEYs:
200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, RRset does not exist
200.168.31.51 -> 200.232.120.2 DNS Standard query SOA rf-ubpumac1u03q.www.rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Standard query response, No such name
200.168.31.51 -> 200.232.120.2 DNS Standard query A yankee.rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Standard query response A 200.232.120.2
200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused
200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2
200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused
200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2
200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused
200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused
200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 1047972020242-3
200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused
Note that his Netbios name is rf-ubpumac1u03q (used to be
RF only - looks like he fresh-reinstalled and is using the
default installation name).
Again, not sure if this can be exploited (I'm no hacker),
but it sure is information leakage.
Regards,
Joao S Veiga
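As an added example (not part of the post or of its author's tooling): a small Python checker that walks trace summaries like the ones quoted above and flags the two patterns the post describes, AD locator lookups under our zone arriving from outside, and dynamic update or TKEY attempts against it. The zone name, server addresses and sample lines follow the post; the line format handling and category names are assumptions of this example.

```python
"""Flag Windows AD locator lookups and dynamic-update attempts that reach an
Internet-facing authoritative server, the two patterns in the post above.
Zone, addresses and sample lines follow the post; the parsing is an assumption."""
import re
from collections import Counter

ZONE = "rf.com.br"                                  # zone we are authoritative for
OUR_SERVERS = {"200.232.120.2", "200.232.120.3"}    # our own name servers (from the post)

# Owner names the Windows DC locator asks for when looking for a DC, KDC or GC.
AD_LOCATOR = re.compile(r"^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)\.", re.I)
REQUEST = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) DNS "
    r"(?P<kind>Standard query|Dynamic update) (?P<rtype>[A-Z]+) (?P<name>\S+)$"
)

def in_zone(name):
    name = name.rstrip(".").lower()
    return name == ZONE or name.endswith("." + ZONE)

def classify(line):
    """Return (category, source, name) for an interesting external request, else None."""
    m = REQUEST.match(line.strip())
    if not m or m["src"] in OUR_SERVERS:
        return None                 # a response we sent, or not a request line
    src, rtype, name = m["src"], m["rtype"], m["name"]
    if rtype == "TKEY":             # key negotiation preceding a signed update
        return ("tkey_negotiation", src, name)
    if not in_zone(name):
        return None                 # someone else's zone; nothing leaked to us
    if m["kind"] == "Dynamic update":
        return ("dynamic_update_attempt", src, name)
    if AD_LOCATOR.match(name) or "._msdcs." in name.lower():
        return ("ad_locator_leak", src, name)
    return None                     # ordinary lookup of a name in our zone

def summarize(lines):
    """Count findings per (source address, category)."""
    return dict(Counter((h[1], h[0]) for h in map(classify, lines) if h))

SAMPLE = [  # constructed from the trace in the post; responses are ignored
    "200.204.0.138 -> 200.232.120.2 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br",
    "200.232.120.2 -> 200.204.0.138 DNS Standard query response, No such name",
    "200.204.0.10 -> 200.232.120.3 DNS Standard query SOA _kerberos._tcp.Primeiro-site-padrao._sites.dc._msdcs.www.rf.com.br",
    "200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br",
    "200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused",
    "200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2",
    "200.168.31.51 -> 200.232.120.2 DNS Standard query A yankee.rf.com.br",
]
```

Running `summarize(SAMPLE)` yields one locator leak per ISP resolver plus one update attempt and one TKEY negotiation from the 200.168.31.51 host, while the plain A lookup and all responses are left out.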
---------------------------------------------------------------------------
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
---------------------------------------------------------------------------