Possible information leakage from DNS quirks

From: Joao Veiga (focus-ms_at_rf.com.br)
Date: 09/08/03

    Date: 8 Sep 2003 16:24:00 -0000
    To: focus-ms@securityfocus.com

    Hello,

    Two possible issues here, Microsoft DNS client related. I
    don't know if they are seriously exploitable, or just
    information leakage:

    1 -
    I suppose this one is related to Microsoft Knowledge Base
    article 272020 (Unnecessary DNS Query for
    _ldap._tcp.dc._msdcs.<WorkgroupName>)
    (http://support.microsoft.com/default.aspx?scid=kb;EN-US;272020).

    Although not mentioned on the KB, if your WorkgroupName
    happens to be similar to an existing Internet domain,
    you'll be querying a DNS server outside your network.

    For example, I take care of rf.com.br domain. It seems
    someone (outside my domain) has set his Win workgroup name
    as RF. We are in Brazil, so it looks like Windows 'decided'
    the machine is part of rf.com.br domain (more on this on
    the second issue).

    Because of this, the guy's ISP DNS servers forward the
    unnecessary queries to my DNS:
    200.204.0.138 -> 200.232.120.2 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br
    200.232.120.2 -> 200.204.0.138 DNS Standard query response, No such name
    200.204.0.10 -> 200.232.120.3 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br
    200.232.120.3 -> 200.204.0.10 DNS Standard query response, No such name

    That goes on for the following names too (hundreds of times
    a day):
    _kerberos._tcp.Primeiro-site-padrao._sites.dc._msdcs.www.rf.com.br
    _gc._tcp.Primeiro-site-padrao._sites.www.rf.com.br

    Note that "Primeiro_site_padrao" means
    "First_template_site" or something like that. The
    aforementioned KBA does not mention anything but
    "_ldap._tcp.dc._msdcs.WorkgroupName" being queried out - maybe
    it's not the same bug.

    I wonder if this is just information leakage, or
    exploitable in any way (by crafting the DNS reply).

    2 -
    Probably the same guy has his Dynamic DNS update enabled,
    so his machine (up 24/7) also keeps asking to dynamically
    update my DNS (I ended up firewalling his IP out; opened it
    just to grab this). Although my DNS refuses the update,
    Windows seems to insist, down to trying to negotiate TKEYs:
    200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
    200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, RRset does not exist
    200.168.31.51 -> 200.232.120.2 DNS Standard query SOA rf-ubpumac1u03q.www.rf.com.br
    200.232.120.2 -> 200.168.31.51 DNS Standard query response, No such name
    200.168.31.51 -> 200.232.120.2 DNS Standard query A yankee.rf.com.br
    200.232.120.2 -> 200.168.31.51 DNS Standard query response A 200.232.120.2
    200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
    200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused
    200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2
    200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused
    200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2
    200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused
    200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
    200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused
    200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 1047972020242-3
    200.232.120.2 -> 200.168.31.51 DNS Standard query response, Refused

    Note that his NetBIOS name is rf-ubpumac1u03q (used to be
    RF only - looks like he fresh-reinstalled and is using the
    default installation name).
    Again, not sure if this can be exploited (I'm no hacker),
    but it sure is information leakage.

    Regards,
    Joao S Veiga
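An added detection example, not code from the post or from any project: a small Python script that parses captures in the layout quoted above and flags the two patterns the post describes, Active Directory locator queries for names under the zone arriving from outside, and dynamic-update/TKEY attempts from external clients. The zone name, the "internal" address block and the sample lines are assumptions constructed from the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of the capture quoted in the post (not a real log).
SAMPLE = """\
200.204.0.138 -> 200.232.120.2 DNS Standard query SOA _ldap._tcp.Primeiro-site-padrao._sites.gc._msdcs.www.rf.com.br
200.232.120.2 -> 200.204.0.138 DNS Standard query response, No such name
200.204.0.10 -> 200.232.120.3 DNS Standard query SOA _kerberos._tcp.Primeiro-site-padrao._sites.dc._msdcs.www.rf.com.br
200.168.31.51 -> 200.232.120.2 DNS Dynamic update SOA rf.com.br
200.232.120.2 -> 200.168.31.51 DNS Dynamic update response, Refused
200.168.31.51 -> 200.232.120.2 DNS Standard query TKEY 996432412690-2
200.168.31.51 -> 200.232.120.2 DNS Standard query A yankee.rf.com.br
"""
ZONE = "rf.com.br"
INTERNAL = [ip_network("200.232.120.0/24")]  # assumed: the zone owner's own block
# AD locator names: _ldap/_kerberos/_gc SRV labels, _msdcs and _sites subtrees.
AD_LOCATOR = re.compile(r"^(_ldap|_kerberos|_gc)\._tcp\.|\._msdcs\.|\._sites\.")

def classify(summary, name):
    """Map one inbound request to a leak category, or None if it is ordinary."""
    if "Dynamic update" in summary:
        return "dynamic_update"      # client trying to register itself in our zone
    if "TKEY" in summary:
        return "tkey_negotiation"    # client trying to set up a key for secure update
    if name.endswith("." + ZONE) and AD_LOCATOR.search(name):
        return "ad_locator_leak"     # DC-locator query that escaped the workgroup
    return None

def parse_capture(text):
    """Return the inbound requests from outside that match a leak category."""
    events = []
    for raw in text.splitlines():
        if " DNS " not in raw:
            continue
        hosts, summary = raw.split(" DNS ", 1)
        src, _dst = hosts.split(" -> ")
        if "response" in summary or any(ip_address(src) in n for n in INTERNAL):
            continue                 # skip our own answers and our own hosts
        name = summary.rsplit(" ", 1)[-1]
        category = classify(summary, name)
        if category:
            events.append({"src": src, "category": category, "name": name})
    return events

def summarize(events):
    """Count (source, category): dynamic-update/TKEY sources are the leaking
    client itself; locator-leak sources are usually its ISP's recursive resolvers."""
    return Counter((e["src"], e["category"]) for e in events)
```

The distinction in summarize() matters for response: the locator queries reach the authoritative server via the ISP's resolvers, so filtering those addresses would also cut legitimate lookups, whereas the dynamic-update source is the misconfigured host itself, which is what the post ended up firewalling.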

