Freely subscribe to our NEWSLETTER

SYNTHESIS OF THE VULNERABILITY

Several vulnerabilities of DNS and WINS can be used by an attacker
to redirect victims.

Gravity: 2/4

Consequences: data reading

Provenance: internet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 4

Creation date: 11/03/2009

IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008

DESCRIPTION OF THE VULNERABILITY

The DNS and WINS services resolve names. The WPAD (Web Proxy
Auto-Discovery) name indicates the proxy. The ISATAP (Intra-Site
Automatic Tunnel Addressing Protocol) name indicates an IPv6/IPv4
tunnel. Several vulnerabilities impact these technologies.

When the DNS server is configured for dynamic updates, an attacker
can send queries and their answers to the DNS server in order to
poison its cache. [grav:2/4; BID-33982, CVE-2009-0233]

An attacker can predict identifiers of DNS queries in order to
poison the cache of the server. [grav:2/4; BID-33988,
CVE-2009-0234, VU#319331]

When the DNS server does not have ISATAP/WPAD entries, an attacker
can force the creation of these entries in the cache, in order to
redirect all users to his tunnel/proxy (VIGILANCE-VUL-6686
(https://vigilance.fr/tree/1/6686)). [grav:2/4; BID-26686,
BID-33989, CVE-2007-5355, CVE-2009-0093]

When the WINS server does not have ISATAP/WPAD entries, an
attacker can force the creation of these entries in the cache, in
order to redirect all users to his tunnel/proxy. [grav:2/4;
BID-34013, CVE-2009-0094]

These vulnerabilities can be used by an attacker to redirect
victims.

CHARACTERISTICS

Identifiers: BID-26686, BID-33982, BID-33988, BID-33989,
BID-34013, CVE-2007-5355, CVE-2009-0093, CVE-2009-0094,
CVE-2009-0233, CVE-2009-0234, MS09-008, VIGILANCE-VUL-8527,
VU#319331

http://vigilance.fr/vulnerability/Windows-DNS-and-WINS-spoofing-8527