Vigil@nce: Windows, DNS and WINS spoofing
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
Several vulnerabilities in the DNS and WINS services can be used by
an attacker to redirect victims.
Gravity: 2/4
Consequences: data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 4
Creation date: 11/03/2009
IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008
DESCRIPTION OF THE VULNERABILITY
The DNS and WINS services resolve names. Clients resolve the WPAD
(Web Proxy Auto-Discovery) name to locate their proxy, and the
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) name to
locate an IPv6/IPv4 tunnel. Several vulnerabilities impact these
technologies.
When the DNS server is configured for dynamic updates, an attacker
can send queries and their answers to the DNS server in order to
poison its cache. [grav:2/4; BID-33982, CVE-2009-0233]
An attacker can predict identifiers of DNS queries in order to
poison the cache of the server. [grav:2/4; BID-33988,
CVE-2009-0234, VU#319331]
When the DNS server does not have ISATAP/WPAD entries, an attacker
can force the creation of these entries in the cache, in order to
redirect all users to a tunnel/proxy the attacker controls
(VIGILANCE-VUL-6686 (https://vigilance.fr/tree/1/6686)).
[grav:2/4; BID-26686, BID-33989, CVE-2007-5355, CVE-2009-0093]
When the WINS server does not have ISATAP/WPAD entries, an
attacker can force the creation of these entries in the cache, in
order to redirect all users to a tunnel/proxy the attacker
controls. [grav:2/4; BID-34013, CVE-2009-0094]
These vulnerabilities can be used by an attacker to redirect
victims.
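Added example (not part of the Vigil@nce bulletin and not vendor
tooling): a Python check that audits an exported DNS zone for the WPAD
and ISATAP names described above, and reports each name as missing,
as resolving only to approved addresses, or as resolving somewhere
unexpected. The zone text, the corp.example domain, the simplified
record format and the approved addresses are constructed assumptions.

```python
# Added example: audit an exported DNS zone for the WPAD and ISATAP names.
# Zone text, domain and approved addresses below are constructed assumptions.
SENSITIVE_LABELS = ("wpad", "isatap")

SAMPLE_ZONE = """
; constructed zone export for corp.example
@        3600 IN NS  dc1.corp.example.
dc1      3600 IN A   10.0.0.10
WPAD     1200 IN A   10.0.0.99   ; not the approved proxy
fileserv      IN A   10.0.0.20
"""
APPROVED = {"wpad": {"10.0.0.53"}, "isatap": {"10.0.0.54"}}

def parse_records(zone_text, origin):
    """Yield (fqdn, type, data) from lines of 'owner [ttl] [IN] type data'."""
    origin = origin.lower().rstrip(".")
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                      # skip optional TTL and class
        if len(rest) < 2:
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"           # relative name
        yield fqdn, rest[0].upper(), rest[1].lower().rstrip(".")

def audit_zone(zone_text, origin, approved):
    """Return {label: 'missing' | 'ok' | 'unexpected'} for WPAD and ISATAP."""
    records = list(parse_records(zone_text, origin))
    findings = {}
    for label in SENSITIVE_LABELS:
        name = f"{label}.{origin.lower().rstrip('.')}"
        targets = {data for fqdn, rtype, data in records
                   if fqdn == name and rtype in ("A", "AAAA", "CNAME")}
        if not targets:
            findings[label] = "missing"      # no entry exists for the name
        elif targets <= set(approved.get(label, ())):
            findings[label] = "ok"
        else:
            findings[label] = "unexpected"   # resolves somewhere unapproved
    return findings

if __name__ == "__main__":
    print(audit_zone(SAMPLE_ZONE, "corp.example.", APPROVED))
```

A "missing" result corresponds to the condition the bulletin describes,
where the server has no ISATAP/WPAD entry of its own.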
CHARACTERISTICS
Identifiers: BID-26686, BID-33982, BID-33988, BID-33989,
BID-34013, CVE-2007-5355, CVE-2009-0093, CVE-2009-0094,
CVE-2009-0233, CVE-2009-0234, MS09-008, VIGILANCE-VUL-8527,
VU#319331
http://vigilance.fr/vulnerability/Windows-DNS-and-WINS-spoofing-8527