Recent Microsoft patch useless if previously exploited (Update 2)
by Steve Ragan - Mar 14 2009, 18:18
Tyler Reguly, a researcher on nCircle’s VERT team, recently made a post to the company blog that reported a unique discovery. The patch issued by Microsoft on Tuesday to address Man-in-the-Middle attacks on Windows DNS and WINS (MS09-008) is flawed. The flaw is that if a system was exploited before the patch was applied, it remains exploited. The fix didn’t work.
Internet Explorer will check WPAD for proxy settings if set to Auto Discover. An attacker would create a WPAD entry pointing at their own servers, thus directing traffic to the locations of their choosing. The assumed logic of the patch was that, even if a server already carried a malicious WPAD entry, the patch would block rogue WPAD responses when Internet Explorer downloaded its proxy settings.
“It turns out that this isn't the case. Instead, the patch checks to see which entries have been created in the DNS server and *only adds block list entries for values not already being served*,” Reguly wrote in his post. “In other words, if your DNS server contains an entry for WPAD and you apply MS09-008, the block list will not have WPAD added to it. Subsequent queries for WPAD will continue to be answered and if the WPAD entry is from a previous attack, your users will continue to be Man-in-the-Middled -- even after you are patched.”
Most businesses will assume they are patched and protected once MS09-008 is applied.
The issue affects DNS, not WINS, and, according to comments left by Reguly, Server 2008 is affected as well as 2000 and 2003.
To verify that you are indeed effectively patched, Reguly says to check:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
Make sure the entry contains both 'wpad' and 'isatap'.
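As an added check (this script is not from the article or from nCircle), the following PowerShell reads the block list value named above and also tests whether the server still answers for wpad, which is the symptom Reguly describes. It assumes it runs on the DNS server itself with rights to read HKLM, that the server is its own resolver, and it also reads the EnableGlobalQueryBlockList DWORD that lives in the same Parameters key.

```powershell
# Added example: verify the MS09-008 block list state on a Windows DNS server.
# Assumed: run locally on the DNS server, with read access to HKLM.

$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$required = @('wpad', 'isatap')

$params = Get-ItemProperty -Path $keyPath -ErrorAction Stop

# GlobalQueryBlockList is a REG_MULTI_SZ; it is missing entirely if the
# update never wrote it, so coerce to an (possibly empty) array.
$blockList = @($params.GlobalQueryBlockList | ForEach-Object { $_.ToLower() })
$enabled   = $params.EnableGlobalQueryBlockList   # 1 = list is enforced

Write-Host "EnableGlobalQueryBlockList = $enabled"
Write-Host "GlobalQueryBlockList       = $($blockList -join ', ')"

if ($enabled -ne 1) {
    Write-Warning "Block list is not enabled; entries in it are not enforced."
}

# Names the article says must be present. A name that was already being
# served when the update ran is the one the update silently skipped.
$missing = $required | Where-Object { $blockList -notcontains $_ }
foreach ($name in $missing) {
    Write-Warning "'$name' is NOT in the block list; a record for it probably existed when MS09-008 was applied."
}

# Second check: does the server still answer for wpad? A name on an enforced
# block list gets no answer, so a successful lookup means clients still get a
# proxy configuration from wherever this record points.
try {
    $answer = [System.Net.Dns]::GetHostEntry('wpad')
    $addrs  = ($answer.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', '
    Write-Warning "wpad still resolves to $addrs. Confirm an administrator created this record; if not, remove it from the zone (the update will not do so)."
}
catch {
    Write-Host "wpad does not resolve: it is blocked or no record exists."
}
```

Run it on each DNS server, since the article notes the update evaluates each server's own zone data independently.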
The Tech Herald has e-mailed nCircle for follow-up, seeking information on new developments, if Microsoft has confirmed the issue after nCircle reported it, and if this is a mistake (as it appears to be) or a by-design element to the patch.
The odds are this is a mistake on Microsoft’s part.
Update:
nCircle sent us the following:
Tyler, Senior Security Engineer for nCircle (www.nCircle.com), found the flaw on Tuesday evening and it has since been verified by Microsoft, although Microsoft explains that the patch functions as expected.
Unfortunately for many enterprise security teams, the way it functions is that it does not protect hosts that have already been exploited, and any host with a WPAD entry, even a valid one, can be attacked if dynamic updates are enabled.
According to Tyler:
"This is not unlike the days of manually removing a virus after infection because AV vendors didn't release updates as quickly as they do today. The same is true with this vulnerability; you need to go system to system and manually remove the DNS entry if you've been exploited. The scary part is that the damages that can be done with this are just as bad as any virus.
"It is important to note that this requires dynamic DNS updates be allowed for an attacker to take advantage of it. Given Microsoft's approach to fixing this issue, a valid WPAD entry can be overwritten by an attacker and that is truly frightening.
"If an attacker is able to take control of the WPAD entry in DNS and all of the hosts on a network are configured to make use of WPAD, the attack will be able to successfully 'Man-in-the-Middle' every host resulting in a complete loss of the confidentiality and integrity for all web-based traffic.
"The impact of a successful 'Man-in-the-Middle' attack can result in stolen passwords in addition to monitoring and redirecting web traffic to sites containing malicious code.
"In a worst case scenario, if an attacker was able to control the WPAD entry and all hosts accessed the WPAD supplied proxy, the attacker could redirect all users to a page containing browser or image based exploits."
Update 2:
Microsoft has responded to the issue with an updated ARD posting.
The posting says, “One concern that was raised by a security researcher is that an attacker may have introduced a malicious WPAD entry through a dynamic DNS update. When you install the security update after such an attack has taken place, the WPAD name will not be added to the block list, and the attack will continue to be effective.”
Adding, “This is indeed not a scenario the security update, or any security update released by Microsoft aims to address. Security updates are intended to help protect the system against future exploitation, and don’t aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker.”
Technical details and Microsoft’s full explanation are here.