Monday, August 14, 2006

No network is safe

Mike Rothman wrote a very good article about what he saw at Black Hat. I really appreciate the tips he gives in this article, like putting the focus on containment and monitoring/detection. This is exactly the way I think internal network security should be done.

Tuesday, August 8, 2006

Again on MS06-041

This is one of those vulnerabilities that can really bring big problems (like very aggressive worms and viruses).

The vulnerability is in the Windows DNS client. It seems that it can be exploited by specially crafted Resource Records (RRs) in responses from a malicious server. They are not RRs usually present in the queries generated by common user activity, but I'm curious about how an attacker can force a client to issue the "vulnerable query".

I went to check some DNS response details and I noticed that the server can send "Additional RRs" in the response. My remaining questions are:

1 - Can the exploitable RRs be sent inside the "additional" part of a response to a common A/CNAME query?
2 - Can the vulnerability be exploited when the crafted RRs are inside the "additional" section?
3 - When recursive queries are used, are the additional records sent by a server forwarded to the original source of the query?

Depending on the answers to these questions, the severity level of the vulnerability changes. In the worst case any DNS server and an HTML e-mail can be enough to exploit it.

Another problem can be Windows servers that resolve names (or IPs into names) when logging requests (like web servers and proxies). The malicious guy accesses the server, which tries to resolve his IP to a name to put in the log. The answer comes back with additional records carrying the exploit. Bingo! Owned. Wow. While in doubt, folks, patch ASAP.
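To make question 1 concrete from the monitoring side, here is an added example (not from the original post) that parses a DNS response and reports additional-section records whose type is not in an allowlist for a plain A/CNAME lookup. The sample packet is constructed inline, and the allowlist and the use of TXT as the "out of place" type are assumptions for illustration, not the bulletin's list of affected record types.

```python
import struct

# Record types normally seen alongside a plain A/CNAME lookup (assumed allowlist).
EXPECTED_TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}

def read_name(pkt, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = off + 2                        # name ends after the pointer
            off, jumped = ((ln & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(pkt):
    """Return (questions, {section: [(name, rtype), ...]}) for a DNS response."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, questions, sections = 12, [], {}
    for _ in range(qd):
        name, off = read_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4]); off += 4
        questions.append((name, qtype))
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
            rrs.append((name, rtype)); off += rdlen     # skip RDATA, only the type matters here
        sections[sec] = rrs
    return questions, sections

def unexpected_additional(pkt):
    """Additional-section RRs whose type is outside the allowlist for an A/CNAME query."""
    questions, sections = parse_response(pkt)
    if not questions or questions[0][1] not in (1, 5):
        return []
    return [(n, t) for n, t in sections["additional"] if t not in EXPECTED_TYPES]

# Constructed sample: reply to "www.example.com A" with one A answer and one TXT RR
# placed in the additional section (TXT chosen only as an out-of-allowlist type).
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
          + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
          + b"\xc0\x10" + struct.pack("!HHIH", 16, 1, 300, 6) + b"\x05hello")
```

Running `unexpected_additional(SAMPLE)` flags the TXT record riding in the additional section of an otherwise ordinary A reply, which is the kind of anomaly a resolver-side monitor could alert on.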

Creepy MS06-041

I still haven't found detailed information about MS06-041, but it seems to be related to the Windows DNS client.

DNS client vulnerabilities are freaking scary. Depending on what the problem is about, one can exploit thousands of workstations with a single DNS server and a mass-mailed HTML e-mail. Patch as soon as the update is available.

Wednesday, August 2, 2006

Reviewing concepts

Schneier posted a comment today on his blog about an idea from Dave Piscitello mentioned on the Firewall Wizards mailing list. Dave says that besides the already known concepts of Authentication, Authorization, Availability and Authenticity, there is also a need for "admissibility". This concept is related to the trustworthiness of the other endpoint of the connection (like whether it's free from keyloggers). Initially I thought it might be just a different way to look at aspects of the other concepts, but now I think it really makes sense. I like these out-of-the-box discussions about basic concepts; I believe big advances are born from them.

With the five-property view it's clear that two-factor authentication is not enough (it does not deal with admissibility) to solve the problem of Internet banking session security. A good example of applicability.