MS09-008 explained: DNS and WINS server security patches

Source: Internet
Author: User

Peter Pan

After security update MS09-008 was released, many people said the WPAD fix (CVE-2009-0093) in the update was ineffective, but it is in fact a very important update that users should apply as soon as possible. This article explains how the complete security update protects the system.

This security update fixes several different vulnerabilities and defends against several different attack vectors:

1. DNS Server Query Validation Vulnerability (CVE-2009-0233)

2. DNS Server Validation Vulnerability (CVE-2009-0234)

3. DNS Server Vulnerability in WPAD Registration (CVE-2009-0093)

4. WPAD WINS Server Registration Vulnerability (CVE-2009-0094)

We will discuss these vulnerabilities in depth, starting with the query and validation vulnerabilities and then moving on to WPAD registration.

DNS Server Query and Validation Vulnerabilities

CVE-2009-0233 and CVE-2009-0234 are two serious vulnerabilities that an attacker could exploit to spoof DNS responses by sending specially crafted DNS queries.

The DNS transaction ID identifies a single DNS transaction. The DNS server uses this ID to determine whether a response to its query is legitimate. When the transaction ID is predictable, an attacker can forge a valid-looking response to a query the server has sent, and in this way insert arbitrary addresses into the DNS cache.

In these two vulnerabilities, the server does not cache a specific type of DNS response, so an attacker can make the DNS server request a specific resource record (RR) over and over again; with enough attempts, the attacker can find the correct transaction ID and source port combination and successfully spoof the response. This security update addresses the problem by improving DNS caching and reuse for these specific query types.
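To make the reasoning above concrete, here is an added example (not code from the article or from Microsoft) that models the two factors the text names: how many (transaction ID, source port) combinations a forged reply must match, and how many outbound queries, each a window for a forged reply, an attacker-driven client can provoke when the server does or does not cache a record type. The 14-bit port estimate and the once-per-second lookup rate are assumptions of the model.

```python
TXID_BITS = 16   # the DNS transaction ID is a 16-bit field

def guess_space(predictable_txid, randomized_port, port_bits=14):
    """Number of (transaction ID, source port) combinations a forged reply must
    match. A predictable (e.g. sequential) ID collapses the ID to a single guess;
    port_bits=14 assumes roughly 16k usable ephemeral ports, an assumption of
    this model rather than a figure from the article."""
    bits = (0 if predictable_txid else TXID_BITS) + (port_bits if randomized_port else 0)
    return 1 << bits

def spoof_probability(forged_per_window, windows, space):
    """Chance that at least one forged reply is accepted, given `windows`
    independent outbound queries and `forged_per_window` guesses into each."""
    p = min(1.0, forged_per_window / space)
    return 1.0 - (1.0 - p) ** windows

class RecordTypeCache:
    """Minimal model of the server's cache for one RR type. caches=False is the
    pre-update behaviour the article describes: the type is never cached, so
    every client lookup for the name triggers a fresh upstream query."""
    def __init__(self, caches, ttl):
        self.caches, self.ttl = caches, ttl
        self.expires = {}          # name -> time the cached answer expires
        self.upstream_queries = 0

    def lookup(self, name, now):
        if self.expires.get(name, -1) > now:
            return False           # served from cache: no window for a forged reply
        self.upstream_queries += 1
        if self.caches:
            self.expires[name] = now + self.ttl
        return True

def spoof_windows(caches, lookups, ttl=3600):
    """Upstream queries (each one a spoofing window) produced when a client asks
    the server for the same name once per second for `lookups` seconds."""
    cache = RecordTypeCache(caches, ttl)
    return sum(cache.lookup("target.example", t) for t in range(lookups))

if __name__ == "__main__":
    for caches in (False, True):
        w = spoof_windows(caches, 1000)
        for pred, rnd in ((True, False), (False, False), (False, True)):
            s = guess_space(pred, rnd)
            print(f"cached={caches} windows={w} space={s} "
                  f"P(at least one accepted forgery)={spoof_probability(200, w, s):.4f}")
```

Running it shows that caching alone cuts a thousand windows down to one per TTL, and that a predictable ID makes the size of the port space irrelevant; the update's caching fix and ID/port randomization address the two factors separately.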

DNS Server Vulnerability in WPAD Registration

CVE-2009-0093 addresses how an attacker could abuse Web Proxy Auto-Discovery (WPAD) and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

This is usually a local domain attack, because there is a certain degree of trust between domain members. Windows DNS allows clients to dynamically update the host names registered on the DNS server; in the most common configuration this requires secure dynamic updates. Once a client has authenticated to the domain, it can update its own name on the DNS server. If the WPAD or ISATAP name is not yet registered, any domain-authenticated user can register his or her machine under either of those two names.

Why would an attacker choose to register the ISATAP and WPAD names? Because clients look up these two well-known names by default to obtain specific functions: WPAD tells the host how to configure the proxy server it should connect through, and ISATAP points to the tunnel server that connects IPv6 hosts across an IPv4 network.

WPAD is commonly used as an enterprise-wide feature. For that reason Microsoft was very careful when releasing this update: it had to protect customers without breaking a feature that customers depend on.

This security update protects customers by deploying a block list on the DNS server. The block list contains the feature names that the DNS server will no longer resolve. The list is stored under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\QueryBlockList

If the WPAD and ISATAP names are not registered when the security update is installed, both names are added to the block list. When a client queries for these names, the DNS server returns a negative response even if an attacker has since registered them.

However, if the DNS server already has a WPAD or ISATAP entry before the security update is installed, that name is not added to the block list and the server continues to answer for it. For example, if the DNS server has a resource record named WPAD configured, the security update adds only ISATAP to the block list. If neither WPAD nor ISATAP is configured, the block list contains both names.

This is necessary because many Windows customers use these features legitimately. If the block list blocked these names in every case, it would break those configurations, and the administrator would have to remove the entries from the block list manually.

A security researcher raised the concern that an attacker might already have introduced a malicious WPAD entry through dynamic DNS update. If such an attack is under way when the security update is installed, the WPAD name will not be added to the block list and the attack will remain effective.

This is not a problem that this security update, or any security update, is designed to solve. Security updates are designed to protect the system from future attacks, not to stop attacks that are already in progress, and they cannot actively change the current configuration. At installation time there is no way to know whether the WPAD entry was configured by an administrator or by an attacker.

Users who are concerned about this can verify the IP addresses assigned to any existing WPAD or ISATAP entries in their DNS zones by using the DNS MMC snap-in:

1. Open the DNS MMC snap-in from the Administrative Tools group;

2. Expand "Forward Lookup Zones";

3. In each zone, look for Host (A), IPv6 Host (AAAA), or Alias (CNAME) records named WPAD or ISATAP.

In addition, KB article 968732 describes in detail how a DNS administrator can manually edit the DNS block list in his environment.

WPAD WINS Server Registration Vulnerability

CVE-2009-0094 covers the same vulnerability as the DNS server vulnerability in WPAD registration, but for WINS: a WPAD-configured client can find the proxy host by looking up the WPAD name in WINS instead of DNS. This security update deploys a WINS block list, with the "WPAD" and "ISATAP" names pre-added unless those names already exist in the WINS database. The WINS block list is stored under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS\Parameters\QueryBlockList

You can use the WINS MMC snap-in to verify whether the WPAD name is registered in the WINS database:

1. Open the WINS MMC snap-in from the Administrative Tools group;

2. Right-click "Active Registrations" and select "Display Records";

3. On the "Record Mapping" tab, select "Filter records matching this name pattern" and enter "wpad".

Any WPAD name registration will be displayed in the "Active Registrations" window, as shown below:

[Screenshot of the WINS "Active Registrations" window; the image is not available in this copy.]

KB article 968731 describes in detail how a WINS administrator can edit the WINS block list. Note that the WINS block list is completely independent of the DNS block list, and neither list is replicated between servers.
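The block-list rule described for DNS above and for WINS here is the same: a protected name is pre-loaded only if it is not already registered when the update installs. The following is an added example (not code from the article, Microsoft, or the KB articles) that applies that rule to a constructed zone export in the "dnscmd /zoneexport" text layout and to a constructed list of WINS active registrations, and that flags the existing WPAD/ISATAP records an administrator must review by hand; the zone contents, names and addresses are illustrative.

```python
PROTECTED_NAMES = ("wpad", "isatap")   # names the update pre-loads into the block lists
CHECKED_TYPES = {"A", "AAAA", "CNAME"}  # record types the article says to inspect

# Constructed sample zone export (illustrative names, 192.0.2.0/24 documentation addresses)
ZONE_EXPORT = """\
; Database file corp.example.dns for corp.example zone.
@      3600 IN SOA   dc1.corp.example. hostmaster.corp.example. ( 7 900 600 86400 3600 )
@      3600 IN NS    dc1.corp.example.
dc1    3600 IN A     192.0.2.10
wpad   1200 IN A     192.0.2.77
proxy  3600 IN A     192.0.2.20
www    3600 IN CNAME proxy
"""

# Constructed WINS "Active Registrations" names, written NAME[suffix] as the console shows them
WINS_REGISTRATIONS = ["DC1[00h]", "DC1[20h]", "ISATAP[00h]", "FILESRV[20h]"]

def find_protected_records(zone_text):
    """Return (owner, type, rdata) for every A/AAAA/CNAME record owned by wpad or
    isatap. These are the entries to verify by hand, because the update leaves a
    name that already exists in the zone unblocked."""
    hits = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()       # drop comments, then tokenize
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner, rtype = tokens[0].lower().rstrip("."), tokens[i + 1]
        if rtype in CHECKED_TYPES and owner.split(".")[0] in PROTECTED_NAMES:
            hits.append((owner, rtype, " ".join(tokens[i + 2:])))
    return hits

def derive_block_list(existing_names):
    """Apply the rule from the article: a protected name is added to the block
    list only when it is not already registered at install time."""
    present = {n.lower() for n in existing_names}
    return [n for n in PROTECTED_NAMES if n not in present]

def dns_block_list_for_zone(zone_text):
    owners = (owner.split(".")[0] for owner, _, _ in find_protected_records(zone_text))
    return derive_block_list(owners)

def wins_block_list(registrations):
    # strip the NetBIOS suffix "[00h]" that the WINS console appends to each name
    return derive_block_list(r.split("[", 1)[0] for r in registrations)

if __name__ == "__main__":
    print("DNS records to review:", find_protected_records(ZONE_EXPORT))
    print("DNS block list after install:", dns_block_list_for_zone(ZONE_EXPORT))
    print("WINS block list after install:", wins_block_list(WINS_REGISTRATIONS))
```

With the sample data, the DNS server ends up blocking only ISATAP (WPAD already exists and its A record at 192.0.2.77 is what an administrator should confirm), while the WINS server, which already has ISATAP registered, blocks only WPAD.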

I hope this article answers the questions you had about this security update. It fixes several vulnerabilities, and IT Expert Network recommends that you install the patch on your computers as soon as possible.
