Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotagedhosts-file lookup
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 24 Apr 2006 09:15:50 -0700

Response in-line: and the last one unless someone can post something
intelligent on the matter...

On 4/20/06 5:18 AM, "Geo." <geoincidents () nls net> spoketh to all:

MSN and MSDN.  It is to keep hosts file entries from taking users to
phishing sites where they may enter credentials that could be stolen.

So you agree with me, that it's more for passport functionality than to
allow trojaned users to get to windows update.

Um, no, I don't agree with you in the least.  It's not "more for passport
functionality."  Passport does not need to by-pass host entries to function.
We've already gone over what the behavior is for, but that doesn't seem to
matter to you.

It's not Microsoft's job to protect Symantec customers.

No it's not, it's Microsoft's job to protect windows users, millions of who
use NortonAV. But it would seem that MS is more interested in protecting
their user tracking information than the users.

Oh, I see now.  It's about tracking users now, is it?  So you're saying that
the exception list in dnsapi.dll is not only there for some super-secret
Passport "functionality" but now Microsoft is using it to protect "their
user tracking information?"  Brilliant.  I suppose that the next argument
will be that dnsapi.dll contains the secret as to where that one sock goes
after it's lost in the dryer, right?  Hey!  Maybe that's what winsock really
Because "hosts" is a simple text file that is designed to be edited and
maintained by the administrator of the machine.

It would be trivial to create a hosts editing GUI interface that could
manage a protected hosts file. Does anyone but me long for the days of the
NT team where they wouldn't do something if they couldn't do it right? I
mean what's next, they going to modify firewall settings if the user has
locked out features that are required for windowsupdate or passport to work?

Trivial, huh?  Get right on that, then.  If it's trivial, then write it up
and post it.  Of course, malware would only have to use the same hook that
the GUI does.  But you might have something here.  Let's see, rather than a
simple exception list, you'd rather have a "protected" hosts file that
requires a special GUI for administrators to use to manage host entries and
that would require additional API's for DNS to access it as well as other
3rd party functions, huh?  Administrators would have read/write, but users
would only be able to read it, right?  Yep, all you have to do is whip up a
nifty GUI that performs the proper token permission checking as well as
file-level permissions.  Utterly ridiculous, and it still does nothing to
prevent malware abuse.

This is really simple.  MyDoom altered the hosts file so people couldn't
hit go.microsoft.com, so they added an exception list for their sites.

The right way to fix it would have been to ask the user before bypassing
hosts since by your own statements hosts is a file for the administrator to
manage. Perhaps the admin put MS sites in hosts files to keep his users from
updating components on their own?

 The reason it wasn't documented was so that malware authors wouldn't know
 to bypass it, but now some do.  Oh well, worked for a while.

Oh please lets not justify sneaky stuff that affects a users security
settings by saying it had to be done sneaky so the hackers wouldn't know,
the hackers figure this stuff out in seconds. Just mark this as a stupid
idea and add a popup before it bypasses values in the hosts file so the user
is allowed to permit or deny it. Had they done that I would have defended
their actions, it's when they mess with a users security without asking that
I find it inappropriate behavior for a company like MS.

Let me get this straight:  After creating the magic GUI for hosts
management, Microsoft is to prompt the user with a pop-up that says
"Attention Stupid Administrator:  We are about to bypass the hosts file
entry for MSDN so that we can track your user information, ensure that
Passport functionality is maintained, as so that we can search for that sock
you lost in the dryer last week.  Are you sure that you don't want us to not
do that? Please click YES, NO, or MAYBE."

That would make it less stupid?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]