Vulnerability Development mailing list archives
Re: Windows XP RC2
From: Christopher McCrory <chrismcc () pricegrabber com>
Date: Tue, 21 Aug 2001 16:50:57 -0700
Hello...
Dino wrote:
> Well I am not sure if you would consider this a bug, incident, monitoring or
> a feature, but in Windows XP RC2 that we loaded this weekend
> I noticed that M$ has Network Time Client built to keep correct time.
> This is good so that we do not have to grab a 3rd party app and install it,
> but what is disturbing is take a guess as to what the "default" Time Server
> that gets used???
> time.windows.com !!!
> Well for every install M$ can monitor/track who is running XP that has a Net
> connection.
Microsoft already does this with their Windows Update. About the time
the "this is done without sending any information to Microsoft" message
is displayed, the update server sends a DNS query for the reverse
in-addr.arpa address. I have a NAT setup: Linux for the desktop, which
also acts as an internal DNS server. I also have a machine for playing
Counter-Strike that dual boots with MS Windows 98. I recently ran
Windows Update and got this in my logs (I had bind in querylog mode
while I was testing some configs):
(wednesday is my machine name)
messages:Aug 19 11:00:00 wednesday named[590]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 19 11:00:00 wednesday named[589]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 19 11:00:00 wednesday named[590]: client 207.46.106.84#8535: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 19 11:00:57 wednesday named[590]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 19 11:00:57 wednesday named[589]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 19 11:00:57 wednesday named[590]: client 207.46.106.84#8699: query: 101.138.8.24.in-addr.arpa IN PTR
[chrismcc () wednesday log]$ host 207.46.106.84
84.106.46.207.in-addr.arpa. domain name pointer sjwu3dns1.windowsupdate.com.
I guess requesting information is not the same as sending it...
I just tried again:
messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 21 16:35:22 wednesday named[2986]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR
PIX log:
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:31: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
Aug 21 16:35:27 192.168.9.254 Aug 21 2001 16:35:36: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr MY.INTER.NAL.IP/53
> Yes you can simply pick another like my favorite
> "time-a.timefreq.bldrdoc.gov" and all is well, but that average user won't
> know this and may not even care, but they should ;)
> If you're really paranoid one can think well if the NTP is using
> time.windows.com what is stopping M$ from having some hidden app that can be
> communicated to once they grab the IP that queries their time server?!
> Thanks for listening
> Dino
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc () pricegrabber com
http://www.pricegrabber.com
I don't make jokes in base 13. Anyone who does should get help.
--Douglas Adams
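The correlation Christopher does by eye above (a BIND querylog PTR lookup for your own public address, matched against a PIX "Built UDP connection" to port 53 from the same foreign host) is written out below as an added Python example; it is not part of the original post. The sample log lines are constructed and modelled on the ones quoted in the message; the public address 24.8.138.101 and the LAN range come from the post, while the function names, the 5-second window and the placeholder laddr 192.168.9.1 are my own assumptions.

```python
"""Flag external hosts doing reverse (PTR) lookups of our own public IP.

Correlates BIND querylog lines with Cisco PIX %PIX-6-302005 "Built UDP
connection" lines: a foreign address that opens UDP/53 to the NAT global
address and, within a few seconds, asks our resolver for the PTR record of
that same global address is reported. Added example, not the post's code.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# BIND querylog via syslog: "<ts> <host> named[pid]: client IP#port: query: NAME IN TYPE"
BIND_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: client '
    r'(?P<client>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\w+)'
)
# PIX via syslog: "<receive ts> <pix ip> <pix ts>: %PIX-6-302005: Built UDP connection for faddr A/p gaddr B/p laddr C/p"
PIX_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ .*?%PIX-6-302005: Built UDP connection '
    r'for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+)'
)


def parse_ts(text):
    """Syslog timestamps carry no year; 1900 is fine for same-day deltas."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def ptr_to_ip(qname):
    """'101.138.8.24.in-addr.arpa.' -> '24.8.138.101'; None if not an IPv4 PTR name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def pix_dns_connections(pix_lines):
    """Map (faddr, gaddr) -> syslog times at which the PIX built UDP/53 to the global address."""
    seen = {}
    for line in pix_lines:
        m = PIX_RE.search(line)
        if m and m.group("gport") == "53":
            seen.setdefault((m.group("faddr"), m.group("gaddr")), []).append(parse_ts(m.group("ts")))
    return seen


def find_self_ptr_probes(bind_lines, pix_lines, public_ips, window_seconds=5):
    """Return PTR lookups of one of our public IPs made by a host outside the LAN.

    Each finding records the querying host, the address it looked up, the
    query time and whether the PIX saw that host open UDP/53 to the same
    global address within window_seconds. Duplicates are collapsed, because
    BIND logs the same query once per listener (named[590] and named[589] above).
    """
    public = {str(ipaddress.IPv4Address(ip)) for ip in public_ips}
    pix = pix_dns_connections(pix_lines)
    window = timedelta(seconds=window_seconds)
    findings, seen = [], set()
    for line in bind_lines:
        m = BIND_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        target, client = ptr_to_ip(m.group("qname")), m.group("client")
        if target not in public or ipaddress.IPv4Address(client).is_private:
            continue
        key = (m.group("ts"), client, m.group("port"), target)
        if key in seen:
            continue
        seen.add(key)
        ts = parse_ts(m.group("ts"))
        confirmed = any(abs(ts - t) <= window for t in pix.get((client, target), []))
        findings.append({"client": client, "target": target,
                         "time": m.group("ts"), "pix_confirmed": confirmed})
    return findings


# Constructed sample lines modelled on the post's grep'd syslog output (not the real logs).
SAMPLE_BIND = [
    "messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR",
    "messages:Aug 21 16:35:22 wednesday named[2986]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR",
    "messages:Aug 21 16:35:22 wednesday named[2987]: client 207.46.106.84#8478: query: 101.138.8.24.in-addr.arpa IN PTR",
    # LAN host resolving a name: ordinary traffic
    "messages:Aug 21 16:36:01 wednesday named[2987]: client 192.168.9.10#1034: query: www.example.com IN A",
    # LAN host reverse-resolving our own address: ordinary, skipped as internal
    "messages:Aug 21 16:36:05 wednesday named[2987]: client 192.168.9.10#1035: query: 101.138.8.24.in-addr.arpa IN PTR",
    # outside host reverse-resolving an address that is not ours
    "messages:Aug 21 16:40:00 wednesday named[2987]: client 198.51.100.7#2048: query: 1.0.0.10.in-addr.arpa IN PTR",
]
SAMPLE_PIX = [
    "Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:31: %PIX-6-302005: Built UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr 192.168.9.1/53",
    "Aug 21 16:35:22 192.168.9.254 Aug 21 2001 16:35:32: %PIX-6-302006: Teardown UDP connection for faddr 207.46.106.84/8478 gaddr 24.8.138.101/53 laddr 192.168.9.1/53",
]

if __name__ == "__main__":
    for f in find_self_ptr_probes(SAMPLE_BIND, SAMPLE_PIX, ["24.8.138.101"]):
        print(f)
```

On the sample data this reports exactly one event: 207.46.106.84 asking for the PTR of 24.8.138.101 at 16:35:22, with the PIX connection to UDP/53 confirming it. Run it against real files with `find_self_ptr_probes(open("messages"), open("pix.log"), ["your.public.ip"])`; a PTR query for your own address that arrives from outside but has no matching PIX entry is worth a second look, since it means the query reached BIND by a path the firewall did not log.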