[isalist] Re: FW: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 13:28:59 -0300

http://www.ISAserver.org
-------------------------------------------------------

:)....not just the SBS list then that's full of ...............

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, April 24, 2006 1:25 PM
To: ISA Mailing List
Subject: [isalist] FW: [Full-disclosure] Microsoft DNS resolver:
deliberately sabotaged hosts-file lookup

http://www.ISAserver.org
-------------------------------------------------------

I just couldn't wait for BT to post this.  Coming soon, the HOSTS
GUI!!!!
Jeeze....

t


------ Forwarded Message
From: "Thor   (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Mon, 24 Apr 2006 09:15:50 -0700
To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Conversation: [Full-disclosure] Microsoft DNS resolver: deliberately
sabotaged hosts-file lookup
Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately
sabotaged hosts-file lookup


Response in-line: and the last one unless someone can post something
intelligent on the matter...


On 4/20/06 5:18 AM, "Geo." <geoincidents@xxxxxxx> spoketh to all:

>> MSN and MSDN.  It is to keep hosts file entries from taking users to 
>> phishing sites where they may enter credentials that could be stolen.
> 
> So you agree with me, that it's more for passport functionality than 
> to allow trojaned users to get to windows update.

Um, no, I don't agree with you in the least.  It's not "more for
passport functionality."  Passport does not need to by-pass host entries
to function.
We've already gone over what the behavior is for, but that doesn't seem
to matter to you.

>> It's not Microsoft's job to protect Symantec customers.
> 
> No it's not, it's Microsoft's job to protect windows users, millions 
> of who use NortonAV. But it would seem that MS is more interested in 
> protecting their user tracking information than the users.

Oh, I see now.  It's about tracking users now, is it?  So you're saying
that the exception list in dnsapi.dll is not only there for some
super-secret Passport "functionality" but now Microsoft is using it to
protect "their user tracking information?"  Brilliant.  I suppose that
the next argument will be that dnsapi.dll contains the secret as to
where that one sock goes after it's lost in the dryer, right?  Hey!
Maybe that's what winsock really is!! 
 
>> Because "hosts" is a simple text file that is designed to be edited 
>> and maintained by the administrator of the machine.
> 
> It would be trivial to create a hosts editing GUI interface that could
> manage a protected hosts file. Does anyone but me long for the days of
> the NT team where they wouldn't do something if they couldn't do it
> right? I mean what's next, they going to modify firewall settings if
> the user has locked out features that are required for windowsupdate
> or passport to work?

Trivial, huh?  Get right on that, then.  If it's trivial, then write it
up and post it.  Of course, malware would only have to use the same hook
that the GUI does.  But you might have something here.  Let's see,
rather than a simple exception list, you'd rather have a "protected"
hosts file that requires a special GUI for administrators to use to
manage host entries and that would require additional API's for DNS to
access it as well as other 3rd party functions, huh?  Administrators
would have read/write, but users would only be able to read it, right?
Yep, all you have to do is whip up a nifty GUI that performs the proper
token permission checking as well as file-level permissions.  Utterly
ridiculous, and it still does nothing to prevent malware abuse.


>> This is really simple.  MyDoom altered the hosts file so people
>> couldn't hit go.microsoft.com, so they added an exception list for
>> their sites.
>
> The right way to fix it would have been to ask the user before
> bypassing hosts since by your own statements hosts is a file for the
> administrator to manage. Perhaps the admin put MS sites in hosts files
> to keep his users from updating components on their own?
>
>> The reason it wasn't documented was so that malware authors wouldn't
>> know to bypass it, but now some do.  Oh well, worked for a while.
>
> Oh please let's not justify sneaky stuff that affects a user's security
> settings by saying it had to be done sneaky so the hackers wouldn't
> know, the hackers figure this stuff out in seconds. Just mark this as
> a stupid idea and add a popup before it bypasses values in the hosts
> file so the user is allowed to permit or deny it. Had they done that I
> would have defended their actions, it's when they mess with a user's
> security without asking that I find it inappropriate behavior for a
> company like MS.

Let me get this straight:  After creating the magic GUI for hosts
management, Microsoft is to prompt the user with a pop-up that says
"Attention Stupid Administrator:  We are about to bypass the hosts file
entry for MSDN so that we can track your user information, ensure that
Passport functionality is maintained, and so that we can search for that
sock you lost in the dryer last week.  Are you sure that you don't want
us to not do that? Please click YES, NO, or MAYBE."

That would make it less stupid?

t

------ End of Forwarded Message
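The thread turns on one detail: the hosts file is a plain text file that malware such as MyDoom rewrote to block go.microsoft.com, and Windows answers by silently ignoring hosts entries for a built-in list of its own names. An administrator who wants to know whether their hosts file has been tampered with that way can check for it directly. The following is an added example, not code from this thread or from Microsoft; the sample hosts content, the watch-list domains and the helper names (parse_hosts, on_watch_list, find_hijacks) are constructed for illustration.

```python
"""Scan a Windows-style hosts file for entries that override update or
vendor hostnames, the MyDoom-style tampering discussed in the thread.

Constructed example: the sample hosts text and WATCH_DOMAINS are made up
for illustration, and the helper names are hypothetical."""
import ipaddress

# Domains the thread names as targets of hosts-file tampering; any
# hostname at or under one of these is treated as a watch-list name.
WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "msn.com")

# Constructed sample hosts file: one loopback block, one 0.0.0.0 block
# and one unrelated local override that should not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       go.microsoft.com          # MyDoom-style block
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      www.example.com           # unrelated local override
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address: ignore the line
        for name in parts[1:]:
            yield ip, name.lower()

def on_watch_list(name):
    """True if name equals a watch-list domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)

def find_hijacks(text):
    """Return (hostname, address) for every watch-list name the hosts file
    overrides. Any such entry is suspicious: a loopback or 0.0.0.0 mapping
    blocks the site, anything else redirects it."""
    return [(name, str(ip)) for ip, name in parse_hosts(text) if on_watch_list(name)]

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a real machine the text would be read from %SystemRoot%\System32\drivers\etc\hosts; the check only reports what the file says, so a match is a prompt to look at who wrote the entry, not proof of infection.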


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 
