Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets


A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.

We're told the attacks - which are possible against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers - don't require any credentials.

Akamai says it reported the issues to Redmond, which isn't planning to fix the issue. Microsoft did not respond to The Register's inquiries.

The good news, according to Akamai, is that it hasn't yet seen a server under this type of attack. The bad news: the firm's bug finders also told us that massive numbers of organizations are likely vulnerable, because 40 percent of the "thousands" of networks that Akamai monitors are running Microsoft DHCP in the vulnerable configuration.

In addition to detailing the security issue, the cloud services biz also provided a tool that sysadmins can use to detect configurations that are at risk.

While the current report doesn't include technical details or proof-of-concept exploits, Akamai has promised, in the near future, to publish code that implements these attacks, called DDSpoof - short for DHCP DNS Spoof.

"We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains," Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NetSPI's Kevin Robertson, who detailed ways to exploit flaws in DNS zones.

DHCP is a commonly used network management protocol, and Microsoft's DHCP server is widely used in corporate networks. Organizations can create DNS records using a DHCP feature called DHCP DNS Dynamic Updates.

"Whenever a client is given an IP address by the DHCP server, the latter can contact the DNS server and update the client's DNS record," Akamai's Ori David explained.

When the DHCP server registers or modifies a DNS record on behalf of its clients, it uses DNS Dynamic Updates - and therein lies the problem. DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.

"So an attacker can essentially use the DHCP server to authenticate to the DNS server on behalf of themself," David said. "This grants the attacker access to the ADIDNS zone without any credentials."

While Robertson's earlier ADIDNS (Active Directory Integrated DNS) spoofing attacks required valid domain credentials, using the DHCP server doesn't, and thus makes the attacks a lot more accessible to a wider range of miscreants.

This type of DHCP DNS spoofing attack was also covered by Hans Lakhan of TrustedSec.

In addition to creating non-existent DNS records, unauthenticated attackers can also use the DHCP server to overwrite existing data, including DNS records inside the ADI zone in instances where the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.

"All these domains are vulnerable by default," he wrote. "Although this risk was acknowledged by Microsoft in their documentation, we believe that the awareness of this misconfiguration is not in accordance with its potential impact."


In addition to abusing Microsoft's DHCP to create or overwrite DNS records, the team found another feature, the DNSUpdateProxy group, that also poses a security risk - and potentially contains a bug.

DNSUpdateProxy is designed to allow clients to update DNS records and is especially useful in the case of upgrading from a legacy client to a newer Windows build. It also solves the problem of multiple DHCP servers needing to work together.

The issue with this group is that "any record that was created by members of this group could be 'stolen' by any authenticated user," the bug finders note. "This is not a vulnerability, it's just an abuse of the feature's design. This risk is acknowledged by Microsoft."

However, Akamai also spotted what it says appears to be a bug in the DNSUpdateProxy feature. "When a member of the group creates its own DNS record, it's created with the same vulnerable ACL, for which authenticated users have write permissions," David said.

Again, we're still waiting to hear from Microsoft about all of these issues and will update this story if and when we do. But in the meantime, we'd suggest following Akamai's advice: disable DHCP DNS Dynamic Updates if you haven't already, and avoid DNSUpdateProxy altogether.

"Use the same DNS credential across all your DHCP servers instead," is the advice. ®
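As an added illustration of how an administrator could inventory the settings this article describes (dynamic updates left on, no dedicated DNS credential, DHCP co-located on a domain controller, DnsUpdateProxy membership), here is an audit script written for this page. It is not Akamai's detection tool or Microsoft code; it assumes the RSAT DhcpServer and ActiveDirectory modules and an account allowed to query the DHCP servers.

```powershell
# Added example, not from the article: audit every AD-authorised DHCP server for the
# DHCP-to-DNS settings discussed above. Read-only; remediation cmdlets are at the end.
Import-Module DhcpServer
Import-Module ActiveDirectory

$dcNames      = (Get-ADDomainController -Filter *).HostName
$proxyMembers = (Get-ADGroupMember -Identity 'DnsUpdateProxy').SamAccountName

$report = foreach ($srv in Get-DhcpServerInDC) {
    $fqdn  = $srv.DnsName
    $short = $fqdn.Split('.')[0]
    try {
        # DynamicUpdates: Always / OnClientRequest (Microsoft default) / Never.
        # Anything other than Never means the DHCP server writes DNS records on
        # behalf of clients that never authenticated to it.
        $dns  = Get-DhcpServerv4DnsSetting  -ComputerName $fqdn -ErrorAction Stop
        # A configured credential makes that account, not the server's own
        # computer account, the owner of the records it registers.
        $cred = Get-DhcpServerDnsCredential -ComputerName $fqdn -ErrorAction Stop
        $credName = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none>' }
        [pscustomobject]@{
            Server             = $fqdn
            DynamicUpdates     = $dns.DynamicUpdates
            DnsCredential      = $credName
            OnDomainController = $dcNames -contains $fqdn          # the 57 percent case
            InDnsUpdateProxy   = $proxyMembers -contains "$short`$"
            Flag               = ($dns.DynamicUpdates -ne 'Never') -or
                                 ($proxyMembers -contains "$short`$")
        }
    } catch {
        [pscustomobject]@{ Server = $fqdn; DynamicUpdates = 'unreachable'; DnsCredential = $_.Exception.Message;
                           OnDomainController = $dcNames -contains $fqdn; InDnsUpdateProxy = $null; Flag = $true }
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# Remediation matching the advice quoted in the article (run per flagged server):
#   Set-DhcpServerv4DnsSetting  -ComputerName <server> -DynamicUpdates Never
#   Set-DhcpServerDnsCredential -ComputerName <server> -Credential (Get-Credential)
#   Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members '<server>$'
```

The Flag column only reflects what the article calls out; review DnsCredential and OnDomainController alongside it before changing anything.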