Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hos

from [Joachim Schipper] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
Date: Fri, 14 Apr 2006 02:13:21 +0200 
On Thu, Apr 13, 2006 at 06:29:15PM +0100, Dave Korn wrote:


  Hey, guess what I just found out:  Microsoft have deliberately sabotaged 
their DNS client's hosts table lookup functionality.



(...) I'd try to block (Windows Media Player) it in my hosts file.



  Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look 
it up in the hosts file.



  I'm running fully up-to-date Windows XP SP2.  I don't have any pfw 
software that could conceivably be interfering, and the windows firewall is 
running with more-or-less the default settings (I've only added a couple of 
exceptions, no other changes).  I don't think this is a false positive.

  On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find the 
following hostnames listed.  I assume they are all also singled out for 
special treatment:-

www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

[  I've verified that the same behaviour occurs for office.microsoft.com, 
exactly as for go.microsoft.com, but haven't tried any of the others yet. 
I'd bet real money on it, though.  ]


What's your point? It's not like it's the first piece of software ever
to bypass the hosts file, is it? And if you're a software giant, that's
easy to do at a lower level.

Blacklisting IP addresses by /etc/hosts or equivalent is an extremely
broken way of blocking, anyway; and vague hacks like that need not be
supported. Use a real, non-host-based firewall.

Of course, you might wish to stop certain software from phoning home.
Fine, but use something that works - MS is evil in many ways, but not
because this particular hack happens not to work.

Switching to OSS quite nicely solves all these problems, though.

                Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  TalentSoft Web+Shop Path Disclosure, revnic
Next by Date:  Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup, J.A. Terranson
Previous by Thread:  Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup, dumdidumdideldey
Next by Thread:  RE: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup, Mario Contestabile
Indexes:  [Date] [Thread] [Top] [All Lists]