The vulnerability MS09-008 affects the DNS server, more specifically WPAD (Web Proxy Autodiscovery Protocol) registration. This is a service that allows automatic configuration of proxy settings of the computers wihin a network without user intervention.
This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.
As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLMSYSTEMCurrentControlSetServicesDNSParameters, as you can see in the following screenshot:
Once created these values in the registry, if anyone tries to launch a “man-in-the-middle” attack it won’t success, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.
Usually, if you are vulnerable to an attack and you patch the system you feel safe. For instance, all of you know about Conficker, which infects the system using the vulnerability MS08-067. Even if you have been previously infected, you can apply the patch and you won’t be infected anymore through this vulnerability.
However, in the case of MS09-008 patch it doesn’t work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn’t solve the problem and the “man-in-the-middle” attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is “isatap” instead of “wpad isatap”, so the queries to WPAD are not being blocked.
To sum up: in case a successful attack has already taken place before applying the patch, your traffic can be being redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there “sniffing” all your traffic.
To solve this, it is only needed to add in the registry to the value GlobalQueryBlockList the data wpad and restart the DNS service.
Microsoft guys have blogged about this, you can find more information here.
Kudos to David Sanchez for the research.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
