lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20060414001320.GB11597@melpomene.jschipper.dynalias.net>
Date: Fri, 14 Apr 2006 02:13:21 +0200
From: Joachim Schipper <j.schipper@...h.uu.nl>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft DNS resolver: deliberately sabotaged
	hosts-file lookup


On Thu, Apr 13, 2006 at 06:29:15PM +0100, Dave Korn wrote:
> 
>   Hey, guess what I just found out:  Microsoft have deliberately sabotaged 
> their DNS client's hosts table lookup functionality.

> (...) I'd try to block (Windows Media Player) it in my hosts file.

>   Microsoft DNS client special-cases 'go.microsoft.com' and refuses to look 
> it up in the hosts file.

>   I'm running fully up-to-date Windows XP SP2.  I don't have any pfw 
> software that could conceivably be interfering, and the windows firewall is 
> running with more-or-less the default settings (I've only added a couple of 
> exceptions, no other changes).  I don't think this is a false positive.
> 
>   On reading through %WINDIR%\system32\dnsapi.dll with 'strings', I find the 
> following hostnames listed.  I assume they are all also singled out for 
> special treatment:-
> 
> www.msdn.com
> msdn.com
> www.msn.com
> msn.com
> go.microsoft.com
> msdn.microsoft.com
> office.microsoft.com
> microsoftupdate.microsoft.com
> wustats.microsoft.com
> support.microsoft.com
> www.microsoft.com
> microsoft.com
> update.microsoft.com
> download.microsoft.com
> microsoftupdate.com
> windowsupdate.com
> windowsupdate.microsoft.com
> 
> [  I've verified that the same behaviour occurs for office.microsoft.com, 
> exactly as for go.microsoft.com, but haven't tried any of the others yet. 
> I'd bet real money on it, though.  ]

What's your point? It's not like it's the first piece of software ever
to bypass the hosts file, is it? And if you're a software giant, that's
easy to do at a lower level.

Blacklisting IP addresses by /etc/hosts or equivalent is an extremely
broken way of blocking, anyway; and vague hacks like that need not be
supported. Use a real, non-host-based firewall.

Of course, you might wish to stop certain software from phoning home.
Fine, but use something that works - MS is evil in many ways, but not
because this particular hack happens not to work.

Switching to OSS quite nicely solves all these problems, though.

		Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ