Full Disclosure mailing list archives

RE: Mystery DNS Changes

From: "Kurt" <kurtbuff () spro net>
Date: Thu, 2 Oct 2003 10:35:36 -0700

That's not exactly the way it works for Windows boxes.

Anything that's statically entered will not be overridden by the DHCP
assignment. Thus, when they are touched by this web page, most likely
that's what's happening - they are getting a static assignment of DNS
servers from the trojan. That remains, even across reboots.

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of *Hobbit*
| Sent: Wednesday, October 01, 2003 13:11
| To: full-disclosure () lists netsys com
| Subject: Re: [Full-disclosure] Mystery DNS Changes
|
|
|    ... DHCP enabled workstations have had
|    their DNS reconfigured to point to two of the three addresses
|
| User-driven trojan or not, machines running DHCP can pretty much
| be told by a DHCP server that their leases are up and it's time to
| renumber, and then that their new DNS servers are X Y and maybe Z.
| This is part of the protocol, astoundingly enough, but spells
| "attack vector" any way *I* look at it.
|
| This would probably work on most cable-modem infrastructures, at
| least where the provider hasn't done anything about the fact that
| any customer [i.e. customer's box, forget the human] can become
| a rogue DHCP server.  Within a soft chewy corporate net, a rogue
| server probably presents an even higher risk cuz *none* of the end
| user boxes would have the benefit of a somewhat protective device
| [cable modem with clueful config] in between it and the rogue.
|
| Expect it.  Script your bootup to nuke dhclient/dhcpcd/whatever
| after it's gotten an address, and sanity-check what you get back.
| DHCP clients, at least in the unix world, generally run OUTSIDE
| your filters, as ROOT.  Windows users, you're probably just hosed,
| because if you stop "DHCP client" you release your address.
|
| _H*
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Mystery DNS Changes, (continued)
- RE: Mystery DNS Changes Schmehl, Paul L (Oct 01)
- RE: Mystery DNS Changes David Vincent (Oct 01)
- RE: Mystery DNS Changes tom_gordon (Oct 01)
- RE: Mystery DNS Changes Harris, Michael C. (Oct 01)
  - Re: Mystery DNS Changes Paul Tinsley (Oct 01)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 02)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Tinsley (Oct 03)
    - Re: [Snort-sigs] Re: Mystery DNS Changes Paul Schmehl (Oct 03)
- Re: Mystery DNS Changes *Hobbit* (Oct 01)
  - RE: Mystery DNS Changes Kurt (Oct 02)
- RE: Mystery DNS Changes Andre Ludwig (Oct 01)
- RE: Mystery DNS Changes Randal, Phil (Oct 02)
  - Re: Mystery DNS Changes Joe Stewart (Oct 02)
  - Re: Mystery DNS Changes Paul Tinsley (Oct 02)
- RE: Mystery DNS Changes Harris, Michael C. (Oct 02)
- RE: Mystery DNS Changes Schmehl, Paul L (Oct 02)
  - Re: Mystery DNS Changes KF (Oct 02)
- RE: Mystery DNS Changes Mike O'Connor (Oct 03)
  - RE: Mystery DNS Changes Paul Schmehl (Oct 03)
  - RE: Mystery DNS Changes Nick FitzGerald (Oct 03)

(Thread continues...)