exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft DHCP INFORM Configuration Overwrite

Microsoft DHCP INFORM Configuration Overwrite
Posted May 30, 2014
Authored by laurent gaffie

A vulnerability in Windows DHCP was found on Windows OS versions ranging from Windows 2000 through to Windows server 2003. This vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.

tags | advisory, remote
systems | windows
SHA-256 | 68feec1acf88fdf52a32016c6e49e528f8ca6ec2c6263a77340e61f67e88e005

Microsoft DHCP INFORM Configuration Overwrite

Change Mirror Download
Title:           Microsoft DHCP INFORM Configuration Overwrite
Version: 1.0
Issue type: Protocol Security Flaw
Affected vendor: Microsoft
Release date: 28/05/2014
Discovered by: Laurent GaffiƩ
Advisory by: Laurent GaffiƩ
Issue status: Patch not available
===============================================================================

Summary
-------

A vulnerability in Windows DHCP (http://www.ietf.org/rfc/rfc2131.txt) was
found on Windows OS versions
ranging from Windows 2000 through to Windows server 2003. This
vulnerability allows an attacker to remotely
overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and
server configuration with no user
interaction. Successful exploitation of this issue will result in a remote
network configuration
overwrite. Microsoft acknowledged the issue but has indicated no plans to
publish a patch to resolve it.


Technical details
-----------------

Windows 2003/XP machines are sending periodic DHCP INFORM requests and are
not checking if the DHCP INFORM answer (DHCP ACK) is from the registered
DHCP server/relay-server. Any local system may respond to these requests
and overwrite a Windows 2003/XP network configuration by sending a properly
formatted unicast reply.

Impact
------

Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing
settings on the target system.

Affected products
-----------------

Windows:
- 2000
- XP
- 2003

Proof of concept
----------------
The DHCP.py utility found within the Responder toolkit can be used to
exploit this vulnerability.

git clone https://github.com/Spiderlabs/Responder

Solution
--------
Set a DWORD registry key "UseInform" to "0" in each subfolder found in
HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
-----------------
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment
while looking at the DHCP issue for education purposes. Since multiple
attempts were
made to have them be aware that any A-D environment by
default is vulnerable if Responder is running on the subnet. Also, MSRC was
asked what
code change made this DHCP INFORM issue different on Windows
Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code
change, however they mention that 'The product team is investigating
whether the RFC for
a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was
requested, but the logic behind it. Also, MSRC was asked if they were
successful with
Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if
they were successful with Responder in their environment.


References
----------
* Responder: https://github.com/Spiderlabs/Responder
* http://g-laurent.blogspot.ca/
* https://twitter.com/PythonResponder
*
http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    12 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close