Title: Microsoft DHCP INFORM Configuration Overwrite
Version: 1.0
Issue type: Protocol Security Flaw
Affected vendor: Microsoft
Release date: 28/05/2014
Discovered by: Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status: Patch not available
==============================
Version: 1.0
Issue type: Protocol Security Flaw
Affected vendor: Microsoft
Release date: 28/05/2014
Discovered by: Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status: Patch not available
==============================
============================== ===================
Summary
-------
A vulnerability in Windows DHCP (http://www.ietf.org/rfc/ rfc2131.txt) was found on Windows OS versions
ranging from Windows 2000 through to Windows server 2003. This vulnerability allows an attacker to remotely
overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user
interaction. Successful exploitation of this issue will result in a remote network configuration
overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.
Technical details
-----------------
Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.
Impact
------
Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.
Affected products
-----------------
Windows:
- 2000
- XP
- 2003
Proof of concept
----------------
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.
git clone https://github.com/Spiderlabs/ Responder
Solution
--------
Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\ Interfaces\
Response timeline
-----------------
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment while looking at the DHCP issue for education purposes. Since multiple attempts were
made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what
code change made this DHCP INFORM issue different on Windows Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for
a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with
Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.
References
----------
* Responder: https://github.com/Spiderlabs/ Responder
* https://twitter.com/ PythonResponder
* http://blog.spiderlabs.com/ 2014/02/responder-20-owning- windows-networks-part-3.html
Summary
-------
A vulnerability in Windows DHCP (http://www.ietf.org/rfc/
ranging from Windows 2000 through to Windows server 2003. This vulnerability allows an attacker to remotely
overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user
interaction. Successful exploitation of this issue will result in a remote network configuration
overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.
Technical details
-----------------
Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.
Impact
------
Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.
Affected products
-----------------
Windows:
- 2000
- XP
- 2003
Proof of concept
----------------
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.
git clone https://github.com/Spiderlabs/
Solution
--------
Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\
Response timeline
-----------------
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment while looking at the DHCP issue for education purposes. Since multiple attempts were
made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what
code change made this DHCP INFORM issue different on Windows Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for
a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with
Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.
References
----------
* Responder: https://github.com/Spiderlabs/
* https://twitter.com/
* http://blog.spiderlabs.com/