The domain corp.com is for sale. It is dangerous for hundreds of thousands of corporate computers running Windows.

Diagram of data leakage through Web Proxy Auto-Discovery (WPAD) in the event of a name collision (here an internal domain collides with one of the new gTLDs, but the essence is the same). Source: University of Michigan study, 2016.

Mike O'Connor, one of the earliest investors in domain names, is putting up for sale the most dangerous and controversial lot in his collection: the domain corp.com, for $1.7 million. In 1994 O'Connor bought many simple domain names such as grill.com, place.com, pub.com and others. Among them was corp.com, which Mike has kept for 26 years. The investor is now 70 years old and has decided to monetize his old investments.

The whole problem is that corp.com is potentially dangerous for at least 375 corporate computers because of careless Active Directory configuration when corporate intranets were built on Windows Server 2000 in the early 2000s, with the internal root simply set to "corp". Until the early 2010s this was not a problem, but as laptops spread through the business environment, more and more employees began taking their work computers outside the corporate network. Because of how Active Directory is implemented, even without a direct user request to //corp, a number of applications (mail, for example) contact the familiar address on their own. When the machine is instead connected to the network of, say, a cafe around the corner, that flow of data and requests ends up at corp.com.

O'Connor now very much hopes that Microsoft itself will buy the domain and, in the best traditions of Google, lock it away somewhere dark and inaccessible, so that this fundamental vulnerability of Windows networks is finally closed.

Active Directory and name collision

Corporate Windows networks use the Active Directory directory service. It lets administrators enforce a uniform user workspace through group policies, deploy software to many computers through those same policies, perform authorization, and more.

Active Directory is integrated with DNS and runs over TCP/IP. Two mechanisms matter here: the Web Proxy Auto-Discovery (WPAD) protocol and DNS name devolution, a feature built into the Windows DNS client. Name devolution makes it easy to reach other computers or servers without typing a fully qualified domain name.

For example, if a company runs an internal network named internalnetwork.example.com and an employee wants to reach a shared drive called drive1, there is no need to type drive1.internalnetwork.example.com in Explorer: just type \\drive1 and the Windows DNS client completes the name itself.

In earlier versions of Active Directory, such as Windows 2000 Server, the second level of the corporate domain was set to corp by default, and many companies kept that default for their internal domain. Worse, many went on to build vast networks on top of this mistaken setup.

In the era of desktop computers this was not much of a security problem, because nobody took those computers out of the corporate network. But what happens when an employee of a company whose Active Directory path is corp takes a corporate laptop to the local Starbucks? This is where the Web Proxy Auto-Discovery (WPAD) protocol and DNS name devolution come into play.
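The following is an added example, not code from the article: a small model of how the Windows DNS client expands an unqualified name through its primary suffix and devolution, plus an audit that flags the candidate queries falling outside the DNS zones an organisation actually controls. It assumes devolution stops at two labels (Windows 2000-era behaviour); the zone and host names are constructed sample values, and wpad is the well-known WPAD host name.

```python
# Added example, not code from the article: a model of Windows DNS name
# devolution for unqualified names, plus an audit that flags the candidate
# queries which fall outside the DNS zones the organisation actually owns
# (those are the ones a public registrant of a colliding name can observe).
# Assumptions: devolution stops at `level` labels (2 for Windows 2000-era
# clients); zone and host names below are constructed sample values.

def devolution_candidates(name: str, primary_suffix: str, level: int = 2) -> list[str]:
    """FQDNs a Windows client tries, in order, for an unqualified `name`."""
    if "." in name or not primary_suffix:
        return [name]                       # already qualified, or no suffix to append
    labels = primary_suffix.strip(".").split(".")
    candidates = [f"{name}.{'.'.join(labels)}"]   # full primary suffix is tried first
    labels = labels[1:]                           # devolve: drop the leftmost label
    while len(labels) >= level:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def is_owned(fqdn: str, owned_zones: list[str]) -> bool:
    """True if `fqdn` sits inside a zone the organisation controls."""
    return any(fqdn == z or fqdn.endswith("." + z) for z in owned_zones)


def audit_suffix(primary_suffix: str, owned_zones: list[str],
                 hosts=("wpad", "drive1")) -> dict[str, list[str]]:
    """For each well-known host name, list the candidate queries that would
    leave the owned namespace if the internal name cannot be resolved."""
    return {
        host: [c for c in devolution_candidates(host, primary_suffix)
               if not is_owned(c, owned_zones)]
        for host in hosts
    }


if __name__ == "__main__":
    owned = ["example.com"]          # constructed: the org's registered domain
    # The article's own example: every devolved query stays inside example.com.
    print(audit_suffix("internalnetwork.example.com", owned))
    # A single-label "corp" domain: the only candidate lives in a TLD nobody
    # in the organisation controls, so a matching public name would see it.
    print(audit_suffix("corp", owned))
    # An internal domain literally named corp.com that the org does not own.
    print(audit_suffix("corp.com", owned))
```

Running the audit over every primary DNS suffix and search-list entry deployed in an environment is a quick way to spot internal names that can only be answered by someone else's public zone.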


It is highly likely that some services on the laptop will keep querying the internal domain corp, fail to find it, and instead have their requests resolved to the corp.com domain on the open Internet.

In practice this means that the owner of corp.com can passively intercept private requests from hundreds of thousands of computers that inadvertently leave the corporate environment while using corp as their Active Directory domain name.

Leakage of WPAD requests in US traffic. From a University of Michigan study, 2016 (source).

Why the domain has not been sold yet

In 2014, ICANN experts published a large study of name collisions in DNS. The study was funded in part by the US Department of Homeland Security, because information leaking from internal networks threatens not only commercial companies but also government organizations, including secret services, intelligence agencies and military units.

Mike wanted to sell corp.com last year, but researcher Jeff Schmidt convinced him to delay the sale on the strength of the aforementioned report. The study also revealed that 375 computers try to contact corp.com every day without their owners' knowledge. The requests contained attempts to log in to corporate intranets and to access networks or file shares.

As part of his own experiment, Schmidt worked with JAS Global to make corp.com mimic the way a Windows LAN handles files and requests. In doing so they effectively opened a portal to hell for any information security specialist:

It was terrible. We terminated the experiment after 15 minutes and destroyed [all received] data. A well-known tester who advised JAS on the matter noted that the experiment was like "raining down confidential information" and that he had never seen anything like it.

[We set up mail on corp.com] and after about an hour received over 12 million emails, after which we stopped the experiment. Although the vast majority of emails were automated, we found that some of them were sensitive [to security] and therefore we destroyed the entire data set without further analysis.

Schmidt believes that administrators around the world have unknowingly spent decades preparing the most dangerous botnet in history. Hundreds of thousands of fully functional working computers around the world are ready not only to become part of a botnet but also to hand over confidential data about their owners and companies. All it takes to use it is control of corp.com. Moreover, any machine that has ever been joined to a corporate network whose Active Directory was configured via //corp becomes part of that botnet.

Microsoft has ignored the problem for 25 years

If you think MS was somehow unaware of the ongoing bacchanalia around corp.com, you are seriously mistaken. Mike trolled Microsoft, and Bill Gates personally, back in 1997. Here is the page that users of the FrontPage '97 beta, which listed corp.com as the default URL, landed on:

[Screenshot: the page that FrontPage '97 beta users landed on at corp.com]

When Mike got tired of this, corp.com began redirecting users to a sex-shop site. In response he received thousands of angry emails from users, which he forwarded with Bill Gates in copy.

Incidentally, Mike also, out of curiosity, set up a mail server and received confidential mail on corp.com. He tried to resolve these problems himself by contacting the companies, but they simply did not know how to fix the situation:

Immediately, I began receiving confidential emails, including pre-drafted corporate financial statements to the US Securities and Exchange Commission, human resources reports, and other scary stuff. For a while I tried to correspond with corporations, but most of them didn't know what to do with it. So I finally just turned it off [the mail server].

Microsoft has taken no active steps, and the company declines to comment on the situation. Yes, over the years Microsoft has released several Active Directory updates that partially address domain name collisions, but they have a number of problems. The company has also published recommendations on naming internal domains, recommendations on owning the corresponding second-level domain to avoid collisions, and other guides that usually go unread.

But the main catch lies in the updates themselves. First, to apply them you have to take the company's entire intranet down. Second, after such updates some applications may start working more slowly or incorrectly, or stop working altogether. Clearly, most companies with an established corporate network will not take such risks. Moreover, many of them do not even realize the full scale of the threat: everything a machine sends once it is taken outside the internal network may end up redirected to corp.com.

The irony peaks when you read Schmidt's report on domain name collision research: according to his data, some of the requests to corp.com come from Microsoft's own intranet.


And what will happen next?

It would seem the solution is obvious and was described at the start of the article: let Microsoft buy the domain from Mike and lock it away in a back closet forever.

But it is not that simple. A few years ago Microsoft did offer to buy O'Connor's domain, toxic as it is for companies around the world. The catch: the giant offered only $20 for closing such a hole in its own networks.

Now the domain is on offer for $1.7 million. And even if Microsoft decides to buy it at the last moment, will it manage to do so?


What would you do if you were O'Connor?

  • 59.6% (501 votes): Let Microsoft buy the domain for $1.7 million, or someone else will buy it.

  • 3.4% (29 votes): I would sell for $20; I don't want to go down in history as the person who leaked such a domain to who knows whom.

  • 3.3% (28 votes): I would bury it myself forever if Microsoft can't make the right decision.

  • 21.2% (178 votes): I would deliberately sell the domain to hackers on the condition that they destroy Microsoft's reputation in the corporate environment. They have known about the problem since 1997!

  • 12.4% (104 votes): I would set up a botnet and mail server myself and start deciding the fate of the world.

840 users voted. 131 users abstained.

Source: habr.com
