Attacks Abuse Microsoft DHCP To Spoof DNS Records And Steal Secrets

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.

We’re told the attacks – which work against Microsoft Dynamic Host Configuration Protocol (DHCP) servers running in their default configuration – don’t require any credentials.

Akamai says it reported the issues to Redmond, which isn’t planning to fix the issue. Microsoft did not respond to The Register‘s inquiries.

The good news, according to Akamai, is that it hasn’t yet seen a server under this type of attack. The bad news: the firm’s flaw finders also told us that massive numbers of organizations are likely vulnerable, considering 40 percent of the “thousands” of networks that Akamai monitors are running Microsoft DHCP in the vulnerable configuration.

In addition to detailing the security issue, the cloud services biz also provided a tool that sysadmins can use to detect configurations that are at risk.

While the current report doesn’t provide technical details or proof-of-concept exploits, Akamai has promised to publish, in the near future, code that implements these attacks, called DDSpoof – short for DHCP DNS Spoof.

“We will show how unauthenticated attackers can collect necessary data from DHCP servers, identify vulnerable DNS records, overwrite them, and use that ability to compromise AD domains,” Akamai security researcher Ori David said.

The DHCP attack research builds on earlier work by NetSPI’s Kevin Robertson, who detailed ways to exploit flaws in DNS zones.

DHCP is a commonly used network management protocol, and Microsoft’s DHCP server is widely used in corporate networks. Organizations can create DNS records using a DHCP feature called DHCP DNS Dynamic Updates.

“Whenever a client is given an IP address by the DHCP server, the latter can contact the DNS server and update the client’s DNS record,” Akamai’s Ori David explained.

When the DHCP server registers or modifies a DNS record on behalf of its clients, it uses DNS Dynamic Updates — and therein lies the problem. DHCP DNS Dynamic Updates does not require any authentication by the DHCP client, and Microsoft DHCP servers enable DHCP DNS Dynamic Updates by default.

“So an attacker can essentially use the DHCP server to authenticate to the DNS server on behalf of themself,” David said. “This grants the attacker access to the ADIDNS zone without any credentials.”

While Robertson’s earlier ADIDNS (Active Directory Integrated DNS) spoofing attacks required valid domain credentials, going through the DHCP server does not, which puts the attacks within reach of a far wider array of miscreants.

This type of DHCP DNS spoofing attack was also covered by Hans Lakhan of TrustedSec.

Unauthenticated attackers are not limited to creating DNS records that don’t yet exist: they can also use the DHCP server to overwrite existing data. That includes DNS records inside the ADI zone wherever the DHCP server is installed on a domain controller, which David says is the case in 57 percent of the networks Akamai monitors.

“All these domains are vulnerable by default,” he wrote. “Although this risk was acknowledged by Microsoft in their documentation, we believe that the awareness of this misconfiguration is not in accordance with its potential impact.”

In addition to abusing Microsoft’s DHCP to create or overwrite DNS records, the team found another feature, DNSUpdateProxy group, that also poses a security risk – and potentially contains a bug.

DNSUpdateProxy is intended to allow clients to update DNS records and is especially useful in the case of upgrading from a legacy client to a newer Windows build. It also solves the problem of multiple DHCP servers needing to work together.

The issue with this group is that “any record that was created by members of this group could be ‘stolen’ by any authenticated user,” the flaw finders note. “This is not a vulnerability, it’s just an abuse of the feature’s design. This risk is acknowledged by Microsoft.”

However, Akamai also spotted what it says appears to be a bug in the DNSUpdateProxy feature. “When a member of the group creates its own DNS record, it’s created with the same vulnerable ACL, for which authenticated users have write permissions,” David said.

Again, we’re still waiting to hear from Microsoft about all of these issues and will update this story if and when we do. In the meantime, we’d suggest following Akamai’s advice: disable DHCP DNS Dynamic Updates if you haven’t already, and avoid DNSUpdateProxy altogether.

“Use the same DNS credential across all your DHCP servers instead,” is the advice. ®
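As an added illustration of how an administrator might audit for the configuration the article describes (the DHCP server registering DNS records on clients’ behalf, DHCP running on a domain controller, membership in DNSUpdateProxy, and whether a dedicated DNS credential is set), here is a PowerShell script written for this page. It is not Akamai’s detection tool and not from the article. It assumes the RSAT DhcpServer and ActiveDirectory modules are installed on a domain-joined host and that the running account can query the authorized DHCP servers and AD; the function name `Get-DhcpDnsUpdateRisk` and the `-Remediate` switch are this example’s own. The cmdlets it calls (`Get-DhcpServerInDC`, `Get-DhcpServerv4DnsSetting`, `Get-DhcpServerDnsCredential`, `Set-DhcpServerv4DnsSetting`, `Get-ADGroupMember`, `Get-ADDomainController`) are standard Microsoft cmdlets.

```powershell
<#
  Added audit example for this article (not Akamai's tool, not Microsoft's code).
  Assumes: RSAT DhcpServer + ActiveDirectory modules; an account that can query
  the authorized DHCP servers and Active Directory.
  Reports, per authorized DHCP server, the settings the article calls out.
  Nothing is changed unless -Remediate is given.
#>
function Get-DhcpDnsUpdateRisk {
    [CmdletBinding()]
    param(
        # When set, applies Akamai's first recommendation at server level:
        # stop the DHCP server from registering DNS records for clients.
        [switch]$Remediate
    )

    Import-Module DhcpServer -ErrorAction Stop
    Import-Module ActiveDirectory -ErrorAction Stop

    # Computer accounts in the built-in DnsUpdateProxy group: records they
    # create carry the weak ACL that authenticated users can write to.
    $proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
                      Select-Object -ExpandProperty SamAccountName)

    # Domain controllers, to flag the "DHCP installed on a DC" case that lets
    # overwrites reach records inside the AD-integrated zone.
    $dcNames = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

    foreach ($srv in Get-DhcpServerInDC) {
        $name = $srv.DnsName
        try {
            $dns  = Get-DhcpServerv4DnsSetting -ComputerName $name
            $cred = Get-DhcpServerDnsCredential -ComputerName $name
        } catch {
            Write-Warning "Could not query $name : $_"
            continue
        }

        # Scope-level DNS settings override the server default, so a server
        # set to Never can still register records from an individual scope.
        $scopeUpdates = @(foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name) {
            $s = Get-DhcpServerv4DnsSetting -ComputerName $name -ScopeId $scope.ScopeId
            if ($s.DynamicUpdates -ne 'Never') { "$($scope.ScopeId)=$($s.DynamicUpdates)" }
        })

        # A computer account's SamAccountName is the short host name plus '$'.
        $computerSam = (($name -split '\.')[0]) + '$'

        [pscustomobject]@{
            Server              = $name
            OnDomainController  = $dcNames -contains $name
            DynamicUpdates      = $dns.DynamicUpdates   # Always / OnClientRequest / Never
            NameProtection      = $dns.NameProtection
            HasDnsCredential    = -not [string]::IsNullOrEmpty($cred.UserName)
            DnsCredential       = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '' }
            InDnsUpdateProxy    = $proxyMembers -contains $computerSam
            ScopesStillUpdating = ($scopeUpdates -join ', ')
            AtRisk              = ($dns.DynamicUpdates -ne 'Never') -or ($scopeUpdates.Count -gt 0)
        }

        if ($Remediate -and $dns.DynamicUpdates -ne 'Never') {
            Set-DhcpServerv4DnsSetting -ComputerName $name -DynamicUpdates Never
        }
    }
}

# Usage (read-only report):
#   Get-DhcpDnsUpdateRisk | Format-Table -AutoSize
```

Run it without `-Remediate` first and review the `AtRisk`, `OnDomainController` and `InDnsUpdateProxy` columns; a server that shows `DynamicUpdates = Always` or `OnClientRequest`, sits on a domain controller, and has no DNS credential set is the combination the article describes. Where an organization cannot turn dynamic updates off, the second half of Akamai’s advice is to give every DHCP server the same dedicated DNS credential, which is set per server with `Set-DhcpServerDnsCredential -ComputerName <server> -Credential (Get-Credential)`; the `DnsCredential` column above shows whether they already match.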