Security WebLog

Metasploit Bailiwick DNS Exploit Adds Domains

Posted by Christopher on Thu, 2008-07-24 00:13

Overnight, the Metasploit DNS exploit module has continued to evolve to more devastating effect.  Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher, named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them.  Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments!

Metasploit DNS Exploit Now Reality

Posted by Christopher on Wed, 2008-07-23 10:33

As previously predicted, HD Moore has checked in an exploit for the DNS vulnerability originally discovered by Dan Kaminsky.  This auxiliary module is named "DNS BailiWicked Attack" (Auxiliary::Spoof::Dns::BailiWickedHost).  Written by |)ruid and hdm, it appears to be a fully functioning, easy-to-use exploit.

From the exploit module code:

Metasploit DNS Exploit Under Development

Unless you are living under a security rock, you've probably heard that details of Dan Kaminsky's multi-vendor DNS vulnerability were inadvertently leaked.  If you don't know what this is about, you can read about it here.  Unfortunately, it's going to get worse.

Protecting Windows RemoteApp Servers

Posted by Christopher on Mon, 2008-05-19 20:05

As mentioned previously, many GUI applications running under the RemoteApp feature in Windows Server 2008 or Citrix Application Publishing can be coaxed into running an unintended application for a remote adversary.  Although it appears that the user is only running a single application, the server launches a full desktop environment in the background.

It's also easy to do without the proper security in place.  For example, although an administrator can hide the address bar and menu bar in IE, an attacker could just as well right-click, choose View Source, then File > Open from the Notepad window that appears.  Although this can also be blocked, there are other methods waiting in the wings.  In fact, I've found at least 10 ways to break out of Internet Explorer alone.  The following technique can help prevent these issues.

Root Name Server IP Space Mixup

Posted by Christopher on Mon, 2008-05-19 09:47

Recently ICANN changed the IP address for the L.root-servers.net DNS root name server from 198.32.64.12 to 199.7.83.42.  What happened next is interesting.

According to the Renesys Blog, three separate sites advertised the IP space containing the previous IP of the L root name server.  One of these sites, ep.net (AS4555), apparently had a legitimate reason to do so: they are the owners of the space.  Two others, Community DNS (AS42909) and Diyixian.com (AS9584), also followed suit.  It's possible that they had permission from the owner to do so.  What's interesting is that these providers apparently operated functioning DNS servers on those IP addresses.  This could be done to redirect (hijack) traffic, but according to the article that does not appear to be the case.  Apparently no one noticed that this happened, because the sites continued to serve up valid root zone responses.

As they point out in the article, why would anyone want to do so?  Root DNS traffic is a staggering amount of traffic, and the hardware alone needed to respond to those requests would be pretty impressive.

Hijacked IP space (both accidental and purposeful) is a common phenomenon.  Although BGP announcements should be filtered at the upstream Service Provider (SP), often they are not.  An attacker could potentially exploit this to drive a portion of Internet traffic through their own network, or to perform a denial of service against the DNS infrastructure.

Hopefully we'll hear more about what caused the (probably innocuous) advertisements of L.root-servers.net.

Breaking Out of Windows RemoteApps

Posted by Christopher on Thu, 2008-05-08 11:44

Microsoft has included a new feature in Windows Server 2008 to allow sharing individual applications through Terminal Services.  This is not a new concept: Citrix has been offering something similar for a long time.  Microsoft is also now offering a Terminal Services Gateway and TS Web Gateway for accessing Terminal Services, and RemoteApps, from the Internet.  What isn't well known, but also isn't new, is the ability to 'break out' of these applications and access other applications and files on the Terminal Server.  It is very easy to break out of GUI apps, even for non-technical people.  Below I will highlight a few examples of running other applications from a RemoteApp, and later I will follow with a number of configuration suggestions for securing your server.

The One TNC

Posted by Christopher on Thu, 2008-05-01 08:43

Three Consoles for the Network Devices under the cloud,
Seven for the Firewalls with their walls of stone,
Nine for IDSes Gartner said were doomed to die,
One for the SIEM on his dark throne
In the Land of Networks where the Hackers lie.
One TNC to rule them all, One TNC to find them,
One TNC to bring them all and in the darkness bind them
In the Land of Networks where the Hackers lie.

(with apologies to J. R. R. Tolkien)

UAC without the Prompting

Posted by Christopher on Fri, 2008-04-25 20:33

Search for "Vista UAC" and you'll find, within the top ten results, a number of sites which tell you how to disable UAC prompting in Vista.  What if it were possible to get the advantages of UAC without the explicit (and in some cases excessive) prompting?  In at least some cases, it may be.

Metasploit Framework 3.1 Release Imminent

Posted by Christopher on Sun, 2008-01-20 20:19

I have been following the RSS feed for the Metasploit Framework trac timeline. There has just been a flurry of activity that, from the descriptions, makes it sound like 3.1 will be released soon. There have been a bunch of new and improved features in SVN; perhaps the biggest is that the GUI is going mainline on both Windows and Linux platforms.

Quicktime HTTP response buffer overflow 0-day

Posted by Christopher on Thu, 2008-01-10 16:20

Here we go again. Another 0-day vulnerability (this one appears not to have been responsibly disclosed) in Apple QuickTime. As implied by "0-day", there is no patch, and no workarounds are immediately obvious. Later tonight I will write and test a Snort signature for this.

The announcement is at http://aluigi.altervista.org/adv/quicktimebof-adv.txt, and public exploit code is available on that site and on milw0rm: http://www.milw0rm.com/exploits/4885
