[NCAP-Discuss] [Ext] Revised draft of NCAP Study 1 report

Rubens Kuhl rubensk at nic.br
Thu Feb 6 01:16:45 UTC 2020


Matt,

Jeff's explanation is very helpful material to include in Study 1. Perhaps link to this list archive?


Rubens


> On 5 Feb 2020, at 04:01, Matt Larson <matt.larson at icann.org> wrote:
> 
> 
>> On Jan 29, 2020, at 3:48 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>> 
>> I was under the impression that corp.com was now part of ORDINAL, but the fact that it's for sale for USD 1.7 Mi goes against that assumption.
>> Perhaps Jeff (JAS) could clarify it.
> 
> Jeff Schmidt sent the text below to clarify the situation with corp.com. Please also see the attached PowerPoint presentation.
> 
> Matt
> 
> 
>> Begin forwarded message:
>> 
>> From: Jeff Schmidt <jschmidt at jasadvisors.com>
>> Subject: [Ext] For posting to the NACP list
>> Date: February 4, 2020 at 12:29:18 PM EST
>> To: David Conrad <david.conrad at icann.org>, Matt Larson <matt.larson at icann.org>
>> 
>> Hia gents:
>> 
>> I hear that there was an inquiry about corp.com by the NCAP; please feel free to publish the below response _in its entirety_.  It is good to have this history a part of “the record.”  You may post/share this as you see fit.  Thanks!
>> 
>> Corp.com has been owned by Mike O’Connor for just under forever.  Mike recognizes that corp.com is unique and he has graciously made data available to a number of researchers – including JAS – over the years in the best interest of the Internet.  The corp.com data – and the understanding of the underlying phenomena driving the traffic – contributed materially to the JAS collisions work/reports and to our discovery of MS15-011 thru 014 (CVE-2015-0008) as well as vulnerabilities JAS discovered and privately reported to PeopleSoft/Oracle, Symantec, Trend Micro, and IBM.
>> 
>> Through Mike’s quiet generosity, the Internet is a safer place today.
>> 
>> My interest, as a security professional, is that corp.com remain in “responsible hands.”  There remains significant danger if corp.com becomes controlled by an “irresponsible” party.  I have tried for years to get “responsible parties” interested in acquiring corp.com – including several firms on this list – however none have expressed interest.  Fortunately, the US Department of Homeland Security (DHS) stepped up – the *only* party to do so I might add – and provided a small grant for JAS to lease corp.com from Mike, collect data, and make it available to qualified researchers.  During the years corp.com was delegated to JAS, we spent far more money hosting, collecting, and storing data than we ever got from grants.  No one except the US DHS expressed any willingness to help.  My understanding is that ICANN wrote letters to Microsoft, Verisign, and other relevant parties informing them of these issues, but they did not engage.  I tried to engage Microsoft at a number of levels, but they were not interested.[1]  JAS got poor and Mike sat on a valuable asset for years in the altruistic interest of global Internet SSR.
>> 
>> A few months back, Mike and I concluded that we have done everything we can do; with Mike not getting any younger, he would sell the domain with a clear conscience.  JAS has no further business relationship with Mike or corp.com and we are no longer technically hosting the domain.
>> 
>> I have attached a technical presentation I gave to IMPACT researchers in 2018.  It contains more technical information about the traffic observed at corp.com and some cool “DITL” statistics.
>> 
>> A few high level observations during the 8-month period 2019-01-24 - 2019-09-18:
>> 
>> * 384,001 unique client IPs sent queries to corp.com.  These clients are almost all recursives ranging from gigantic public recursives (Google, OpenDNS) to private recursives run by companies ranging from SMBs to large multi-nationals.
>> 
>> * 37,046,965 unique qnames were sent to corp.com.  A plurality of these qnames are related to Microsoft technologies, particularly Active Directory.  A subset of these are exploitable by techniques similar to MS15-011 thru 014 and trivially exploitable using well-known tools like Responder/SMB-Relay[2].
>> 
>> * For additional perspective, in one month, the HTTP/S website JAS ran at corp.com received requests from 379,403 unique clients for WPAD configuration files.  Note these are IP addresses of specific end machines received over HTTP/S, not DNS recursive servers as above.  Therefore, this is one of several long-lived target lists of almost certainly vulnerable Microsoft Windows machines.  Another party made a big deal about purely theoretical WPAD vulnerabilities in the new gTLD space a few years back; colliding WPAD queries are much more common and much more dangerous in .com than in any other namespace just given the size and gravitas of .com.  Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000?  Control corp.com.  Anyone claiming namespace collisions in .com, country code, and other legacy TLD space aren’t dangerous just doesn’t understand – or doesn’t want to understand.
>> 
>> * JAS temporarily created MX records and accepted email destined to corp.com.  After about an hour we received in excess of 12 million emails and discontinued the experiment.  While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.
>> 
>> * JAS temporarily accepted protocol level connections to SMB/CIFS and WebDAV over HTTP/S (!!) and found a large number of dangerous connections requesting \\SYSVOL, \\NETLOGON, \\USER, and other dangerous Microsoft mount points directly exploitable by the techniques described in MS15-011 thru 014.  We discontinued the experiment after 15 minutes and destroyed the data.  It was terrifying.  A well-known offensive tester that consulted with JAS on this experiment remarked that during the experiment it was “raining credentials” and that “he’d never seen anything like it.”
>> 
>> * Microsoft incorrectly claims these issues are resolved.  Unless administrators overtly enable SMB Signing (via a new feature called “UNC Path Hardening” which they added as a response to our bugs), most modern, fully-patched Windows machines remain vulnerable.[3]
>> 
>> Someone will eventually purchase corp.com.  I sincerely hope the acquiring party is “responsible.”  Once it’s lost, it’s gone forever.
>> 
>> Jeff Schmidt
>> 
>> [1] Microsoft Windows product groups acted honorably upon our reporting of the vulnerabilities and responded appropriately; however, other parts of the company were not interested in discussing corp.com.
>> 
>> [2] https://github.com/lgandx/Responder
>> 
>> [3] https://security.stackexchange.com/questions/134388/how-does-unc-path-hardening-and-smb-signing-work-under-the-hood
>> 
>> 
>> 
> <JAS DNS IMPACT[2].pptx>
> 
> 
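A defender-side check suggested by the observations Jeff lists above, added here as an illustrative example (not part of the original thread and not JAS's tooling): a small Python filter that runs over constructed resolver-log lines in a hypothetical "timestamp client qname qtype" format and flags clients whose queries for a public suffix carry Active Directory or WPAD auto-discovery labels, which is the signature of an internal domain suffix colliding with a registrable name.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real corp.com data):
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 192.0.2.10 _ldap._tcp.dc._msdcs.corp.com A
2019-03-01T10:00:02Z 192.0.2.10 wpad.corp.com A
2019-03-01T10:00:03Z 192.0.2.11 _kerberos._tcp.corp.com SRV
2019-03-01T10:00:04Z 198.51.100.7 www.example.com A
2019-03-01T10:00:05Z 198.51.100.7 fileserver.corp.com A
2019-03-01T10:00:06Z 192.0.2.12 wpad.intranet.example.net A
2019-03-01T10:00:07Z 192.0.2.13 gc._msdcs.corp.com A
"""

# Label patterns that only Windows/AD auto-discovery or WPAD probing emits.
# Seeing them under a public suffix means a host's configured domain
# suffix is leaking out of the enterprise (namespace collision).
LEAK_PATTERNS = {
    "ad-srv": re.compile(r"^_(ldap|kerberos|gc|kpasswd)\._(tcp|udp)\."),
    "ad-msdcs": re.compile(r"\._msdcs\."),
    "wpad": re.compile(r"^wpad\."),
}


def classify_qname(qname):
    """Return the leak category for a qname, or None if nothing matches."""
    name = qname.lower().rstrip(".")
    for label, pattern in LEAK_PATTERNS.items():
        if pattern.search(name):
            return label
    return None


def analyze(log_text, suffix="corp.com"):
    """Group suspicious queries under `suffix` by client IP.

    Returns {client_ip: {category: [qname, ...]}} containing only clients
    that sent at least one AD/WPAD-style query for a name under `suffix`.
    """
    suffix = "." + suffix.lower().strip(".")
    findings = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = parts[:4]
        name = qname.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        category = classify_qname(name)
        if category:
            findings[client][category].append(name)
    return {client: dict(cats) for client, cats in findings.items()}
```

Plain hostnames under the suffix (such as a file server lookup) are deliberately not flagged, since on their own they do not prove the querying client treats the suffix as its Active Directory domain.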
