The domain corp.com is for sale. It is dangerous for hundreds of thousands of corporate computers running Windows


Diagram of data leakage through Web Proxy Auto-Discovery (WPAD) in the case of a name collision (here, the collision of an internal domain with the name of one of the new gTLDs, but the essence is the same). Source: University of Michigan study, 2016.

Mike O'Connor, one of the oldest domain name investors, is putting up the most dangerous and controversial lot in his collection: the corp.com domain, for $1.7 million. In 1994, O'Connor bought many simple domain names such as grill.com, place.com, pub.com and others. Among them was corp.com, which Mike held for 26 years. The investor is now 70 years old and has decided to monetize his long-standing investments.

The whole problem is that corp.com is potentially dangerous for at least 375,000 corporate computers because of careless Active Directory configuration during the construction of corporate intranets in the early 2000s on Windows 2000 Server, when the internal root was simply specified as "corp". Until the early 2010s this was not a problem, but as laptops became more common in business, more and more employees began to take their work computers outside the corporate network. Because of how Active Directory is implemented, even without an explicit user request to \\corp, a number of applications (mail, for example) knock on the familiar address on their own. When the machine is connected to an outside network in, say, a cafe around the corner, that flow of data and requests ends up going to corp.com.

Now O'Connor hopes that Microsoft will buy the domain itself and, in the best traditions of Google, bury it somewhere dark and inaccessible to outsiders, solving the problem of this fundamental vulnerability of Windows networks.

Active Directory and name collision


On enterprise networks, Windows uses the Active Directory directory service. It lets administrators use group policies to configure the user environment uniformly, deploy software to many computers, perform authorization, and so on.

Active Directory is integrated with DNS and runs on top of TCP/IP. To find nodes within the network, it relies on the Web Proxy Auto-Discovery (WPAD) protocol and the DNS name devolution feature built into the Windows DNS Client. This feature makes it easy to find other computers or servers without specifying a fully qualified domain name.

For example, if a company runs an internal network named internalnetwork.example.com and an employee wants to reach a shared drive named drive1, there is no need to type drive1.internalnetwork.example.com in Explorer; typing \\drive1\ is enough, and the Windows DNS client appends the rest of the name itself.

In earlier versions of Active Directory, for example in Windows 2000 Server, the second level of the corporate domain was set by default to corp. Many companies kept this default for their internal domain. Worse, many went on to build vast networks on top of this flawed setup.

In the days of desktop computers this was not much of a security problem, because nobody took these computers out of the corporate network. But what happens when an employee of a company whose Active Directory uses the network path corp takes a corporate laptop to the local Starbucks? That is when the Web Proxy Auto-Discovery (WPAD) protocol and DNS name devolution come into play.



Some services on the laptop will most likely keep knocking on the internal domain corp, fail to find it, and instead their requests will resolve to the corp.com domain on the open Internet.

In practice, this means that the owner of corp.com can passively intercept private requests from hundreds of thousands of computers that stray outside a corporate environment whose Active Directory domain is named corp.
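The two mechanisms described above can be illustrated from the defender's side. The following Python is an added example, not code from the article or from any of the researchers it cites: it models how a devolving resolver turns an unqualified name into candidate FQDNs (a simplified model; the real Windows DNS client has more settings, such as the devolution level and connection-specific suffixes, than shown here), flags a single-label Active Directory root such as corp as risky, and scans constructed DNS query log lines for lookups that were meant for the intranet root but were qualified under the public domain corp.com. The log lines, client addresses and hostnames are all made up for the example.

```python
"""Added illustration of DNS name devolution and of detecting lookups that
escaped a single-label Active Directory root to a colliding public domain.
Devolution model, log format and all sample data are assumptions made for
this example, not taken from the article."""
from typing import List, Tuple

INTERNAL_ROOT = "corp"          # the single-label AD root the article describes
PUBLIC_COLLISION = "corp.com"   # the public domain it collides with


def devolve_candidates(short_name: str, primary_suffix: str,
                       devolution_level: int = 2) -> List[str]:
    """Return the FQDNs a devolving resolver would try for an unqualified name.

    Assumed model: append the primary suffix first, then strip the leftmost
    label one at a time while at least `devolution_level` labels remain.
    A single-label suffix such as "corp" cannot devolve at all, so the
    article's drive1 example yields exactly one candidate.
    """
    labels = primary_suffix.strip(".").lower().split(".")
    candidates = [f"{short_name}.{'.'.join(labels)}"]
    while len(labels) > devolution_level:
        labels = labels[1:]
        candidates.append(f"{short_name}.{'.'.join(labels)}")
    return candidates


def is_risky_ad_root(domain: str) -> bool:
    """A single-label AD root (no dot) is the configuration the article warns
    about: there is no registered second-level domain behind it."""
    return "." not in domain.strip(".")


# Constructed DNS client log (not a real capture). Format assumed here:
# <timestamp> <client> query <name> <rcode>
# The first two lines are a machine on the office LAN; the rest are the same
# machine after it has joined an outside network.
SAMPLE_LOG = """\
2020-02-10T08:01:02Z 10.20.30.41 query wpad.corp NOERROR
2020-02-10T08:01:02Z 10.20.30.41 query drive1.corp NOERROR
2020-02-10T12:14:55Z 192.168.0.23 query wpad.corp.com NOERROR
2020-02-10T12:14:56Z 192.168.0.23 query drive1.corp.com NOERROR
2020-02-10T12:15:01Z 192.168.0.23 query _ldap._tcp.dc._msdcs.corp.com NOERROR
2020-02-10T12:16:40Z 192.168.0.23 query www.example.com NOERROR
"""


def find_leaked_queries(log_text: str, collision: str = PUBLIC_COLLISION
                        ) -> List[Tuple[str, str]]:
    """Return (client, name) pairs whose queried name is the colliding public
    domain or lies under it. These are the lookups an outside party who
    controls that domain would see."""
    collision = collision.lower().rstrip(".")
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # skip blank or malformed lines
        client, name = parts[1], parts[3].lower().rstrip(".")
        if name == collision or name.endswith("." + collision):
            leaks.append((client, name))
    return leaks


if __name__ == "__main__":
    print(devolve_candidates("drive1", "internalnetwork.example.com"))
    print(devolve_candidates("drive1", INTERNAL_ROOT))
    print("single-label root is risky:", is_risky_ad_root(INTERNAL_ROOT))
    for client, name in find_leaked_queries(SAMPLE_LOG):
        print(f"leak: {client} looked up {name}")
```

Run on the constructed log, the scan reports only the three lookups the roaming client made under corp.com (wpad, drive1 and the AD service-locator record), while the in-office queries under the bare corp root and the unrelated www.example.com lookup are left alone. In a real environment the same filter would be applied to DNS server or endpoint query logs, with the collision domain set to whatever public name the internal root happens to match.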


Leak of WPAD requests in American traffic. From a 2016 University of Michigan study.

Why the domain has not been sold yet


In 2014, ICANN experts published a large study of DNS name collisions. The study was partly funded by the US Department of Homeland Security, because leaks from internal networks threaten not only commercial companies but also government organizations, including secret services, intelligence agencies and army units.

Mike wanted to sell corp.com last year, but researcher Jeff Schmidt convinced him to postpone the sale on the strength of that very report. The study found that every day 375,000 computers try to contact corp.com without their owners' knowledge. The requests contained attempts to log in to corporate intranets and to gain access to networks or file shares.

In his own experiment, Schmidt, together with JAS Global, emulated on corp.com the way a local Windows network handles files and requests. In doing so they effectively opened a portal to hell for any information security specialist.


Schmidt believes that for decades administrators all over the world have been preparing the most dangerous botnet in history. Hundreds of thousands of fully functional computers around the world are ready not only to join the botnet but also to hand over confidential data about their owners and companies. All that is needed to use it is control of corp.com. Any machine that has ever been joined to a corporate network whose Active Directory was configured as \\corp becomes part of it.

Microsoft ignored the problem 25 years ago


If you think MS was unaware of the ongoing bacchanalia around corp.com, you are seriously mistaken. Mike trolled Microsoft, and Bill Gates personally, back in 1997 with a page that the FrontPage '97 beta sent its users to, since corp.com was its default URL. When Mike got tired of it, corp.com began redirecting users to a sex shop site. In response he received thousands of angry letters from users, which he forwarded, with a copy, to Bill Gates. Incidentally, Mike himself, out of curiosity, set up a mail server and received confidential letters addressed to corp.com. He tried to resolve these problems by contacting the companies, but they simply did not know how to fix the situation.


For its part, MS took no active steps, and the company declines to comment on the situation. Yes, over the years Microsoft has released several Active Directory updates that partially address domain name collisions, but they have a number of problems. The company has also issued recommendations on choosing internal domain names, on owning a second-level domain to avoid conflicts, and other guides that usually go unread.

But the key issue is the updates themselves. First, applying them requires taking the company's intranet down completely. Second, after such updates some applications may start working more slowly or incorrectly, or stop working altogether. Understandably, most companies with an established corporate network will not take such risks. Moreover, many of them do not even realize the full extent of the threat, which amounts to redirecting everything and anything to corp.com as soon as a machine leaves the internal network.

The greatest irony comes when you look at Schmidt's report on the investigation of domain name conflicts: according to his data, some requests to corp.com come from Microsoft's own intranet.



And what will happen next?


It would seem that the solution lies on the surface and was described at the start of the article: let Microsoft buy the domain from Mike and lock it away at the back of the closet forever.

But it is not that simple. A few years ago O'Connor offered Microsoft the chance to buy this domain, toxic as it is for companies around the world. He offered the giant the chance to close such a hole in its own networks for only $20 thousand.

Now the domain is priced at $1.7 million. And even if Microsoft decides to buy it at the last moment, will it be in time?
