Vulnerability Introduction

The SigRed vulnerability is highly dangerous because it is wormable: it can self-propagate and spread between vulnerable machines without any user interaction, allowing an unauthenticated remote attacker to gain domain administrator privileges on the target server and take full control of the organization's IT infrastructure.

How the vulnerability works

An attacker can exploit SigRed by sending crafted DNS queries to a Windows DNS server and achieving arbitrary code execution, which lets the attacker intercept and manipulate users' email and network traffic, make services unavailable, and harvest users' emails.

When a DNS server cannot resolve the IP address for a given domain name (such as www.google.com), it forwards the query to the authoritative name server (NS) for that domain; this is called a forwarded query. To abuse this logic, the attacker first configures the NS resource record of a domain they control ("deadbeef.fun") to point to a malicious name server ("ns1.41414141.club") and then queries the target DNS server for that domain, so that the target server will consult the attacker's name server for all subsequent queries about the domain and its subdomains.

With this in place, the attacker's name server can answer a forwarded query with a SIG record larger than 64KB. The function in dns.exe that parses the incoming response to the forwarded query ("dns.exe!SigWireRead") suffers an integer overflow while computing the allocation size for the record, which results in a controlled heap buffer overflow of roughly 64KB into a small allocated buffer. In other words, the vulnerability lies in the function responsible for allocating memory for resource records: once the computed size exceeds 65535 bytes, the 16-bit value wraps around and the allocation becomes smaller than the data that is subsequently copied into it.
However, a DNS message is limited to 512 bytes over UDP (or 4096 bytes if the server supports extension mechanisms) and to 65535 bytes over TCP, so a SIG response with a long signature alone is not enough to push the computed size past the limit. The attacker can instead abuse the DNS name compression feature: a compressed name occupies only a few bytes on the wire but expands to a much longer name when parsed, which increases the computed buffer size by the amount needed to trigger the overflow.

In addition, SigRed can be triggered remotely through a browser in certain situations, for example with Internet Explorer and non-Chromium-based Microsoft Edge. Because the Windows DNS server supports connection reuse and query pipelining, an attacker can smuggle DNS queries inside an HTTP request payload sent to the target DNS server when a victim visits a website under the attacker's control. The bug can even be turned into a write-what-where primitive and further used to leak memory addresses, allowing the adversary to hijack the execution flow and run instructions of their choosing.

Surprisingly, the DNS client ("dnsapi.dll") is not affected by the same bug, which led the researchers to suspect that "Microsoft set up two completely different code bases for the DNS server and the DNS client and did not sync the vulnerability patches between them."

Mitigation

The Windows DNS server is a core network component. A compromised DNS server is a very serious security issue: in most cases it puts the attacker just one step away from compromising the entire organization, so enterprises must take it seriously. Although Microsoft said there is no evidence that the vulnerability has been exploited, it recommends that users install the security patch immediately: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

As a workaround, users can also limit the maximum length of DNS messages received over TCP to 0xFF00 bytes, which removes the possibility of the buffer overflow.
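As an added illustration (not code from the article or from Microsoft), the following Python models the size arithmetic described above: a name-expansion routine that follows compression pointers, the 16-bit allocation sum that silently wraps, the checked version that rejects it, and a gate for the 0xFF00 TCP cap. SAMPLE_MSG is a constructed message, and RECORD_HEADER, SIG_FIXED and the function names are assumptions for the model, not dns.exe internals.

```python
# Added model (not the article's or Microsoft's code) of the SIG-record size
# arithmetic the article describes; RECORD_HEADER and layout are assumptions.
SIG_FIXED = 18            # RFC 2535 SIG RDATA bytes before the signer's name
RECORD_HEADER = 24        # assumed per-record bookkeeping added by the server
MAX_TCP_MESSAGE = 0xFF00  # TCP message cap the article cites as a workaround
# Constructed sample: 12-byte header, a 3-label name at offset 12 (193 bytes
# expanded), then a compression pointer (0xC00C) back to it at offset 205.
SAMPLE_MSG = b"\x00" * 12 + (b"\x3f" + b"a" * 63) * 3 + b"\x00" + b"\xc0\x0c"


def expanded_name_length(msg, offset):
    """Return (wire bytes consumed at offset, bytes after expanding RFC 1035
    compression pointers). Raises on truncated names or pointer loops."""
    wire = expanded = 0
    jumped = False
    seen = set()
    while True:
        if offset >= len(msg) or offset in seen:
            raise ValueError("truncated name or compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            wire += 0 if jumped else 2
            jumped = True
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        wire += 0 if jumped else 1 + length
        expanded += 1 + length
        if length == 0:
            return wire, expanded
        offset += 1 + length

def record_size_vulnerable(rdata_len, name_wire, name_expanded):
    """16-bit arithmetic: the true total silently wraps modulo 2**16, so a
    record with a long signature and a compressed name gets a tiny buffer."""
    sig_len = rdata_len - SIG_FIXED - name_wire
    return (RECORD_HEADER + name_expanded + sig_len) & 0xFFFF

def record_size_checked(rdata_len, name_wire, name_expanded):
    """Same sum, but refuses any size that does not fit a 16-bit allocation."""
    sig_len = rdata_len - SIG_FIXED - name_wire
    total = RECORD_HEADER + name_expanded + sig_len
    if total > 0xFFFF:
        raise ValueError("record size exceeds 16-bit allocation: %d" % total)
    return total

def tcp_message_allowed(length):
    return length <= MAX_TCP_MESSAGE   # gate modelling the 0xFF00 TCP cap
```

With SAMPLE_MSG the pointer costs 2 wire bytes but expands to 193, and a maximal 65535-byte RDATA wraps the vulnerable sum to 196 bytes while the checked version raises.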
This concludes the article about the 17-year-old "worm-level" vulnerability in Windows DNS servers. For more information about the Windows DNS server vulnerability, please search 123WORDPRESS.COM's previous articles.