Microsoft has released patches for Critical RCE Flaw in Windows DNS Server

A critical flaw that has been sitting in Microsoft’s Windows DNS Server for almost two decades could be exploited to gain Domain Administrator privileges and compromise the entire corporate infrastructure behind it.

This vulnerability received the tracking identifier CVE-2020-1350 and the name SIGRed. It is a remote code execution vulnerability that affects Windows Server versions 2003 through 2019 and received the maximum severity rating of 10 out of 10.

It is wormable, meaning that an exploit can propagate automatically to vulnerable machines on the network without any user interaction. This characteristic puts it in the same risk category as BlueKeep in the Remote Desktop Protocol (RDP) and EternalBlue in Server Message Block (SMB).

Malformed DNS Packet

The Domain Name System (DNS) is the internet’s phone book, enabling clients to find the servers that host the resources they need. It maps domain names to IP addresses so that a client can connect to the correct server.

The model is decentralized and hierarchical: a DNS server forwards any query it cannot answer itself up the ladder to the server above it. At the top of the hierarchy are the 13 root Domain Name System servers that hold the complete picture.

Security researchers at Check Point discovered a vulnerability in Microsoft’s DNS implementation that can be exploited when the server parses an incoming query or a response to a forwarded request. They found an integer overflow that could lead to a heap-based buffer overflow in dns.exe!SigWireRead, the function that parses responses to SIG queries.

The researchers summarize it this way: by sending a DNS response that contains a large (bigger than 64KB) SIG record, “we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.” They explain that they exploited this vulnerability in a target DNS server by replying to one of its queries with a SIG response large enough to trigger the bug.

To make the target Windows DNS Server parse responses from their machine, the security researchers did the following:

1. Configure our domain’s (deadbeef.fun) NS Records to point at our malicious DNS Server (ns1.41414141.club)
2. Query the victim Windows DNS Server for NS Records of deadbeef.fun
3. The victim DNS, not yet knowing the answer for this query, forwards the query to the DNS server above it (8.8.8.8)
4. The authoritative server (8.8.8.8) knows the answer, and responds that the NameServer of deadbeef.fun is ns1.41414141.club
5. The victim Windows DNS Server processes and caches this response
6. The next time we query for a subdomain of deadbeef.fun, the target Windows DNS Server will also query ns1.41414141.club for its response, as it is the NameServer for this domain.

The security researchers found that an attacker exploiting SIGRed does not have to be on the same network as the target DNS server, since DNS data can be carried over a TCP connection, which Windows DNS supports. The target server will parse the data as a DNS query even if it is packaged as an HTTP payload.

Check Point noted that because Windows DNS Server supports connection reuse and pipelining, a threat actor can launch several queries over one TCP connection without having to wait for a reply. These features can be abused by sending an HTTP POST request to the server with binary data that contains another DNS query in the POST body, which is then processed separately. This is possible even from browsers such as Microsoft Edge and Internet Explorer, which allow requests to port 53, the port used by DNS. Mozilla Firefox and Google Chrome do not allow HTTP requests to this port.
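As an added illustration that is not Check Point’s or Microsoft’s code, the following Python inspects a single DNS-over-TCP frame for the two conditions described above: HTTP method bytes sitting where the two-byte length prefix should be, and a SIG record (RR type 24) whose RDLENGTH is far larger than any legitimate signature. The RDATA threshold and the constructed test frame are assumptions made for the demonstration.

```python
import struct
SIG_TYPE = 24            # RR type SIG (RFC 2535), the type parsed by dns.exe!SigWireRead
SIG_RDATA_LIMIT = 4096   # assumed heuristic: legitimate SIG RDATA is a few hundred bytes

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:     # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + label_len

def inspect_tcp_dns(frame):
    """Inspect one DNS-over-TCP frame (2-byte length prefix + message); return a list of findings."""
    if frame[:4] in (b"GET ", b"POST", b"PUT ", b"HEAD"):   # HTTP on port 53 is read as a DNS frame
        return ["http-method-on-dns-port"]
    if len(frame) < 2:
        return ["truncated-frame"]
    declared = struct.unpack("!H", frame[:2])[0]
    msg = frame[2:2 + declared]
    if len(msg) < 12:
        return ["truncated-message"]
    findings = []
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == SIG_TYPE and rdlen >= SIG_RDATA_LIMIT:
                findings.append("oversized-sig-record:%d" % rdlen)
    except (ValueError, struct.error):
        findings.append("malformed-message")
    return findings

def build_sig_response(rdlen):
    """Constructed test input: a minimal DNS-over-TCP response carrying one SIG answer of the given RDLENGTH."""
    name = b"\x08deadbeef\x03fun\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags (QR|RD|RA), QD=1, AN=1
    question = name + struct.pack("!HH", SIG_TYPE, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SIG_TYPE, 1, 300, rdlen) + b"A" * rdlen
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg
```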

Check Point illustrates in a video how they crashed an internal Windows DNS server using a browser as the vector.

Windows DNS Server RCE by Checkpoint Research

Flaw existed for 17 years

This bug has existed in Microsoft’s code for more than 17 years. Omri Herscovici (Vulnerability Research Team Leader at Check Point) says that if his researchers found it, it is not far-fetched to assume that other actors may have found it as well.

Omri Herscovici says that a DNS server breach is a critical issue. Most of the time, it puts the threat actor just one inch away from breaching the entire organization. Only a handful of flaws of this type have ever been disclosed. This is sufficient incentive for both big and small organizations to prioritize applying the patches Microsoft released today for SIGRed.

For those that cannot apply the patch at this time, Microsoft recommends modifying the registry to fix this issue. The changes are applied automatically after the DNS service is restarted.

Modify Registry to fix issue

After applying the patch, administrators should revert the changes to the original state by removing the value TcpReceivePacketSize and its data.
