A critical vulnerability that’s been sitting in Microsoft’s Windows DNS Server for almost two decades could be exploited to gain Domain Administrator privileges and compromise the entire corporate infrastructure behind it.

The vulnerability received the tracking identifier CVE-2020-1350 and the name SIGRed. It is a remote code execution (RCE) flaw affecting Windows Server versions 2003 through 2019, and it received the maximum CVSS severity rating, 10 out of 10.

It is wormable, meaning that an exploit can propagate automatically to vulnerable machines on the network with no user interaction. This characteristic puts it in the same risk category as EternalBlue in Server Message Block (SMB) and BlueKeep in the Remote Desktop Protocol (RDP).

Malformed DNS packet

The Domain Name System (DNS) is the internet's phone book: it maps human-readable domain names to IP addresses so that clients can reach the correct server for a resource.

The system is hierarchical and decentralized. A DNS server that does not already know the answer to a query forwards it up the ladder. At the top of the hierarchy are the 13 root server identities (each a large anycast cluster), which do not hold every record but know which servers are authoritative for each top-level domain.

Researchers at Check Point discovered a flaw in Microsoft’s DNS implementation that can be exploited when the server parses an incoming query or a response for a forwarded request.

They found an integer overflow that leads to a heap-based buffer overflow in "dns.exe!SigWireRead," the function that parses SIG resource records in DNS responses.

“To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer” - Check Point

In a technical blog today, the researchers detail how they were able to exploit the flaw in a target DNS server by replying to one of its queries with a SIG response large enough to trigger the bug.

To make the target Windows DNS Server parse responses from their machine, the researchers did the following:

  1. Configure our domain’s (deadbeef.fun) NS Records to point at our malicious DNS Server (ns1.41414141.club)
  2. Query the victim Windows DNS Server for NS Records of deadbeef.fun
  3. The victim DNS, not yet knowing the answer for this query, forwards the query to the DNS server above it (8.8.8.8)
  4. The authoritative server (8.8.8.8) knows the answer, and responds that the NameServer of deadbeef.fun is ns1.41414141.club
  5. The victim Windows DNS Server processes and caches this response
  6. The next time we query for a subdomain of deadbeef.fun, the target Windows DNS Server will also query ns1.41414141.club for its response, as it is the NameServer for this domain.

The researchers also found that an attacker exploiting SIGRed does not have to be on the same network as the target DNS server. Windows DNS accepts DNS messages over TCP (port 53), and a TCP DNS message is nothing more than a two-byte length prefix followed by the message, so the server parses whatever arrives on that socket as DNS.

As such, the target server will parse the data as a DNS query even if it is packaged as an HTTP payload: the first two bytes of a POST request ("PO", 0x504F) are read as a length prefix of 20,559 bytes, and the server simply waits for that many bytes before trying to parse them.

Check Point notes that because Windows DNS Server supports "Connection Reuse" and "Pipelining," an attacker can send several queries over a single TCP connection without having to wait for a reply to each.

These features allow sending the server an HTTP POST request whose binary body carries a second, properly framed DNS query. Once the bytes claimed by the bogus first message are consumed, the server processes the smuggled query separately.

This is possible even from browsers such as Internet Explorer and Microsoft Edge, which allow requests to port 53, the port used by DNS. Google Chrome and Mozilla Firefox block HTTP requests to this port.

Check Point illustrates using a browser as a vector to crash an internal Windows DNS server in the video below.
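The TCP behaviour described above (the two-byte length prefix, connection reuse and pipelining, and an HTTP POST being consumed as a DNS frame), together with the size cap that the registry workaround further down this page applies, modelled in Python. This is an added example written for this edit, not Check Point's or Microsoft's code. It constructs its own sample bytes, uses a hypothetical internal server name (dns.corp.example), assumes that a reader keeps the connection open after a malformed frame, and models only frame handling: it does not reproduce the SigWireRead parser or any exploit.

```python
import struct

# Limit that the TcpReceivePacketSize = 0xFF00 registry workaround imposes:
# DNS-over-TCP messages are capped at 65,280 bytes.
TCP_RECEIVE_PACKET_SIZE = 0xFF00


def build_query(txid, name, qtype=1):
    """Minimal DNS query: 12-byte header plus one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def frame(message):
    """DNS over TCP (RFC 1035 4.2.2): 16-bit big-endian length, then the message."""
    return struct.pack(">H", len(message)) + message


def parse_question(message):
    """Return (txid, name, qtype) for a one-question message or raise ValueError."""
    if len(message) < 12:
        raise ValueError("short header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", message[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(message):
            raise ValueError("name runs past end of message")
        n = message[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(message):  # plain labels only, no pointers
            raise ValueError("bad label length")
        labels.append(message[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(message):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack(">HH", message[pos:pos + 4])
    return txid, ".".join(labels), qtype


def read_tcp_stream(data, max_size=TCP_RECEIVE_PACKET_SIZE):
    """Model of a pipelining TCP DNS reader: consume length-prefixed frames in turn.
    Assumption (not verified against dns.exe): a frame that fails to parse is
    discarded and the connection stays open for the next frame."""
    results, pos = [], 0
    while pos + 2 <= len(data):
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length > max_size:
            results.append(("rejected", length))  # the workaround drops the frame
            break
        body = data[pos + 2:pos + 2 + length]
        if len(body) < length:
            results.append(("waiting", length, len(body)))  # blocks for more bytes
            break
        try:
            results.append(("query",) + parse_question(body))
        except ValueError as err:
            results.append(("malformed", str(err)))
        pos += 2 + length
    return results


def http_post_carrying_dns(query_message):
    """Constructed browser-vector stream: an HTTP POST to port 53 whose first two
    bytes ("PO" = 0x504F = 20559) are read as the DNS length prefix, padded so a
    real framed DNS query begins exactly where the reader expects the next frame."""
    payload = frame(query_message)
    frame_len = struct.unpack(">H", b"PO")[0]  # 20559
    content_length = 0
    for _ in range(3):  # Content-Length digit count settles after one pass
        headers = (
            b"POST / HTTP/1.1\r\n"
            b"Host: dns.corp.example:53\r\n"  # hypothetical internal DNS server
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(content_length).encode() + b"\r\n\r\n"
        )
        padding_len = 2 + frame_len - len(headers)
        content_length = padding_len + len(payload)
    return headers + b"A" * padding_len + payload, frame_len


def demo_pipelined_queries():
    q1 = build_query(0x1111, "www.deadbeef.fun", 1)
    q2 = build_query(0x2222, "mail.deadbeef.fun", 15)
    return read_tcp_stream(frame(q1) + frame(q2))


def demo_http_smuggled_query():
    stream, first_len = http_post_carrying_dns(build_query(0x4141, "sub.deadbeef.fun", 1))
    return first_len, read_tcp_stream(stream)


def demo_oversized_frame(max_size=TCP_RECEIVE_PACKET_SIZE):
    # A frame announcing 0xFF01 bytes, one byte over the workaround's cap.
    return read_tcp_stream(struct.pack(">H", 0xFF01) + b"\x00" * 0xFF01, max_size)


if __name__ == "__main__":
    print(demo_pipelined_queries())
    print(demo_http_smuggled_query())
    print(demo_oversized_frame(), demo_oversized_frame(0xFFFF))
```

Two things the model makes visible. First, the HTTP request is accepted by the capped reader as well: 20,559 is below 0xFF00, so the registry workaround limits the size of what the server will read, which is what matters for the oversized SIG response, but it does not close the browser-to-port-53 delivery channel. Second, the bogus first frame is rejected only by the DNS parser, after the full 20,559 bytes have been buffered, which is exactly the window in which a pipelined follow-up query is still waiting in the stream.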

Vulnerability existed for 17 years

The vulnerability has existed in Microsoft's code for more than 17 years. Omri Herscovici, Check Point's Vulnerability Research Team Leader, says that if researchers found it, it is not far-fetched to assume that other actors may have found it as well.

“A DNS server breach is a critical issue. Most of the time, it puts the attacker just one inch away from breaching the entire organization. There are only a handful of these vulnerability types ever released” - Omri Herscovici

This is sufficient incentive for organizations big and small to prioritize applying the patches Microsoft released today for SIGRed.

For those that cannot apply the patch at this time, Microsoft recommends a registry workaround that caps the size of DNS messages the server accepts over TCP. The change takes effect only after the DNS Server service is restarted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

The value 0xFF00 (65,280 bytes) is below the message size a SIG response larger than 64KB needs, so such a response is dropped instead of being parsed. Legitimate TCP responses of that size are very unusual, but anything that depends on them will fail to resolve while the workaround is in place.

After applying the patch, admins should revert the change by removing the TcpReceivePacketSize value and its data, then restart the DNS Server service again.
