Windows DNS bug

Microsoft has just fixed a nasty bug affecting the DNS client included with Windows 8, Windows 10, Windows Server 2012 and Windows Server 2016.

The bug — tracked as CVE-2017-11779 — affects DNSAPI.dll, the core Windows library that sends DNS requests and receives responses from DNS servers.

The issue affects only Windows 8 or later because the flaw lies in how DNSAPI.dll handles DNS requests made through the DNSSEC protocol, a more secure version of the classic DNS protocol. Windows 8 was the first Windows version to support DNSSEC.

Bug allows execution of malicious code with SYSTEM privileges

Discovered by BishopFox security researcher Nick Freeman, the bug allows an attacker to send malformed DNS responses to Windows computers and execute code in the context of the application that made the request.

To exploit the bug, an attacker would have to set up a malicious DNS server and poison a target's local network to hijack DNS traffic. At that point, the attacker would only need to wait for an application with admin or system-level privileges to make a DNS request.

This is not much of an obstacle, as most of today's apps make DNS requests, and most users run a Windows admin-level account for their day-to-day operations.

Furthermore, the same DLL also handles DNS requests made by many of the core Windows services. Sooner or later, one of these core services would process the attacker's malformed DNS response and execute the malicious code embedded in it with system-level privileges.

If this wasn't bad enough, the researchers explain that the core Windows DNS caching service that uses DNSAPI.dll restarts automatically if it crashes. This gives an attacker effectively unlimited attempts to exploit the bug until they gain system-level access.

Attacker needs direct path to targets

The only good news for users is that the malformed DNS packets needed to exploit this bug can't pass through legitimate DNS servers, because those servers drop them.

This means that an attacker must be on the same network as the victim (e.g. a coffee shop, a work WiFi network, or another LAN) or must trick users into configuring the malicious DNS servers as defaults in their OS (which requires some serious social engineering skills).
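Because exploitation depends on responses from an attacker-controlled resolver reaching the client, a quick audit of each adapter's configured DNS servers, the installed DNSAPI.dll build and the DNS Client service's restart policy is a sensible defender check. The script below is an added example, not code from the article or from Bishop Fox; the resolver addresses in `$ExpectedServers` are placeholders.

```powershell
# Added example (not from the article or Bishop Fox). Flags adapters whose DNS
# servers are not the resolvers you expect, records the dnsapi.dll build for
# comparison with the October 2017 update, and shows the Dnscache restart policy.
# $ExpectedServers is an assumption: replace it with your organisation's resolvers.
$ExpectedServers = @('10.0.0.53', '10.0.1.53')   # placeholder values

# Report the DNS servers configured on every IPv4 interface and any that are unexpected
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $unexpected = $_.ServerAddresses | Where-Object { $_ -notin $ExpectedServers }
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Servers    = ($_.ServerAddresses -join ', ')
            Unexpected = ($unexpected -join ', ')
        }
    } | Format-Table -AutoSize

# Version and timestamp of the DLL the article discusses; compare with the
# build shipped in the October 2017 Patch Tuesday update for your OS version.
$dll = Get-Item "$env:SystemRoot\System32\dnsapi.dll"
"dnsapi.dll version: $($dll.VersionInfo.FileVersion) (modified $($dll.LastWriteTime))"

# State of the DNS Client (Dnscache) service and its failure actions, i.e. the
# automatic restart behaviour the article mentions.
Get-Service Dnscache | Select-Object Name, Status
sc.exe qfailure Dnscache
```

Run it in an elevated PowerShell session; an adapter listed with a non-empty Unexpected column is worth investigating before assuming the host is only reachable by attackers on the local network.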

Microsoft fixed this bug with an update included in the October 2017 Patch Tuesday release, published earlier today. BishopFox researchers also published a video detailing their findings. Their technical report on CVE-2017-11779 is available here.