
April 13th, 2007

Windows DNS Server code execution hole under attack

Posted by Ryan Naraine @ 7:28 am

A zero-day vulnerability in the DNS Server service in Windows is under attack, Microsoft warned in a security advisory (Microsoft Security Advisory 935964).

The "limited attacks" exploit a stack-based buffer overflow in the Windows Domain Name System (DNS) Server's RPC interface when it processes a malformed request. That RPC interface listens on a dynamically assigned port between 1024 and 5000, not on the DNS protocol port 53, so the attack traffic is RPC rather than DNS queries, and only the RPC port has to be reachable for the attack to work.

The flaw lets a remote, unauthenticated attacker execute arbitrary code with SYSTEM privileges by sending a specially crafted request to a vulnerable system. The DNS Server service runs as LocalSystem, so a successful exploit gives full control of the host (and, since Windows DNS is commonly hosted on domain controllers, often of the Active Directory domain as well).

Affected Windows versions include:

  • Windows 2000 Server Service Pack 4
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2

Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

In its pre-patch advisory, Microsoft issued the following workarounds:

  • Disable remote management over RPC for DNS servers via a registry setting (the RpcProtocol value under the DNS service's Parameters key). Instructions are in the "suggested actions" section of the advisory. This is the most targeted workaround: it removes the vulnerable RPC endpoint from the network and leaves DNS resolution untouched; the cost is that the DNS MMC snap-in and dnscmd only work from the server's own console until the value is reverted after patching.
  • Block all unsolicited inbound traffic to ports 1024 through 5000. Because the RPC interface of Windows DNS binds to a port in this range, blocking that range at the perimeter firewall protects the systems behind it from exploitation attempts from outside. (George Ou has more on this, including instructions on firewall filtering.) Note that other RPC-based services use the same dynamic port range, so a host-level block of 1024 through 5000 on a domain controller also breaks Active Directory replication and remote administration unless the peers that need them are explicitly exempted.
  • Enable advanced TCP/IP filtering on the affected systems to block all unsolicited inbound traffic. TCP/IP filtering is a permit-only list, so TCP and UDP port 53 (and any other service the host must offer) have to stay on the permitted list or the server stops answering queries. For more information about how to configure TCP/IP filtering, see Knowledge Base article 309798.
  • Block ports 1024 through 5000 with IPsec filters on the affected systems. Detailed information about IPsec and about how to apply filters is available in Knowledge Base articles 313190 and 813878.
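
As an added example (not code from the advisory or from the original post), here is how the first workaround can be applied and then checked from PowerShell on a Windows Server 2003 DNS server. The registry value name RpcProtocol and the LPC-only setting 4 are taken from the advisory's suggested actions as recalled here and should be confirmed against the advisory text before deployment; everything else is standard PowerShell 1.0 plus netstat, so it runs on a 2007-era box. Windows 2000 Server has no PowerShell; there the same registry change is made with reg.exe.

```powershell
# Added example, not the advisory's own instructions: restrict the Windows DNS
# Server RPC interface to local procedure calls and verify the result.
# Assumptions (confirm against Microsoft Security Advisory 935964):
#   - value name RpcProtocol under the DNS service Parameters key
#   - value 4 = LPC only (no RPC over TCP/IP or named pipes)
# Run from an elevated PowerShell 1.0 prompt on the DNS server itself.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Record the current setting so it can be restored once the patch is installed.
$before = (Get-ItemProperty -Path $dnsParams -ErrorAction SilentlyContinue).RpcProtocol
if ($before -eq $null) {
    Write-Host 'RpcProtocol not set (default: remote RPC management enabled)'
} else {
    Write-Host "RpcProtocol currently $before"
}

# 2. Limit the DNS RPC interface to LPC. Local management (DNS MMC on the console,
#    dnscmd run locally) keeps working; the remote endpoint the attacks target is
#    no longer registered.
Set-ItemProperty -Path $dnsParams -Name RpcProtocol -Value 4 -Type DWord

# 3. The DNS Server service reads the value at startup, so restart it.
Restart-Service -Name DNS -Force

# 4. Confirm the registry change took.
$after = (Get-ItemProperty -Path $dnsParams).RpcProtocol
if ($after -ne 4) { throw "RpcProtocol is $after, expected 4" }

# 5. Confirm from the network side. List the TCP listeners owned by dns.exe: before
#    the change there is one on a dynamic port in the 1024-5000 range (the RPC
#    endpoint); afterwards only port 53 should remain. Uses [regex]::Split rather
#    than -split so it also runs on PowerShell 1.0.
$dnsPid = (Get-Process -Name dns).Id
$listeners = netstat -ano -p tcp | ForEach-Object {
    # Columns of a data line: Proto  Local Address  Foreign Address  State  PID
    $f = [regex]::Split($_.Trim(), '\s+')
    if ($f.Length -eq 5 -and $f[3] -eq 'LISTENING' -and $f[4] -eq "$dnsPid") { $f[1] }
}
Write-Host ("dns.exe (PID $dnsPid) TCP listeners: " + [string]::Join(', ', [string[]]@($listeners)))

$high = $listeners | Where-Object {
    $port = [int]$_.Substring($_.LastIndexOf(':') + 1)
    ($port -ge 1024) -and ($port -le 5000)
}
if ($high) {
    Write-Warning ('DNS RPC endpoint still listening on ' + [string]::Join(', ', [string[]]@($high)))
} else {
    Write-Host 'No dns.exe listener in the 1024-5000 range; remote RPC management is off'
}
```

Step 5 is the check worth keeping around: it tells you which dynamic port the RPC endpoint was actually bound to, which is the port a firewall or IPsec rule has to cover if you choose the blocking workarounds instead. Revert by restoring the recorded value (or deleting RpcProtocol) and restarting the service once the patch is installed. The registry change does nothing for a local attacker and nothing for other services that share the 1024-5000 range; those are what the firewall and IPsec items address.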

I have not seen public exploit code at any of the usual research Web sites but, as this issue escalates (as it surely will), proof-of-concepts will be made available. 

Also see advisories from the MSRC blog, Secunia, FrSIRT and the SANS Internet Storm Center, and the Techmeme discussion.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback

Office Documents
How do you know whether or not a file is infected unless you open it first?

There *IS* a work-around to the Office exploits which is 100% effective: don't use Office.... (Read the rest)
Posted by: fde101 on 04/16/07
Other talkbacks on this post:
  • Oh my, what next? (Intellihence, 04/13/07)
  • You're not really protected (Ryan Naraine, ZDNet Moderator, 04/13/07)
  • What spam? (Linux User 147560, 04/13/07)
  • The costs (Ryan Naraine, ZDNet Moderator, 04/13/07)
  • Ouch (toadlife, 04/13/07)
  • The firewall hardening measures are enough (georgeou, 04/13/07)
  • Office Documents (fde101, 04/16/07)