Windows DNS Server code execution hole under attack


A zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory.

The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.

The flaw allows remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending a specially crafted request to a vulnerable system. 

Affected Windows versions include:
  • Windows 2000 Server Service Pack 4
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2.

Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

In its pre-patch advisory, Microsoft has issued the following recommendations:

  • Disable the remote management over RPC capability for DNS servers via a registry key setting. Instructions are available in the "Suggested Actions" section of the advisory.
  • Block all unsolicited inbound traffic on ports between 1024 and 5000. Because the RPC interface of Windows DNS is bound to a port in this range, blocking these ports at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. (George Ou has more on this, including instructions on firewall filtering.)
  • Enable advanced TCP/IP filtering on systems to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Knowledge Base article 309798.
  • Block the affected ports 1024 to 5000 by using IPsec on the affected systems. Detailed information about IPsec and about how to apply filters is available in Knowledge Base article 313190 and Knowledge Base article 813878.
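
To check which port in the 1024 to 5000 range a server's DNS service is actually listening on, and so whether the filters above cover it, an administrator can cross-reference `netstat -ano` with `tasklist /fo csv /nh` on that server. The script below is an added example, not taken from Microsoft's advisory or the original article; the sample output, PIDs and function names are constructed, and it assumes the RPC endpoint appears as a TCP listener owned by `dns.exe`.

```python
import csv
import io

RPC_RANGE = range(1024, 5001)  # port range named in the advisory

# Constructed sample of `tasklist /fo csv /nh` output (PIDs are made up).
TASKLIST = '''"svchost.exe","812","Console","0","4,212 K"
"dns.exe","1432","Console","0","6,980 K"
'''

# Constructed sample of `netstat -ano` output.
NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:1040         0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:53             *:*                                    1432
  UDP    0.0.0.0:1031           *:*                                    1432
'''


def pids_for(image, tasklist_csv):
    """Return the PIDs whose image name matches (case-insensitive)."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]) for r in rows if len(r) > 1 and r[0].lower() == image.lower()}


def exposed_listeners(netstat_out, pids, ports=RPC_RANGE):
    """Return (local_ip, port) for TCP listeners owned by pids inside ports,
    skipping loopback-only sockets, which are not reachable remotely."""
    hits = []
    for line in netstat_out.splitlines():
        f = line.split()
        # Assumption: only TCP LISTENING rows (5 fields) matter for the RPC endpoint.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue
        ip, _, port = f[1].rpartition(":")
        if int(f[4]) in pids and int(port) in ports and not ip.startswith("127."):
            hits.append((ip, int(port)))
    return hits


if __name__ == "__main__":
    dns_pids = pids_for("dns.exe", TASKLIST)
    for ip, port in exposed_listeners(NETSTAT, dns_pids):
        print(f"dns.exe listening on {ip}:{port} - confirm this port is filtered")
```

On a live server, replace the two sample strings with the captured command output; an empty result after the registry change suggests the remote RPC listener is no longer present.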

I have not seen public exploit code at any of the usual research Web sites but, as this issue escalates (as it surely will), proof-of-concepts will be made available. 

Also see advisories from the MSRC blog, Secunia, FrSIRT and the SANS Internet Storm Center, and the Techmeme discussion.

Topics: Servers, Security, Windows

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
