Zero-day RPC flaw in Microsoft DNS exploited in the wild


According to David Maynor of Erratasec, a zero-day exploit against the Microsoft DNS Server service is being seen in the wild. It affects fully patched Windows 2000 Server, Windows Server 2003 and Windows Server 2003 R2 on every service pack. This is unusual for Microsoft's DNS service, which has gone many years without a serious server-side flaw. Fortunately, the attacks appear to be limited, because the vulnerable interface is not normally exposed to the Internet behind a properly configured firewall. Below I'll show you how to protect your Microsoft DNS servers.

The vulnerability is in the RPC management interface of the Windows DNS Server service, not in the DNS protocol itself, so port 53 is not the attack vector. A properly configured firewall permits only inbound UDP 53 to the DNS server; TCP 53 needs to be open only for responses too large to fit in a UDP datagram (clients retry those over TCP) and for zone transfers. The RPC interface for Windows DNS listens on a dynamic port in the 1024 to 5000 range, which management clients locate through the RPC endpoint mapper on TCP 135. Microsoft suggests blocking these ports but doesn't really say how or where to do that, so I'll explain below.

The external firewall should deny everything by default and permit only UDP 53 to your Internet-facing authoritative DNS server. TCP 53 should not normally be opened unless you serve records too large for a UDP response. Targeted openings on TCP 53 can be made for the designated secondary servers that need zone transfers. Unfortunately, this does nothing to protect you from the internal LAN: a worm or an attacker that already has a foothold inside can reach the RPC port directly. For that you need a host-based firewall, such as the one built into Windows Server 2003 from SP1 onward.

Once you enable the host-based firewall on Windows Server 2003, permit inbound UDP and TCP 53 on the DNS server. Then allow inbound ports 1024-5000 (and TCP 135 for the RPC endpoint mapper, which the DNS console uses to find the dynamic port) only from the designated management stations that need to manage DNS remotely. You'll also need to open TCP 3389 to those management stations if you want to Remote Desktop into the DNS server. This is the best interim measure to keep your DNS server from being hacked and taken over, and even when the patch becomes available you should keep these hardened firewall settings as best practice. Note that if your Active Directory domain controller also hosts DNS, you'll need to follow these instructions to open the additional ports a domain controller needs to function.
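The host-firewall steps above, as an added example that is not part of the original post: a PowerShell script that drives the Windows Server 2003 SP1 built-in firewall through netsh. The management-station and secondary-server addresses are assumptions; replace them with your own. Because netsh firewall has no port-range syntax, the script does not add 3,977 individual exceptions for 1024-5000; instead it allows the dns.exe program (which hosts the DNS Server service and its RPC interface) only from the management stations, which covers whichever dynamic port it registered, and it opens TCP 135 to the same stations so the DNS console can find that port.

```powershell
# Added example (not from the original post): harden the Windows Server 2003
# SP1+ built-in firewall on a DNS server with netsh. Run in an elevated
# PowerShell prompt on the DNS server itself. "netsh firewall" is the
# 2003-era interface; it was replaced by "netsh advfirewall" in later versions.

$MgmtStations = "10.0.0.10,10.0.0.11"   # ASSUMED admin workstations (DNS console, RDP)
$Secondaries  = "192.0.2.53"            # ASSUMED secondary that pulls zone transfers

# 1. Firewall on, inbound denied by default, exceptions (the rules below) honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 2. DNS itself: UDP 53 from anywhere. TCP 53 only where responses do not fit
#    in UDP or for zone transfers; here it is limited to the secondaries.
netsh firewall add portopening protocol=UDP port=53 name="DNS (UDP)" mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=53 name="DNS (TCP, secondaries)" mode=ENABLE scope=CUSTOM addresses=$Secondaries

# 3. Remote DNS management from the management stations only. The DNS console
#    first asks the RPC endpoint mapper (TCP 135) which dynamic port dns.exe
#    registered, then connects to that port; a program exception scoped to the
#    management stations admits that dynamic port without enumerating 1024-5000.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (mgmt only)" mode=ENABLE scope=CUSTOM addresses=$MgmtStations
netsh firewall add allowedprogram program="$env:SystemRoot\system32\dns.exe" name="DNS Server RPC (mgmt only)" mode=ENABLE scope=CUSTOM addresses=$MgmtStations

# 4. Remote Desktop from the management stations only.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (mgmt only)" mode=ENABLE scope=CUSTOM addresses=$MgmtStations

# 5. Verify. Show the dynamic port dns.exe is actually listening on, then the
#    exception list. From a host that is not a management station, a TCP
#    connection to that port should now time out rather than connect.
$dnsPid  = (Get-Process -Name dns).Id
$pattern = 'LISTENING\s+' + $dnsPid + '\s*$'
netstat -ano -p tcp | Select-String -Pattern $pattern
netsh firewall show config
```

If the server is also a domain controller, the program exception for dns.exe is not enough on its own: clients and other DCs need the additional ports a DC requires, which this script does not open.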

Microsoft also offers a registry modification, but that simply disables remote management completely; you can't selectively allow it for certain management stations. I wouldn't recommend the registry fix, because you have no fine-grained control: remote DNS management is either on or off. But if you're running Windows 2000 for DNS, the registry key is your only choice unless you install a third-party firewall (Windows 2000 has no built-in host-based firewall). If you don't want to use the firewalling method and want the registry key instead, I have a REG file here for you to download. This does mean you won't be able to manage DNS remotely, but you can still do so locally at the console or over Remote Desktop. Note that to undo the registry change you'll have to use regedit and delete the RpcProtocol value (it is a value, not a key) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, then restart the DNS Server service so it rereads the setting.
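The registry workaround and its undo, as an added example rather than the REG file from the original post: PowerShell functions that set and remove the RpcProtocol value and restart the DNS Server service, plus a helper that writes an equivalent REG file for a Windows 2000 host, where PowerShell is not available and regedit is the only option. The value 4 (DNS_RPC_USE_LPC, local RPC only) is the one Microsoft's advisory for this flaw specifies; treat it as an assumption to check against the advisory before relying on it.

```powershell
# Added example (not the original post's REG file): apply and undo the
# RpcProtocol workaround. Run in an elevated PowerShell prompt on the DNS
# server (Windows Server 2003 with PowerShell 1.0 or later).

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
# ASSUMED from Microsoft's advisory: 1 = RPC over TCP/IP, 2 = RPC over named
# pipes (both remote), 4 = local RPC only. Absent value = Microsoft's default,
# remote management enabled.
$LocalOnly = 4

function Get-DnsRpcProtocol {
    # Current RpcProtocol value, or $null when the value does not exist.
    $p = Get-ItemProperty -Path $DnsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($p) { return $p.$ValueName } else { return $null }
}

function Restart-DnsServer {
    # The DNS Server service reads RpcProtocol only at start-up.
    Restart-Service -Name DNS -Force
}

function Disable-DnsRemoteRpc {
    # Same effect as importing the REG file: create or overwrite the DWORD.
    New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
                     -Value $LocalOnly -Force | Out-Null
    Restart-DnsServer
}

function Enable-DnsRemoteRpc {
    # The undo step from the post: delete the value (not a key), then restart.
    if ((Get-DnsRpcProtocol) -ne $null) {
        Remove-ItemProperty -Path $DnsParams -Name $ValueName
    }
    Restart-DnsServer
}

function New-DnsRpcProtocolRegFile {
    # For Windows 2000, which has no host firewall and no PowerShell: write the
    # same change as a REGEDIT4 (ANSI) file to import there with "regedit /s".
    param([string]$Path = "$env:TEMP\DisableDnsRemoteRpc.reg")
    $text = @"
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"RpcProtocol"=dword:00000004
"@
    Set-Content -Path $Path -Value $text -Encoding ASCII
    return $Path
}

# Apply, then confirm. Afterwards the DNS console on another machine should
# fail to connect, while local console or Remote Desktop management still works.
Disable-DnsRemoteRpc
"RpcProtocol is now: $(Get-DnsRpcProtocol)"
"REG file for Windows 2000 hosts written to: $(New-DnsRpcProtocolRegFile)"
```

Run Enable-DnsRemoteRpc once the patch is installed if you want remote management back; on a Windows 2000 host, delete the value in regedit and restart the DNS Server service by hand.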


Talkback

55 comments
  • Missing some good details..

    Last time I checked there was a zero day section...guess you guys are competing or something. Regardless, thanks for the heads up, but you did not post any details besides what is vulnerable.

    [b]"A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

    The vulnerability is caused due to a boundary error in an RPC interface of the DNS service used for remote management of the service. This can be exploited to cause a stack-based buffer overflow via a specially crafted RPC request.

    Successful exploitation allows execution of arbitrary code with SYSTEM privileges.

    NOTE: According to Microsoft, this is already being actively exploited on a limited scale."[/b]

    Quoted from http://secunia.com/advisories/24871/


    Though it is not some major exploit, you should still cover it in more detail if you're going to in fact report it.
    Brandon Dixon
    • I guess I figured it was more important to show people how to fix it

      I guess I figured it was more important to show people how to fix it rather than dwell on the issue. Gee, where are my priorities?
      georgeou
  • Bottom Line

    The exploit doesn't affect those who took the time to properly configure their firewall to begin with.

    Once again, MS getting pounded in the press for a vulnerability that is real, however, shouldn't really affect anyone to begin with.
    rkuhn040172@...
    • You shouldn't need a firewall to run a system securely

      You shouldn't need to run a firewall (external or internal) to run a server or desktop securely. A properly configured operating system doesn't run services on *any* ports not *actively* required by the software that the user or administrator is using the computer for. In UNIX, services are almost entirely managed by a superserver, and it's trivial to make that superserver bind listening ports to localhost or an inside port only... and the few services that don't run from a superserver have similar configuration parameters because, well, people expect it.

      Microsoft not only doesn't have a superserver (due to flaws in their clone of Berkeley sockets) but they provide no way to configure what ports most services listen on. Instead of a superserver, they have a variety of services (like their RPC implementation) that hook internal components together. But these are complex programs, which not only means they are more likely to have bugs, but also means there are no alternate implementations that take a higher security approach. On top of that, you *can't* disable many of these services if you're a member of a domain.

      So you need a firewall to get the same level of security most other systems give you "out of the box".

      On top of that, Microsoft's networking uses RPC and named pipes where traditional Internet applications use servers and ports, so to get the kind of control that a packet filter firewall gets from limiting access to ports you'd need a firewall that *also* limited access based on the name... but they don't allow you to filter connections down to the "named pipe" level.

      You can't get away from using Windows on the desktop at most companies, but why use it for internet-facing services? Use an OS designed for a hostile environment (trust me, a university network is a hostile environment) not a greenhouse like an isolated office LAN.
      Resuna
      • You're probably right, but...

        ...people should be careful when walking through mine fields too. It may nevertheless be advisable to either avoid the mine field, or to clear it.
        John L. Ries
      • Here we go again with the overreacting.

        Look at the following:

        me@solaris$ ps -ef | grep named
        root 11864 1 0 13:45:21 ? 2:18 /usr/sbin/named

        See that process there? That's the DNS server running on my Solaris 10 system. See the word "root" in that line? That's the process owner. Now take look at the following:

        me@solaris$ /usr/sbin/named -v
        BIND 9.2.4

        And from the ISC org website (http://www.isc.org/index.pl) we have the following:

        SECURITY ADVISORIES

        * CVE-2007-0494
        * CVE-2006-4095
        CERT Vulnerability Note VU#697164
        NISCC 172003

        As you can see Bind 9.2.4 has a few security vulnerabilities that were corrected in later releases (or, as in my case, patched by the vendor).

        So what's my point? UNIX is no less susceptible than Windows.
        ye
        • Speak for yourself buster!

          [i]
          me@solaris$ ps -ef | grep named
          root 11864 1 0 13:45:21 ? 2:18 /usr/sbin/named[/i]

          We don't all do it your way...
          [pre]
          web:~ # ps -ef | grep named
          named 3216 1 0 Apr04 ? 00:00:46 /usr/sbin/named -t /var/lib/named -u named
          [/pre]
          bportlock
          • This is *SUNS* way, not my way.

            This is how the owner of the service is set as shipped from Sun. Don't like it? Take it up with them. Until such time your whining won't change the fact that there are Solaris systems that have this default configuration.
            ye
          • You mis-understand me...

            [i]"This is how the owner of the service as shipped from Sun. Don't like it? Take it up with them."[/i]

            It's not that I don't like it. I don't care. I don't use Sun.

            What I was pointing out is that you do not speak for all Unixes/Linuxes. Not all *nix systems are the same or have the same defaults.


            [i]"Until such time your whining won't change the fact that there are Solaris systems that have this default configuration."[/i]

            Me? Whining about Solaris? Hahahahahahhaaa!!!!! In your wettest dream perhaps. As I said, they mean NOTHING to me. About the same as Windows.
            bportlock
          • It was done to show no OS is a panacea wrt security.

            People keep bashing Windows as insecure when in fact it is no less secure than the alternatives the ABMers push. The same issues are faced by all of them.
            ye
          • Read my post again....

            .... and show me where I bashed Windows. You won't find it.

            [i]"People keep bashing Windows as insecure"[/i]

            Indeed they do but I was bashing YOUR implication that "Solaris is delivered in this state, therefore ALL *nix OSs have the same problem".
            bportlock
          • Please re-read my post and point out where I said "You"

            Clearly I used the word "People". Unless this word has become synonymous with the word "you" you've done nothing but build a strawman.
            ye
  • useful...

    The most useful vector for this exploit is adding it to a bot that is already inside a company and using it to grow the attacker's influence.
    dmaynor
    • Thanks for being so helpful! :^0

      Hilarious! In other words: "...Here's how to exploit this vulnerability even more effectively by working around Microsoft's recommended counter-measures...". Thanks for being so helpful! :^0


      P.S. I presume you're just being funny and at the same time point out that this is a serious vulnerability that cannot be made "safe" by merely changing the firewall.
      TechExec2
      • No, you're not reading that right

        No, you're not reading that right. The proper counter measures actually protect it on the inside as well.
        georgeou
        • No. Microsoft's recommended countermeasures are a heavy burden

          In order to protect from the internal network attack, system operators must install, configure, and maintain a firewall on every single Windows server. That's a pretty heavy burden. A site with 1,000 Windows servers behind a firewall would have a lot of work to do. Any site that doesn't want to do that will reject Microsoft putting this on them and rightfully demand a fix. For them, Microsoft's countermeasures would be unacceptable. This is Microsoft's failure and Microsoft should fix it.
          TechExec2
  • Zero-day RPC [i]EXPLOIT[/i] in Microsoft DNS

    [b]Zero-day RPC "flaw" in Microsoft DNS? It's a friggin' zero-day [i]EXPLOIT![/i][/b]

    It's patently obvious why you refer to a mere corrected never-exploited vulnerability in Firefox as an "exploit" and a zero-day exploit in a Microsoft product as a "flaw".


    [b]Microsoft Windows is the most unsafe OS on the face of the Earth[/b]

    Microsoft Windows is the most unsafe operating system to run on the face of the Earth. The reason is not just code quality and security. It's also because there are more bad guys trying to break into it. And, there always will be.

    Smart people run something else, just like they choose to make their home and raise their children in a safe neighborhood instead of a crime-ridden one.



    ----------------------------------------

    (1) Vulnerability
    http://en.wikipedia.org/wiki/Vulnerability_%28computer_science%29

    (2) Exploit (attack)
    http://en.wikipedia.org/wiki/Exploit_%28computer_security%29

    (3) Malware
    http://en.wikipedia.org/wiki/Malware
    TechExec2
    • Wow dude...

      Settle down there man. Since you seem to hate Microsoft so much why you getting all hot and bothered here?

      The only thing I can guess is that because Windows Server is kicking the crap out of your favorite OS that you must have that "short guy" syndrome and have to lash out or something. Pretty lame, especially given the non-serious nature of this threat.
      BFD
      • So, you disagree? Windows is not the most unsafe OS?

        Diverting attention to me is pretty weak. My post was not about me. But, yours was.

        My post is not about hate. It's simply the truth. Windows is the most unsafe OS on the face of the Earth. And, I've explained why I think so. If you disagree, you should say so and explain why you think so.

        Secondly, my post is pointing out the obvious manipulation of language designed to mislead and misinform people in this blog.

        Thirdly, I run Windows as well as other OSes. I have to run some Windows only because other people do. If they would stop, I could stop. So, I blame YOU! :^0 :^0 :^0
        TechExec2
        • interesting dilemma

          "It's also because there are more bad guys trying to break into it. And, there always will be."

          You are correct.

          But then again.....
          "I have to run some Windows only because other people do. If they would stop, I could stop. So, I blame YOU!"

          If everyone stopped, your OS would now be the most unsafe on the planet (not saying it isn't already, I'm just going with your assumptions). Since I know you don't want that... perhaps you should be encouraging everyone to use Windows. ;)
          Badgered