Windows DNS Server code execution hole under attack


Summary: A zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory. The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.


A zero-day vulnerability in the DNS server service in Windows is under attack, Microsoft warned in a security advisory.

The "limited attacks" are exploiting a stack overflow error in the Windows Domain Name System (DNS) Server's RPC interface implementation when processing malformed requests sent to a port between 1024 and 5000.

The flaw allows remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending a specially crafted request to a vulnerable system. 

Affected Windows versions include:
  • Windows 2000 Server Service Pack 4
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2.

Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

In its pre-patch advisory, Microsoft has issued the following recommendations:

  • Disable the remote management over RPC capability for DNS Servers via a registry key setting.  Instructions are available in the "suggested actions" section of the advisory.
  • Block all unsolicited inbound traffic on ports between 1024 and 5000.  Because the RPC interface of Windows DNS is bound to a port in this range, blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.  (George Ou has more on this, including instructions on firewall filtering).
  • Enable advanced TCP/IP filtering on systems to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Knowledge Base article 309798.
  • Block the affected ports 1024 to 5000 by using IPsec on the affected systems. Detailed information about IPsec and about how to apply filters is available in Knowledge Base article 313190 and Knowledge Base article 813878.
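As an added example (not code from the article or from Microsoft's advisory), the script below checks the port-blocking recommendation against firewall evidence: it parses constructed Windows Firewall (pfirewall.log, W3C-style) records and reports inbound TCP/UDP traffic from untrusted sources to ports 1024 to 5000, flagging any packet the firewall let through rather than dropped. The log lines, the column layout and the trusted networks are assumptions made for the example.

```python
import ipaddress

# Constructed Windows Firewall log (pfirewall.log, W3C style) for this example; not real traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-04-13 09:12:01 DROP TCP 203.0.113.45 192.168.1.10 4432 1025 48 S 12345 0 65535 - - - RECEIVE
2007-04-13 09:12:02 OPEN TCP 192.168.1.22 192.168.1.10 3021 53 - - - - - - - - RECEIVE
2007-04-13 09:12:05 OPEN-INBOUND TCP 198.51.100.7 192.168.1.10 51000 1030 - - - - - - - - RECEIVE
2007-04-13 09:12:09 DROP UDP 203.0.113.45 192.168.1.10 4433 4999 60 - - - - - - - RECEIVE
2007-04-13 09:12:11 OPEN TCP 192.168.1.10 192.168.1.1 1040 445 - - - - - - - - SEND
"""

RPC_PORTS = range(1024, 5001)  # port range named in the advisory
# Trusted (internal) networks are an assumption for this example.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def is_trusted(ip_text, nets=TRUSTED_NETS):
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in nets)
    except ValueError:  # unparsable source address: treat as untrusted
        return False


def find_rpc_range_hits(text, nets=TRUSTED_NETS):
    """Inbound TCP/UDP from untrusted sources to ports 1024-5000; blocked=False
    means the firewall let it through, so the workaround is not in place."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["path"] != "RECEIVE" or rec["protocol"] not in ("TCP", "UDP"):
            continue
        if not rec["dst-port"].isdigit() or int(rec["dst-port"]) not in RPC_PORTS:
            continue
        if is_trusted(rec["src-ip"], nets):
            continue
        hits.append({"src": rec["src-ip"], "proto": rec["protocol"],
                     "dst_port": int(rec["dst-port"]), "blocked": rec["action"] == "DROP"})
    return hits
```

On the sample data the untrusted inbound hit that was not dropped (198.51.100.7 to TCP/1030) is the one worth acting on, since it shows the firewall rule the advisory recommends is missing for that path.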

I have not seen public exploit code at any of the usual research Web sites but, as this issue escalates (as it surely will), proof-of-concepts will be made available. 

Also see advisories from the MSRC blog, Secunia, FrSIRT and the SANS Internet Storm Center, and the Techmeme discussion.

Topics: Servers, Security, Windows


Talkback

7 comments
  • Oh my, what next?

    Maybe it's high time to pull the plug on Microsoft products until this gets fixed. Then again, why should I care, I'm protected.
    Intellihence
    • You're not really protected

      This flaw is perfect for the botnet guys responsible for all that spam in your inbox.

      _r
      Ryan Naraine
      • What spam?

        I see maybe 3-5 spams a month. And I have had the same e-mail since 1998. ]:)

        Okay yes I know spam is a problem, but it can be avoided and alleviated. I have several e-mails, but the one I have had since 1998 and still use to this day (just got some cool new music from my buds band!) never gets used or published for online transactions. That is what GMail and Yahoo mail are for. That and way back when I understood that using something that could be discovered by using a dictionary scan was a bad idea.

        I taught my clients this technique and my family as well. And we don't see very much spam and when we do... it's rather a surprise that one got to us. So I am protected, in more ways than one. ]:)
        Linux User 147560
        • The costs

          Yes, but there is a cost to filter/control the spam barrage. A real, growing financial cost. These flaws add to an ecosystem problem that isn't limited to Windows.

          _r
          Ryan Naraine
  • Ouch

    This is a biggie. I see an out of cycle patch in my crystal ball.
    toadlife
    • The firewall hardening measures are enough

      The firewall hardening measures are enough that you don't need an out-of-band patch. The hardening measures should be run anyways regardless of the vulnerability. It's not worth doing an emergency patch when there is an effective and practical workaround. I can't say the same for those Office exploits where the only "work-around" is to avoid opening infected files.
      georgeou
      • Office Documents

        How do you know whether or not a file is infected unless you open it first?

        There *IS* a work-around to the Office exploits which is 100% effective: don't use Office.
        fde101