17 Year Critical ‘Wormable’ RCE Vulnerability Affects Windows DNS Servers



Cybersecurity researchers today revealed a new critical vulnerability, with a severity score of 10 out of 10 on the CVSS scale, affecting Windows Server versions 2003 through 2019.

The 17-year-old remote code execution flaw (CVE-2020-1350), named 'SigRed' by Check Point, could allow an unauthenticated remote attacker to gain domain administrator privileges over targeted servers and take complete control of an organization's IT infrastructure.

A threat actor can exploit the SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieving arbitrary code execution, allowing the attacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest user credentials and more.

In a detailed report shared with The Hacker News, Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread from one vulnerable computer to another without human interaction.

“A single exploit can initiate a chain reaction that allows attacks to spread from one vulnerable machine to another without requiring any human interaction,” said the researcher.

“This means that a single compromised machine could be a ‘super-broadcaster’, allowing the attack to spread across the organization’s network within minutes of the first exploit.”

After the cybersecurity company responsibly disclosed its findings to Microsoft, the Windows maker prepared a patch for the vulnerability and rolled it out today as part of its July Patch Tuesday, which also includes security updates for 122 other vulnerabilities, with a total of 18 flaws rated critical and 105 rated important in severity.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and advised users to install patches immediately.

“Windows DNS Server is a core networking component. While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Microsoft said.

Crafting malicious DNS responses

Stating that the goal was to identify a vulnerability that would allow an unauthenticated attacker to compromise a Windows domain environment, Check Point researchers said they focused on Windows DNS, specifically looking closely at how a DNS server parses an incoming query or a response to a forwarded query.

A forwarded query occurs when a DNS server cannot resolve the IP address of a given domain name (for example, www.google.com), causing the query to be forwarded to an authoritative DNS name server (NS).

To exploit this architecture, SigRed involves configuring a domain's NS resource records (“deadbeef.fun”) to point to a malicious name server (“ns1.41414141.club”) and querying the target DNS server for that domain, so that the target parses the malicious name server's responses for all subsequent queries related to the domain or its subdomains.

With this setup, an attacker can trigger an integer overflow flaw in the function that parses incoming responses to forwarded queries (“dns.exe!SigWireRead”) by sending a DNS response containing a SIG resource record larger than 64 KB, inducing a “controlled heap-based buffer overflow of roughly 64 KB over a small allocated buffer.”

In other words, the flaw targets the function responsible for allocating memory for the resource record (“RR_AllocateEx”): a computed size larger than 65,535 bytes overflows the 16-bit size field, leading to a much smaller allocation than expected.

But with a single DNS message limited to 512 bytes over UDP (or 4,096 bytes if the server supports extension mechanisms) and 65,535 bytes over TCP, the researchers found that a SIG response with a long signature alone was not enough to trigger the vulnerability.

To get around this, the attack abuses DNS name compression in DNS responses: compressed names expand to a larger size when the record is parsed, increasing the computed allocation size by a significant amount and producing the buffer overflow described above.

Remote exploitation of the flaw

That's not all. SigRed can be triggered remotely via a browser in limited scenarios (for example, Internet Explorer and non-Chromium-based Microsoft Edge browsers), allowing an attacker to abuse Windows DNS servers' support for connection reuse and query pipelining to “smuggle” a DNS query inside an HTTP request payload to a target DNS server when a victim visits a website under the attacker's control.

Additionally, the bug can be further exploited to leak memory addresses by corrupting the metadata of a DNS resource record, and even to achieve write-what-where capabilities, allowing an adversary to hijack the flow of execution and make it run unintended instructions.

Surprisingly, DNS clients (“dnsapi.dll”) are not susceptible to the same bug, leading the researchers to suspect that “Microsoft manages two completely different code bases for the DNS server and DNS client, and does not synchronize bug patches between them.”

Given the severity of the vulnerability and the high potential for active exploitation, it is recommended that users patch their affected Windows DNS servers to mitigate the risk.

As a workaround, the maximum length of a DNS message over TCP can be set to “0xFF00” to eliminate the chance of a buffer overflow:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS
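The same workaround as a PowerShell script that can apply it, verify whether it is in effect, and remove it once the July 2020 security update has been installed. This is an added example, not from the article, Check Point or Microsoft; it assumes it runs in an elevated session on the DNS server itself, and the key path, value name and 0xFF00 limit are the ones given above.

```powershell
# Added example: manage the TcpReceivePacketSize workaround for CVE-2020-1350.
# Run elevated on the Windows DNS server. Actions: Apply, Verify (default), Revert.
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify'
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeMax   = 0xFF00   # recommended limit from the article, below the 64 KB boundary

function Get-CurrentSetting {
    # Returns the DWORD as an integer, or $null when the value is not set
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$ValueName
}

function Restart-DnsServerService {
    # Equivalent of "net stop DNS && net start DNS"; the change takes effect on restart
    Restart-Service -Name DNS -Force -ErrorAction Stop
}

if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    Write-Error 'DNS Server service not found; this host is not a Windows DNS server.'
    exit 1
}

$current = Get-CurrentSetting
switch ($Action) {
    'Apply' {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $SafeMax -Force | Out-Null
        Restart-DnsServerService
        Write-Output ("Set {0} to 0x{1:X} and restarted DNS." -f $ValueName, $SafeMax)
    }
    'Revert' {
        # Remove the workaround after the security update is installed (default limit returns)
        if ($null -ne $current) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
            Restart-DnsServerService
        }
        Write-Output "Removed $ValueName; default TCP message limit in effect."
    }
    default {
        if ($null -eq $current) {
            Write-Output "$ValueName not set: workaround NOT applied (default 64 KB limit)."
        } elseif ($current -le $SafeMax) {
            Write-Output ("{0} = 0x{1:X}: workaround applied." -f $ValueName, $current)
        } else {
            Write-Output ("{0} = 0x{1:X}: above 0xFF00, workaround NOT effective." -f $ValueName, $current)
        }
    }
}
```

Run it with `-Action Verify` on each DNS server first to inventory which hosts still lack the setting, then `-Action Revert` after the patch is confirmed installed.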

“A DNS server breach is a very serious thing. Most of the time, it puts the attacker within an inch of breaching the entire organization. There are only a handful of these vulnerability types ever released,” Omri Herscovici of Check Point told The Hacker News.

“All organizations, large or small, that use Microsoft's infrastructure are at great security risk if they are not patched. The risk would be a complete breach of the entire corporate network.”
