Source: myhack58 (ID MYHACK58:62201789591)

Important vulnerability warning: multiple heap buffer overflow vulnerabilities in the Windows DNS client (Vulnerability warnings, Black Bar Safety Net)

2017-10-12 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.704 High (Percentile 97.7%)

In October 2017 Microsoft released an official fix for CVE-2017-11779, which covers multiple memory corruption vulnerabilities in the Windows DNS client. Computers running Windows 8/Server 2012 and later versions of the OS are affected, and an attacker can trigger these vulnerabilities with a malicious DNS response. With these vulnerabilities an attacker can achieve arbitrary code execution in any application that sends DNS requests.

This means that if an attacker controls your DNS server, for example through a man-in-the-middle attack or a malicious WiFi hotspot, they can gain access to your system. The impact is not limited to your web browser: your system constantly sends DNS queries in the background, and the attacker only needs to answer one of those queries to trigger the vulnerabilities and carry out the attack.

The researchers also produced a video giving a brief introduction to CVE-2017-11779; for more technical details, keep reading this article.

Vulnerability overview
Starting with Windows 8/Windows Server 2012, Microsoft extended the Windows DNS client with DNSSEC support; the relevant code lives in DNSAPI.dll. Among the DNS resource records (RRs) introduced to support DNSSEC are NSEC3 records, which are parsed by the Nsec3_RecordRead function.
The vulnerabilities in CVE-2017-11779 are all related to Nsec3_RecordRead: the function fails to parse NSEC3 RRs safely, which leads to multiple out-of-bounds writes. The application using DNSAPI.dll is usually DnsCache, a service that runs inside svchost.exe and provides the DNS client and DNS cache for the Windows system. In addition, many other applications that need to send DNS queries also load this library.
Note that because these are flaws in the DNS parser, they cannot be triggered through a correctly behaving DNS server. They can only be triggered when the target receives a DNS response from a server under the attacker's control, so in practice the attacker needs to carry out a man-in-the-middle attack.
The DNS record type at the centre of these vulnerabilities is NSEC3. NSEC3 records help a DNS resolver verify that a queried name does not exist, as part of DNSSEC validation.
Vulnerability report
While you browse web pages, listen to music, or do nothing at all, your PC is constantly sending DNS queries. Background tasks such as checking for Windows updates also send such queries. In most cases the application that sends a query does not see the response data directly: the response is first handled and stored by the DNS cache service so that subsequent applications can reuse it, which reduces the number of DNS queries the system has to send.
DNS is a plaintext protocol and offers no protection against man-in-the-middle attacks. For that reason Microsoft adopted DNSSEC (the DNS Security Extensions). This extension introduces several new DNS record types that let the DNS client and server exchange more information. DNSSEC aims to fix some existing security problems, but as you may have guessed, it also brought new ones with it.
Windows 8, Windows Server 2012 and later versions of the operating system added client-side DNSSEC validation, along with support for a variety of new DNS record types. One of these record types is the one with the vulnerability: NSEC3. When the Windows DNS client handles a DNS response containing an NSEC3 record, it does not perform the necessary filtering or sanitisation of the data. A malicious NSEC3 record can therefore trigger this vulnerability and corrupt the memory of the DNS client. If the attacker is skilled enough, they could even achieve arbitrary code execution on the target system.
Because such a record is malicious by design, it cannot pass through the DNS system: a DNS server that receives it will discard it, because it does not conform to the NSEC3 record specification. So to exploit these vulnerabilities, an attacker has to be positioned as a man-in-the-middle between the target user and the DNS server. For example, if you are using a coffee shop's WiFi and someone wants to attack you, they could compromise the router and then alter the DNS responses you receive.
Affected systems and how to fix them
All versions of Windows from Windows 8/Windows Server 2012 to Windows 10/Windows Server 2016 are affected by these vulnerabilities; versions of the operating system before Windows 8 are not affected.
If your computer runs one of these versions, we recommend that you immediately apply the security update Microsoft released in October 2017.
Technical details
The three heap buffer overflows in DNSAPI.dll can be triggered by a malicious DNS server or by a man-in-the-middle attacker that sends a malformed NSEC3 resource record (RR) in response to a DNS query. The researchers analysed DNSAPI.dll v6.3.9600.18512 (x86, Windows 8.1), and the findings were also confirmed on v10.0.14393.206 (x64, Windows 10).
Buffer allocation
Nsec3_RecordRead allocates the destination buffer (destbuf) for the NSEC3 response data by calling DNSAPI!Dns_AllocateRecordEx. The size of destbuf is determined by a 16-bit, user-controlled data length field, which is the common data length field of the DNS resource record format. By changing this data length field, an attacker can control the size of destbuf and then perform an out-of-bounds write.
The figure below is a Wireshark capture of an NSEC3 resource record; the blue-highlighted field at the top is the data length field:
![Wireshark capture of an NSEC3 resource record with the data length field highlighted](/Article/UploadPic/2017-10/20171012162910701.png?www.myhack58.com)
DNSAPI.dll reads this value in the Dns_ReadRecordStructureFromPacket function, and Nsec3_RecordRead then uses it to decide how large a buffer to allocate.
Heap buffer overflow #1: NSEC3 Salt Length
The first heap buffer overflow is at DNSAPI!Nsec3_RecordRead+0xB9, where the user-supplied 8-bit Salt Length value is used directly as the memcpy copy size. In the NSEC3 resource record sample we analysed, the NSEC3 Salt Length value is located as shown below:
![NSEC3 resource record with the Salt Length field highlighted](/Article/UploadPic/2017-10/20171012162931118.png?www.myhack58.com)
If the attacker can control the NSEC3 Salt Length value and make it larger than destbuf, they can use this heap buffer overflow to perform an out-of-bounds write.
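To show the check that the allocation and Salt Length sections describe as missing, here is an added example (not code from the article or from DNSAPI.dll): a hypothetical C parser for NSEC3 RDATA following the RFC 5155 wire layout, which bounds every embedded length (salt, next-hash, type bitmap windows) against the 16-bit RDLENGTH before each memcpy. The struct, function names and sample record are all constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical parsed form of NSEC3 RDATA (RFC 5155 wire layout), not DNSAPI's own struct. */
typedef struct {
    uint8_t  hash_alg, flags, salt_len, hash_len;
    uint16_t iterations;
    uint8_t  salt[255], next_hash[255];
} nsec3_rdata_t;
/* Parse 'rdlength' bytes of NSEC3 RDATA. Returns 0 on success, -1 when an embedded length
 * would run past rdlength: the bound the article says is missing before the Salt Length memcpy. */
int nsec3_parse(const uint8_t *rdata, uint16_t rdlength, nsec3_rdata_t *out) {
    size_t off = 5;                                    /* alg(1) flags(1) iter(2) salt_len(1) */
    if (rdlength < off) return -1;
    out->hash_alg   = rdata[0];
    out->flags      = rdata[1];
    out->iterations = (uint16_t)((rdata[2] << 8) | rdata[3]);
    out->salt_len   = rdata[4];
    if (out->salt_len > rdlength - off) return -1;     /* 8-bit salt length vs 16-bit RDLENGTH */
    memcpy(out->salt, rdata + off, out->salt_len);
    off += out->salt_len;
    if (off >= rdlength) return -1;                    /* hash_len byte must exist */
    out->hash_len = rdata[off++];
    if (out->hash_len == 0 || out->hash_len > rdlength - off) return -1;
    memcpy(out->next_hash, rdata + off, out->hash_len);
    off += out->hash_len;
    while (off < rdlength) {                           /* type bit maps: window, len, bitmap[len] */
        if (rdlength - off < 2) return -1;
        uint8_t bm_len = rdata[off + 1];
        if (bm_len < 1 || bm_len > 32 || bm_len > rdlength - off - 2) return -1;
        off += 2 + bm_len;
    }
    return 0;
}
/* Constructed sample: SHA-1, flags 0, 10 iterations, 4-byte salt, 20-byte hash, one bitmap window. */
static const uint8_t SAMPLE_NSEC3[] = { 1, 0, 0, 10, 4, 0xAA, 0xBB, 0xCC, 0xDD, 20,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 0, 1, 0x40 };
/* Well-formed record: parses and reports its 4-byte salt length. */
int parse_sample_salt_len(void) {
    nsec3_rdata_t r;
    return nsec3_parse(SAMPLE_NSEC3, sizeof SAMPLE_NSEC3, &r) == 0 ? r.salt_len : -1;
}
/* Same bytes with Salt Length rewritten to 200, past the end of the RDATA: must be rejected. */
int parse_oversized_salt(void) {
    uint8_t bad[sizeof SAMPLE_NSEC3];
    nsec3_rdata_t r;
    memcpy(bad, SAMPLE_NSEC3, sizeof bad);
    bad[4] = 200;
    return nsec3_parse(bad, sizeof bad, &r);
}
```

Without the `salt_len > rdlength - off` comparison, the second record would copy 200 bytes out of a 33-byte RDATA into a buffer sized from RDLENGTH, which is the shape of the overflow described above.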

