Microsoft Windows SMTP服务可预测DNS查询ID漏洞(MS10-024)

2010-05-06T00:00:00
ID SSV:19559
Type seebug
Reporter Root
Modified 2010-05-06T00:00:00

Description

BUGTRAQ ID: 39908 CVE ID: CVE-2010-1689

Microsoft Windows是微软发布的非常流行的操作系统。

Windows系统中的SMTP服务所生成的DNS查询中transaction ID字段值是可预测的:

/----- 4FB5530C 4FB5530C loc_4FB5530C: 4FB5530C mov [esi+3Ch], eax 4FB5530F mov eax, [ebp+arg_8] 4FB55312 mov ecx, ushort gwTransactionId 4FB55318 inc word ptr ushort gwTransactionId 4FB5531F shr eax, 2 4FB55322 not eax 4FB55324 and eax, 1 4FB55327 push eax 4FB55328 push ecx 4FB55329 push [ebp+arg_4] 4FB5532C lea eax, [ebp+hostshort] 4FB5532F push [ebp+lpMultiByteStr] 4FB55332 push eax 4FB55333 push dword ptr [esi+3Ch] 4FB55336 call DnsWriteQuestionToBuffer_UTF8(x,x,x,x,x,x) 4FB5533B test eax, eax 4FB5533D jnz short loc_4FB5537E

  • -----/

在4FB55318处用于生成出站DNS查询的查询ID字段的值仅仅是对所发送的新查询进行递增,因此恶意服务器可以相对容易的破解随机数,并通过伪造响应执行中间人等网络欺骗攻击。

Microsoft Exchange Server 2010 Microsoft Exchange Server 2007 SP2 Microsoft Exchange Server 2007 SP1 Microsoft Exchange Server 2003 SP3 Microsoft Exchange Server 2003 SP2 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000 SP4 厂商补丁:

Microsoft

Microsoft已经为此发布了一个安全公告(MS10-024)以及相应补丁: MS10-024:Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx?pf=true