Microsoft Windows SMTP服务可预测DNS查询ID漏洞（MS10-024）

BUGTRAQ ID: 39908
CVE ID: CVE-2010-1689

Microsoft Windows是微软发布的非常流行的操作系统。

Windows系统中的SMTP服务所生成的DNS查询中transaction ID字段值是可预测的：

/-----
4FB5530C
4FB5530C loc_4FB5530C:
4FB5530C mov [esi+3Ch], eax
4FB5530F mov eax, [ebp+arg_8]
4FB55312 mov ecx, ushort gwTransactionId
4FB55318 inc word ptr ushort gwTransactionId
4FB5531F shr eax, 2
4FB55322 not eax
4FB55324 and eax, 1
4FB55327 push eax
4FB55328 push ecx
4FB55329 push [ebp+arg_4]
4FB5532C lea eax, [ebp+hostshort]
4FB5532F push [ebp+lpMultiByteStr]
4FB55332 push eax
4FB55333 push dword ptr [esi+3Ch]
4FB55336 call DnsWriteQuestionToBuffer_UTF8(x,x,x,x,x,x)
4FB5533B test eax, eax
4FB5533D jnz short loc_4FB5537E

• -----/

在4FB55318处用于生成出站DNS查询的查询ID字段的值仅仅是对所发送的新查询进行递增，因此恶意服务器可以相对容易的破解随机数，并通过伪造响应执行中间人等网络欺骗攻击。

Microsoft Exchange Server 2010
Microsoft Exchange Server 2007 SP2
Microsoft Exchange Server 2007 SP1
Microsoft Exchange Server 2003 SP3
Microsoft Exchange Server 2003 SP2
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000 SP4
厂商补丁：

Microsoft

Microsoft已经为此发布了一个安全公告（MS10-024）以及相应补丁:
MS10-024：Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
链接：http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx?pf=true