Microsoft Windows SMTP服务DNS响应字段验证DNS欺骗漏洞(MS10-024)

2010-05-06T00:00:00
ID SSV:19560
Type seebug
Reporter Root
Modified 2010-05-06T00:00:00

Description

BUGTRAQ ID: 39910 CVE ID: CVE-2010-1690

Microsoft Windows是微软发布的非常流行的操作系统。

Windows系统中的SMTP服务没有检查从网络所接收到DNS响应的ID字段值是否实际匹配之前所发送DNS查询报文的ID字段值,恶意服务器可以通过返回伪造的查询响应执行中间人等网络欺骗攻击。

微软通过MS10-024公告中所提供的补丁修复了这个漏洞,但并没有在公告中披露这个漏洞。以下代码段显示的是补丁对 CAsyncDns::ProcessReadIO所添加的验证代码:

/----- 4FB5517F 4FB5517F loc_4FB5517F: 4FB5517F mov ecx, [esi+34h] <-- Transaction ID received from the network 4FB55182 mov dx, [esi+590h] <-- Transaction ID set at "4FB55669: mov [esi+590h], ax" 4FB55189 cmp dx, [ecx] 4FB5518C jz loc_4FB5

  • -----/

由于在CAsyncDns::DnsParseMessage之前调用了CAsyncDns::ProcessReadIO,补丁有效的添加了之前所缺失的对DNS响应中ID值的验证。

Microsoft Exchange Server 2010 Microsoft Exchange Server 2007 SP2 Microsoft Exchange Server 2007 SP1 Microsoft Exchange Server 2003 SP3 Microsoft Exchange Server 2003 SP2 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000 SP4 厂商补丁:

Microsoft

Microsoft已经为此发布了一个安全公告(MS10-024)以及相应补丁: MS10-024:Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx?pf=true