Critical DNS Bug Opens Windows Servers to Infrastructure Takeover

A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.

It turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 – the highest allowed. Most concerning to researchers however is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.

“[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.

Microsoft released a patch for the vulnerability, identified as CVE-2020-1350, and urged customers to prioritize an update to their systems. Check Point is calling the bug SigRed – a nod to the vulnerable DNS component and function “dns.exe”.

A hacker can gain Domain Administrator rights over the server, “enabling the hacker to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more. In effect, the hacker could seize complete control of a corporation’s IT,” researchers wrote, in a technical analysis of the bug, posted Tuesday.

Patching Is an Imperative

Upping the chance for exploitation by a hacker is the relatively simple prerequisites needed to exploit the vulnerability. “The likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,” researchers noted.

“This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,” Microsoft wrote in a post Tuesday. “While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.”

Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that “if applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. The update and the workaround are both detailed in CVE-2020-1350.”

“CVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,” Chris Hass, director of information security and research at Automox, told Threatpost.

“A wormable vulnerability like this is an attacker’s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,” Hass said.

Exploiting a 17-Year-Old Bug

The flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.

By abusing the dns.exe module, two attack surfaces were created by researchers. One is a “bug in the way the DNS server parses an incoming query.” And the second is “a bug in the way the DNS server parses a response (answer) for a forwarded query.”

The attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(O). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researcher were able to create a successful crash.

“Although it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,” they wrote.

This local attack then was replicated remotely, by “smuggling DNS inside HTTP” requests on Microsoft Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). Because DNS can be transported over TCP — and Windows DNS Server supports this connection type – researchers were able to craft a HTTP payload.

“Even though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,” they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by “smuggling” DNS query data inside the POST data located in the HTTP request.

Chromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited Internet Explorer and Microsoft Edge.

“Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,” Check Point wrote.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.