The vulnerability exists due to how Windows DNS server parses an incoming DNS query, as well as how forwarded DNS queries are handled. Specifically, sending a DNS response with a SIG record over 64KB can “cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer,” the team says.

“If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more,” Check Point says.

As the service runs in elevated privileges, if it is compromised, an attacker is also granted Domain Administrator rights. In limited scenarios, the vulnerability can be triggered remotely through browser sessions.
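As an added illustration (not code from Check Point, Microsoft or the articles quoted here), a small DNS wire-format walker that a defender can run over captured responses to flag SIG records with an unusually large RDLENGTH, the record type the report names; the 16 KB alert threshold and the sample message it builds are constructed assumptions.

```python
import struct

TYPE_SIG = 24                # RR type number for SIG (RFC 2535)
SIG_RDATA_LIMIT = 16 * 1024  # assumed alert threshold; real SIG RDATA is a few hundred bytes

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def find_large_sig_records(msg: bytes, limit: int = SIG_RDATA_LIMIT) -> list:
    """Walk a DNS message and return every SIG RR whose RDLENGTH exceeds `limit`."""
    if len(msg) < 12:
        raise ValueError("message too short for a DNS header")
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    if not flags & 0x8000:
        return []  # QR bit clear: a query, which carries no answer data
    off = 12
    for _ in range(qd):  # skip the question section
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    findings = []
    for _ in range(an + ns + ar):  # answer, authority and additional sections
        start = off
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SIG and rdlen > limit:
            findings.append({"offset": start, "rdlength": rdlen})
        off += rdlen
    return findings

def build_sample_response(sig_rdlen: int) -> bytes:
    """Constructed test message: one A question plus one SIG answer with the given RDLENGTH."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SIG, 1, 300, sig_rdlen) + b"\x00" * sig_rdlen
    return header + question + answer
```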

As you probably know, DNS is short for Domain Name System, and it’s a distributed, global database that converts human-friendly computer names such as nakedsecurity.sophos.com into network numbers that computers can use, such as 192.0.66.200. (At least, that’s what the name-to-number mapping was for us at 2020-07-15T12:00Z.)

Loosely speaking, there are two broad classes of DNS software: clients that send out requests asking questions such as “where is nakedsecurity to be found?”, and servers that work out the answers to those requests and send back the responses.

Interestingly, the CVE-2020-1350 bug exists in a part of the Windows DNS software that listens for DNS responses coming back, rather than in the part that listens for DNS questions sent out in the first place.

In other words, you’re probably thinking that this bug would have to be in the client code, and would, therefore, affect every Windows computer on the network – after all, DNS servers are there to receive requests, while it’s DNS clients that receive responses.

But DNS servers often need to perform client-like functions, for example by passing on requests that they can’t answer themselves to other servers that can, reading in the replies and reformatting them to reply to the original client request that came in.

So many, if not most, DNS servers – including the Windows DNS server – have code built into them that not only listens for requests but also processes responses from other servers.

This bug, according to the Check Point researchers who discovered it, is unique to the Windows DNS server software (dns.exe) because the Windows DNS server and client programs don’t seem to share any code.
