Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.
Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.
DNS vuln. now exploitable over port 445
From: Microsoft
We have today made some new additions to the advisory. We’ve added some new information about the impact of some of the workarounds on systems with 15 character, or longer, system names. We’ve also noted that it is possible for a user with valid logon credentials to access the vulnerability over port 445. As always, we’re continuing to work around the clock to monitor the situation closely, continue our technical investigations and develop a security update to address this issue.
Exploit code for DNS exploit on 445
Microsoft DNS Server Remote Code Execution Exploit and analysis. This remote exploit works against port 445 (the Microsoft RPC API is also used).
Author:
* Mario Ballano && Andres Tarasco
1. http://www.514.es/Microsoft_Dns_Server_Exploit.zip
2. http://www.48bits.com/exploits/dnsxpl.rar
3. http://www.milw0rm.com/sploits/04152007-dnsxpl.rar
Exploits for Windows Server DNS flaw released
Although a Metasploit module has been released, and other code is available on exploit sites such as Milw0rm, attacks are few because the DNS server is generally not publicly facing, according to Ken Dunham, director of the Rapid Response Team at VeriSign iDefense.
Dunham said in a Saturday email that intranets have the greatest risk of exploitation.
"It is feasible that a bot may (spread through an intranet) to exploit vulnerable computers within the network to help it spread," he said. "For example, a bot may be programmed to spread through the recent ANI exploit to infect clients with bots and then use the zombie to exploit DNS RPC against the local domain controller to gain complete control over the entire network."
Microsoft updated its advisory on Sunday, noting that attackers can access the vulnerability over port 445 if they have valid login credentials.
-- via SC Magazine
Metasploit DNS Exploit Released
More details - Metasploit DNS exploit
  # Excerpt of the module's initialize method; the remaining metadata
  # (author, references, targets, payload) is not reproduced here.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft DNS RPC Service extractQuotedChar() Overflow',
      'Description' => %q{
        This module exploits a stack overflow in the RPC interface
        of the Microsoft DNS service. The vulnerability is triggered when
        a long zone name is supplied that contains escaped characters. This
        exploit will NOT work on Windows 2003 SP1 or SP2 if hardware DEP is
        enabled.
      }
    ))
  end
Turn off RPC management of DNS on all DCs
Details on Jesper's blog
Microsoft recommends you mitigate the problem by disabling RPC management on DNS. They give the switch to do that, but no script to do it on a large number of DCs or DNS servers.
Here is how you do it on scale:
1. Generate a list of all your DCs or DNS servers. Put it in a file called DCList.txt. You can generate this list by right-clicking the Domain Controllers OU and selecting "Export List..." If you have a more complicated list, write a query to get them. Below I show how to do that.
2. Log on as an Enterprise Admin (or a domain admin if you only have one domain)
3. Run this command in the directory where you put the DCList.txt file
for /f %i in (DCList.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4
That will change the setting. To set it back to the original you would run this command instead:
for /f %i in (DCList.txt) do reg delete \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /f
Both changes require you to stop and restart the DNS service. You can use these commands for that:
for /f %i in (DCList.txt) do sc \\%i stop DNS
for /f %i in (DCList.txt) do sc \\%i start DNS
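As an added check that is not part of Jesper's post or Microsoft's guidance, the PowerShell script below reads the same DCList.txt and reports, per server, whether RpcProtocol is actually set to 4 and what state the DNS service is in (the registry change only takes effect after the restart), and flags hosts whose names are 15 characters or longer, which the advisory update singles out. It assumes Windows PowerShell 5.1, the Remote Registry service reachable on each host, and an account with rights to read the remote registry and query services.

```powershell
# Added audit script (not from the original post): verifies the RpcProtocol
# workaround across the servers listed in DCList.txt.
param(
    [string]$ListPath = '.\DCList.txt'   # same list file the post uses
)

$subKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsRpcWorkaround {
    param([string]$ComputerName)

    $result = [ordered]@{
        Host        = $ComputerName
        RpcProtocol = $null
        Status      = 'Unknown'
        DnsService  = 'Unknown'
        Note        = ''
    }
    try {
        # Remote registry read; requires the Remote Registry service on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey($subKey)
        if ($null -eq $key) {
            $result.Status = 'NoDnsParametersKey'   # DNS role probably not installed
        } else {
            $value = $key.GetValue('RpcProtocol')
            $result.RpcProtocol = $value
            # The post sets RpcProtocol to 4; an absent or different value means
            # the DNS RPC interface is still reachable remotely.
            $result.Status = if ($value -eq 4) { 'Mitigated' } else { 'NotMitigated' }
            $key.Close()
        }
        $hklm.Close()
        # A changed value is only effective once the DNS service has been restarted.
        $svc = Get-Service -ComputerName $ComputerName -Name DNS -ErrorAction Stop
        $result.DnsService = $svc.Status.ToString()
    } catch {
        $result.Status = 'Error'
        $result.Note = $_.Exception.Message
    }
    # The advisory update mentions workaround side effects on hosts with system
    # names of 15 or more characters; flag them for separate review.
    if ($ComputerName.Length -ge 15) {
        $result.Note += ' [name >= 15 chars: review advisory note]'
    }
    [pscustomobject]$result
}

Get-Content $ListPath | Where-Object { $_.Trim() } | ForEach-Object {
    Test-DnsRpcWorkaround -ComputerName $_.Trim()
} | Format-Table -AutoSize
```

Run it once after the reg add loop and again after the service restarts; any row that is not Mitigated with DnsService Running still exposes the RPC interface.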