04.15.07
The DNS Vuln
It's amazing how quickly the community can respond... In the past 24 hours I've seen exploits from three sources for this vulnerability. We've got an exploit for Metasploit, an exploit written in Python and one written in C. (I considered whether or not I'd link to these but since they're all publicly available... I might as well). Here are a couple of images of the exploit.
Exploit executed in Metasploit: [screenshot]
Looking at the process on the vulnerable box: [screenshot]
So here's the information we've got from all the various sources:
- The vulnerable function is: extractQuotedChar()
- This function is reached via:
  - Interface: 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
  - Operation: DnssrvQuery
  - OpCode: 0x01
- The attack can be performed anonymously against the listening RPC interface (a TCP port between 1024 and 5000).
- The attack can also be performed with credentials against port 445.
- Original attacks: April 4th and 5th against two US universities
- Original attack details (Source):
  - Shellcode binds to TCP port 1100.
  - Attacker uploads a VBScript on this port and then runs it.
  - VBScript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 203.66.151.92/images/.
  - Executable is self-extracting and contains PWDUMP v5 and an associated DLL.
- Microsoft Advisory (including mitigation information)
- Mitigation: How to script the mitigation technique across an entire domain.
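The indicators above (anonymous RPC on a TCP port between 1024 and 5000, the credentialed path over 445, the bind shell on TCP 1100, and the follow-on download from 203.66.151.92) lend themselves to a simple log-matching check. The script below is an added example and not code from the post or from any of the exploit authors; the firewall log format, the internal address ranges, the DNS server addresses and the sample log lines are all constructed for illustration, while the ports, download host and DUP.EXE MD5 are the values the post lists. It goes slightly beyond the post by also flagging the port-445 path and by checking a file hash against the published MD5.

```python
"""Match firewall log lines against the Windows DNS RPC attack chain indicators.

Added example. Log format, internal ranges, DNS server addresses and sample
lines are constructed; ports, download host and MD5 come from the post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: addresses of the internal Windows DNS servers being watched.
DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}
# Constructed: address space considered "internal"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Values from the post.
RPC_PORT_RANGE = range(1024, 5001)   # listening RPC interface, TCP 1024-5000
SMB_PORT = 445                       # credentialed path
BIND_SHELL_PORT = 1100               # shellcode binds here
DOWNLOAD_HOST = "203.66.151.92"      # DUP.EXE served from here
DUP_EXE_MD5 = "a5ae220fec052a1f2cd22b4eb89a442e"

# Constructed log format: "<ts> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    rule: str
    src: str
    dst: str
    dport: int


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> list[Finding]:
    """Return every indicator a single accepted TCP log line matches."""
    m = LOG_RE.match(line.strip())
    if not m or m["action"] != "ACCEPT" or m["proto"] != "TCP":
        return []
    ts, src, dst, dport = m["ts"], m["src"], m["dst"], int(m["dport"])
    found: list[Finding] = []
    # Anonymous path: external host reaching a DNS server's RPC listener.
    if dst in DNS_SERVERS and dport in RPC_PORT_RANGE and is_external(src):
        found.append(Finding(ts, "external-to-dns-rpc-port", src, dst, dport))
    # Credentialed path: external host reaching a DNS server over 445.
    if dst in DNS_SERVERS and dport == SMB_PORT and is_external(src):
        found.append(Finding(ts, "external-to-dns-smb-445", src, dst, dport))
    # Bind shell: anything at all connecting to TCP 1100 on a DNS server.
    if dst in DNS_SERVERS and dport == BIND_SHELL_PORT:
        found.append(Finding(ts, "bind-shell-port-1100", src, dst, dport))
    # Stage two: a DNS server contacting the known download host.
    if src in DNS_SERVERS and dst == DOWNLOAD_HOST:
        found.append(Finding(ts, "download-host-contact", src, dst, dport))
    return found


def scan(lines) -> list[Finding]:
    """Run classify() over an iterable of log lines and collect findings."""
    out: list[Finding] = []
    for line in lines:
        out.extend(classify(line))
    return out


def hash_matches_dup_exe(md5_hex: str) -> bool:
    """Compare a file's MD5 (hex) against the published DUP.EXE hash."""
    return md5_hex.strip().lower() == DUP_EXE_MD5


# Constructed sample log: one walk through the chain plus benign noise.
SAMPLE_LOG = [
    "2007-04-15T10:00:01 ACCEPT TCP 198.51.100.23:40001 -> 10.0.0.10:1045",
    "2007-04-15T10:00:04 ACCEPT TCP 198.51.100.23:40002 -> 10.0.0.10:1100",
    "2007-04-15T10:00:09 ACCEPT TCP 10.0.0.10:49152 -> 203.66.151.92:80",
    "2007-04-15T10:01:00 ACCEPT UDP 192.0.2.7:5353 -> 10.0.0.10:53",
    "2007-04-15T10:01:30 ACCEPT TCP 10.0.0.55:3000 -> 10.0.0.10:1045",
    "2007-04-15T10:02:00 DROP TCP 198.51.100.23:40003 -> 10.0.0.11:445",
    "2007-04-15T10:03:00 ACCEPT TCP 198.51.100.23:40004 -> 10.0.0.11:445",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.rule}: {f.src} -> {f.dst}:{f.dport}")
```

Note that TCP 1100 sits inside the 1024-5000 range, so an external connection to the bind shell fires both the RPC-port rule and the bind-shell rule; that is intentional, since the second is the higher-confidence signal. The first two rules only look at external sources; for the internal-only DNS-on-DC case, drop the `is_external()` condition and accept the extra noise from legitimate RPC clients.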
Now I guess the question remains, "Will we see an Out-of-Band Update to fix this issue?"
It's an interesting question because the views are so varied on the seriousness of this issue. An example of this debate is this thread on the dns-operations mailing list.
So it's fair to assume that this won't be a HUGE issue... as others have said this won't be Slammer or Code Red. That doesn't mean this isn't a serious issue. I also question the flawed logic I've seen, on various discussion boards, mailing lists and even in conversations with friends, on who this will affect and why this would "only affect idiots".
I think the people making these assumptions are from corporate environments and the actual IS industry... They're forgetting about small and medium businesses. I think this has much more serious consequences in the SMB environment. Let's think about the number of SMBs out there... how many of these businesses have purchased SBS Server and popped it into their network. SBS is a security nightmare... all of your services on your domain controller, including Exchange, and the user told to place it live on the internet. I've walked into environments where the SBS is plugged into a Linksys router and that router is plugged into the internet connection. One might think, "Well, the router will filter the affected ports"... right and wrong. The environments I've seen have been too lazy (or lacked the knowledge) to properly configure the router and set up port forwarding for things like Exchange. Instead they've simply put the SBS on the DMZ, opening it up to the world... and to vulnerabilities such as this one.
So I am concerned by this... should someone decide to create a worm, that's a large number of zombied computers that they could have... A growing botnet based on insecure SMBs. It may not be an extraordinary number of computers but it would be substantial. I'd wager a guess that given a) the number of businesses that have slapped a setup together and b) the number of businesses that have relied on "on-site computer service professionals" that there are a large number of vulnerable computers sitting and waiting to be exploited.
Do I think this will ever be turned into a worm? Nope. Do I think this is serious and dangerous? You bet. I guess only time will tell.


LonerVamp said,
April 16, 2007 at 10:09 am
There could be an insider case made as well. I know our DCs double as our internal-only DNS servers. This vuln in the DNS means our DCs could be popped internally. The only real solution (for us, I think) is to migrate DNS off the DCs. But that’s not something the team wants to do, so we’ll just wait for a patch. My IPS should notice this attack, thankfully.
I’d be curious if this turns into a worm. I think a worm that combines mass-mail along with internet/intranet scanning could be pretty damaging.
Code Red, no. But I think the number of Windows DNS servers is underestimated. Externally, no, but internally, there’s a lot of them…and they’re likely all in the very soft underbelly of networks making them very juicy indeed…
Post the damned VERT solution. And yes, while I got your email, I just haven’t had time or luck with that challenge. :\
.:Computer Defense:. » RPC DNS Worm said,
April 17, 2007 at 9:59 am
[...] Yesterday I questioned if we’d see a worm related to the RPC DNS Vuln… [...]