SNI-05.WINNT_DNS.advisory

Posted Sep 23, 1999

WINNT DNS advisory.

systems | windows
SHA-256 | f8c6bdff7b1d5fa8e698680dec95c56aead8294d4040dd35d7e5236d7499f14c
###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.

Secure Networks Inc.

Security Advisory
January 26, 1997

Denial of Service attack against Windows NT DNS servers

While doing research and testing for our upcoming security auditing
package, we became aware of a problem in the Microsoft DNS server
distributed with Windows NT version 4.0.

The Problem:
~~~~~~~~~~~

The Microsoft DNS service terminates abnormally when it receives a
response to a DNS query that it never made.

Impact:
~~~~~~
Remote users can cause a denial of DNS service.

Details:

When this unexpected response packet is received, dns.exe exits
with the following message (on my machine):

'The instruction at "0x77f6748f" referenced memory at "0x0000000c".
The memory could not be "written"'

If I choose to debug at this point, I discover that the instruction
it crashes on is:

77f6748f inc dword ptr [edx+04]


The format of a DNS message header is as follows (taken from RFC 1035,
section 4.1.1):

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where the applicable fields are:

ID A 16 bit identifier assigned by the program that
generates any kind of query. This identifier is copied into
the corresponding reply and can be used by the requester
to match up replies to outstanding queries.

QR A one bit field that specifies whether this message is a
query (0), or a response (1).

While parsing the newly arrived packet, dns.exe finds that the QR bit
is set: instead of the expected query, the message is a response, and
one that the server never asked for. DNS will promptly crash.

More specifically, DNS will crash when the QR bit is set (1) in a
message delivered to the server's query port; the rest of the packet
can be an ordinary query.

This problem does not appear to be exploitable as anything other
than a denial of service. The faulting instruction writes through
edx+4 to address 0x0000000c, so edx held 0x00000008; a write through
a null (or near-null) structure pointer is consistent with that
assessment.
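The following is an added example, not code from the advisory or from Microsoft. It packs and parses the RFC 1035 header shown above, builds the kind of packet the advisory describes (a normal query with the QR bit set, so it arrives at the server as a response nobody asked for), and shows the two acceptance checks a robust implementation applies before the message reaches the parser: a server socket rejects anything with QR=1, and a resolver accepts only QR=1 messages whose ID matches a query it actually sent. The function names, the transaction ID 0x1234 and the name www.example.com are this example's own choices.

```python
"""Added example (not part of SNI-05): RFC 1035 header handling and the
QR / ID checks that keep an unsolicited response away from the parser."""
import struct

# RFC 1035 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER_FMT = "!HHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def encode_name(name):
    """Encode a dotted hostname as RFC 1035 length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_message(ident, qname, qtype=1, qclass=1, qr=0, rd=1):
    """Build a one-question DNS message. qr=0 is a query; qr=1 turns the
    same bytes into the unsolicited 'response' the advisory describes."""
    flags = (qr << 15) | (rd << 8)          # QR is bit 15, RD is bit 8
    header = struct.pack(HEADER_FMT, ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_header(data):
    """Split the 12-byte header into its RFC 1035 fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def server_should_accept(data):
    """A server's query socket only ever receives queries: QR must be 0.
    This is the check whose absence lets the packet reach the crashing code."""
    try:
        header = parse_header(data)
    except ValueError:
        return False
    return header["qr"] == 0


def resolver_should_accept(data, outstanding_ids):
    """A resolver accepts only responses (QR=1) whose ID matches a query
    it has actually sent; anything else is unsolicited and is dropped."""
    try:
        header = parse_header(data)
    except ValueError:
        return False
    return header["qr"] == 1 and header["id"] in outstanding_ids


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate query and the QR=1 trigger.
    query = build_message(0x1234, "www.example.com")
    trigger = build_message(0x1234, "www.example.com", qr=1)
    print("query accepted by server:  ", server_should_accept(query))     # True
    print("trigger accepted by server:", server_should_accept(trigger))   # False
    print("trigger header:", parse_header(trigger))
```

The trigger differs from the ordinary query by a single bit (the flags word is 0x8100 instead of 0x0100), which is why a server that dispatches on the rest of the packet before looking at QR ends up treating a query body as a response to a transaction it never created.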


Fix Information:

1. Service Pack 3, due out this quarter, will contain a fix.
2. Run your DNS service on a different platform.

Systems Affected:
~~~~~~~~~~~~~~~~

Microsoft Windows NT systems running the Microsoft DNS service.

WinNT 4 - Server
Vulnerable

WinNT 4 - Workstation
No DNS service ships with WinNT Workstation

WinNT 3.51 - Server
DNS does not ship with WinNT 3.51

WinNT 3.51 - Workstation
DNS does not ship with WinNT 3.51


Attributions:
~~~~~~~~~~~~~
- Jim Kelly <jimk@microsoft.com> at Microsoft for his prompt
attention to this matter.

Additional Information:
~~~~~~~~~~~~~~~~~~~~~~
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
You can find Secure Networks advisories at ftp://ftp.secnet.com/pub/advisories
You can browse our web site at http://www.secnet.com/ and not have to remember long pathnames.

You can contact the author of this advisory at jwilkins@secnet.com
My PGP Key is :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 4.5

mQCNAi4vYzUAAAEEAMyO8P55B4bpCEe1xjIOdTQWiW3CSEjzTcHDFnW4Yoz0/zAI
d+3gNJVYxzhmvywNh6NQhxg1Agob8Xu7n5MnlUHt8TyK6qw0PJ539G3+kqaPrWmo
C6utR1iXzPQdu1jJ8xAf/FC4WD1oEhifNf75UlQZHXHiPTbJAbTl3s+VYMi5AAUR
tClKb25hdGhhbiBQLiBXaWxraW5zIDxqd2lsa2luc0BzZWNuZXQuY29tPg==
=dXkL
-----END PGP PUBLIC KEY BLOCK-----


RFCs (Requests for Comments) are available at
http://ds.internic.net/rfc/
The DNS RFC is
http://ds.internic.net/rfc/rfc1035.txt
and was written by P. Mockapetris.


Copyright Notice:
~~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc.
and may be distributed freely provided that no fee is charged for this
distribution, and proper credit is given.

Windows NT and WinNT are trademarks of Microsoft.


-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQCVAgUBMuvaw7Tl3s+VYMi5AQFu6gP/bBjc9ZMy6JhlbeqvlrSmdrrMvmQ8txE8
rlD/lYQAw0FUtAwHfCiNBkwHkup9vzsCVgqg0c8OzzNrLevAIfc4ZdsYZlTCRJcB
pcYSj819sRxdbBR4qZh1kov/IH6bvTGePjo6Efsh4zyP/KfnV1VB+vklb9Z4Z5Bz
rOaT4fajfJc=
=rwm2
-----END PGP SIGNATURE-----
