WINNT DNS advisory.
###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.
Secure Networks Inc.
Security Advisory
January 26, 1997
Denial of Service attack against Windows NT DNS servers
While doing research and testing for our upcoming security auditing
package we became aware of a problem in the Microsoft DNS server
distributed with Windows NT version 4.0.
The Problem:
~~~~~~~~~~~
Microsoft DNS service terminates abnormally when it receives a
response to a DNS query that was never made.
Impact:
~~~~~~
Remote users can cause a denial of DNS service.
Details:
~~~~~~~~
When this unexpected response packet is received dns.exe exits
saying (on my machine) :
'The instruction at "0x77f6748f" referenced memory at "0x0000000c"
The memory could not be "written"'
If I choose to debug at this point I get to discover that the command
it crashes on is :
77f6748f inc dword ptr [edx+04]
The format of a DNS packet is as follows: (taken from rfc-1035)
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where applicable fields are:
ID              A 16 bit identifier assigned by the program that
                generates any kind of query. This identifier is copied to
                the corresponding reply and can be used by the requester
                to match up replies to outstanding queries.

QR              A one bit field that specifies whether this message is a
                query (0), or a response (1).
While parsing the newly arrived packet, DNS.exe finds that the QR bit,
which it expected to mark the packet as a query, instead marks it as a
response, one that it never asked for. DNS will promptly crash.
More specifically, DNS will crash when QR is set true in the DNS Query.
This problem does not appear to be exploitable as anything other
than a denial of service.
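The check the advisory describes as missing is a small one: a server's receive path should look at the QR bit and, for a response, at whether the ID matches a query it actually has outstanding before handing the packet to response-processing code. The following header parser and receive-path classifier is an added illustration written for this page, not code from Secure Networks or Microsoft. The packets it feeds itself are constructed samples; the names `build_header`, `parse_header`, `classify` and the `outstanding` set (standing in for a resolver's pending-query table) are this example's own.

```python
import struct
from dataclasses import dataclass

# Constructed sample question section (not from the advisory):
# QNAME "example.com" as length-prefixed labels, QTYPE A, QCLASS IN.
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"


def build_header(ident, qr, opcode=0, rd=1, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte RFC 1035 header; qr=0 marks a query, qr=1 a response."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


@dataclass
class DnsHeader:
    ident: int
    qr: int
    opcode: int
    aa: int
    tc: int
    rd: int
    ra: int
    z: int
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(packet):
    """Unpack the fixed header laid out in the RFC 1035 diagram above."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return DnsHeader(
        ident=ident,
        qr=(flags >> 15) & 1,
        opcode=(flags >> 11) & 0xF,
        aa=(flags >> 10) & 1,
        tc=(flags >> 9) & 1,
        rd=(flags >> 8) & 1,
        ra=(flags >> 7) & 1,
        z=(flags >> 4) & 0x7,
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(packet, outstanding):
    """Decide what a server's receive path does with an incoming packet.

    `outstanding` is the set of IDs of queries this server itself sent (when
    acting as a resolver) and has not yet been answered. A response whose ID
    is not in that set was never asked for, so it is dropped instead of being
    passed to the response-processing code that dns.exe crashed in.
    """
    hdr = parse_header(packet)
    if hdr.qr == 0:
        return "query"                       # normal client traffic
    if hdr.ident in outstanding:
        outstanding.discard(hdr.ident)       # matched an answer we were waiting for
        return "response"
    return "drop-unsolicited-response"       # QR=1 but no matching query


if __name__ == "__main__":
    pending = {0x1234}
    for label, pkt in [
        ("client query", build_header(0x1234, qr=0) + QUESTION),
        ("expected reply", build_header(0x1234, qr=1, ancount=1) + QUESTION),
        ("unsolicited reply", build_header(0xBEEF, qr=1) + QUESTION),
    ]:
        print(f"{label:18s} -> {classify(pkt, pending)}")
```

Run stand-alone it prints the three verdicts; the third packet is exactly the case the advisory describes, and the correct outcome is a silent drop (ideally counted, so a burst of them shows up in monitoring) rather than a crash.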
Fix Information:
~~~~~~~~~~~~~~~~
1. Service Pack 3, due out this quarter, will contain a fix.
2. Run your DNS service on a different platform.
Systems Affected:
~~~~~~~~~~~~~~~~
Microsoft Windows NT systems running the Microsoft DNS service.
WinNT 4 - Server              Vulnerable
WinNT 4 - Workstation         No DNS service ships with WinNT Workstation
WinNT 3.51 - Server           DNS does not ship with WinNT 3.51
WinNT 3.51 - Workstation      DNS does not ship with WinNT 3.51
Attributions:
~~~~~~~~~~~~~
- Jim Kelly <jimk@microsoft.com> at Microsoft for his prompt
attention to this matter.
Additional Information:
~~~~~~~~~~~~~~~~~~~~~~
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
You can find Secure Networks advisories at ftp://ftp.secnet.com/pub/advisories
You can browse our web site at http://www.secnet.com/ and not have to remember long pathnames.
You can contact the author of this advisory at jwilkins@secnet.com
My PGP Key is :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 4.5
mQCNAi4vYzUAAAEEAMyO8P55B4bpCEe1xjIOdTQWiW3CSEjzTcHDFnW4Yoz0/zAI
d+3gNJVYxzhmvywNh6NQhxg1Agob8Xu7n5MnlUHt8TyK6qw0PJ539G3+kqaPrWmo
C6utR1iXzPQdu1jJ8xAf/FC4WD1oEhifNf75UlQZHXHiPTbJAbTl3s+VYMi5AAUR
tClKb25hdGhhbiBQLiBXaWxraW5zIDxqd2lsa2luc0BzZWNuZXQuY29tPg==
=dXkL
-----END PGP PUBLIC KEY BLOCK-----
RFCs (Requests for Comments) are available at
http://ds.internic.net/rfc/
The DNS RFC is
http://ds.internic.net/rfc/rfc1035.txt
and was written by P. Mockapetris.
Copyright Notice:
~~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc.
and may be distributed freely provided that no fee is charged for this
distribution, and proper credit is given.
Windows NT and WinNT are trademarks of Microsoft.
-----BEGIN PGP SIGNATURE-----
Version: 4.5
iQCVAgUBMuvaw7Tl3s+VYMi5AQFu6gP/bBjc9ZMy6JhlbeqvlrSmdrrMvmQ8txE8
rlD/lYQAw0FUtAwHfCiNBkwHkup9vzsCVgqg0c8OzzNrLevAIfc4ZdsYZlTCRJcB
pcYSj819sRxdbBR4qZh1kov/IH6bvTGePjo6Efsh4zyP/KfnV1VB+vklb9Z4Z5Bz
rOaT4fajfJc=
=rwm2
-----END PGP SIGNATURE-----