Secure Networks Inc. Security Advisory
January 26, 1997

Denial of Service attack against Windows NT DNS servers

While doing research and testing for our upcoming security auditing package
we became aware of a problem in the Microsoft DNS server distributed with
Windows NT version 4.0.

The Problem:
~~~~~~~~~~~~

Microsoft DNS service terminates abnormally when it receives a response to a
DNS query that was never made.

Impact:
~~~~~~~

Remote users can cause a denial of DNS service.

Details:
~~~~~~~~

When this unexpected response packet is received, dns.exe exits saying (on
my machine):

  'The instruction at "0x77f6748f" referenced memory at "0x0000000c"
   The memory could not be "written"'

If I choose to debug at this point I get to discover that the instruction
it crashes on is:

  77f6748f  inc dword ptr [edx+04]

The format of the DNS packet header is as follows (taken from RFC 1035):

                                  1  1  1  1  1  1
    0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                      ID                       |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    QDCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    ANCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    NSCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
  |                    ARCOUNT                    |
  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where the applicable fields are:

ID      A 16 bit identifier assigned by the program that generates any kind
        of query. This identifier is copied to the corresponding reply and
        can be used by the requester to match up replies to outstanding
        queries.

QR      A one bit field that specifies whether this message is a query (0),
        or a response (1).

While parsing the newly arrived packet, DNS.exe discovers that instead of
the expected bit indicating that this is a query packet, this is in fact a
response packet, one that it didn't ask for. DNS will promptly crash.
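The check a DNS server needs at this point is simple: decode the 12-octet
header above, and if QR says "response", only proceed when the ID matches a
query the server itself sent; anything else is logged and dropped before any
response-handling state is touched. The following is an added example of
that defensive parse, written for this advisory; it is not Secure Networks'
or Microsoft's code. The function names (parse_header, classify,
process_inbound), the "outstanding" table of sent query IDs, and all sample
packet bytes are constructed for the illustration.

```python
"""
Defensive RFC 1035 header parsing (added example, not the advisory's code).
Classifies each inbound packet so that an unsolicited response (QR=1 with no
matching outstanding query) is dropped and logged instead of being handed to
response processing.  All packet bytes below are constructed samples.
"""
import struct
from dataclasses import dataclass

HEADER_LEN = 12  # RFC 1035 section 4.1.1: the fixed header is 12 octets


@dataclass(frozen=True)
class DnsHeader:
    id: int
    qr: int      # 0 = query, 1 = response
    opcode: int
    aa: int
    tc: int
    rd: int
    ra: int
    z: int       # reserved, must be zero
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(packet: bytes) -> DnsHeader:
    """Decode the 12-octet header; raise ValueError on a truncated packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header: %d of %d octets" % (len(packet), HEADER_LEN))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    # Flag word layout, bit 15 down to bit 0: QR | Opcode(4) | AA TC RD RA | Z(3) | RCODE(4)
    return DnsHeader(
        id=ident,
        qr=(flags >> 15) & 0x1,
        opcode=(flags >> 11) & 0xF,
        aa=(flags >> 10) & 0x1,
        tc=(flags >> 9) & 0x1,
        rd=(flags >> 8) & 0x1,
        ra=(flags >> 7) & 0x1,
        z=(flags >> 4) & 0x7,
        rcode=flags & 0xF,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_header(ident: int, qr: int, opcode: int = 0, rd: int = 1,
                 rcode: int = 0, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Encode a header; used here only to construct the sample packets."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def classify(packet: bytes, outstanding: dict) -> str:
    """
    Decide what a server should do with one inbound packet.

    outstanding maps the ID of every query this server has itself sent (when
    acting as a resolver) to the name it asked about.  Returns one of:
      "malformed"            - too short to carry a header
      "query"                - QR=0, hand to the query path
      "response"             - QR=1 and the ID matches a query we sent
      "unsolicited-response" - QR=1 with no matching query: drop it
    The last case is the packet the advisory says crashes dns.exe.
    """
    try:
        hdr = parse_header(packet)
    except ValueError:
        return "malformed"
    if hdr.qr == 0:
        return "query"
    if hdr.id in outstanding:
        return "response"
    return "unsolicited-response"


def process_inbound(packets, outstanding: dict):
    """Classify a batch; return (accepted verdicts, dropped verdicts)."""
    accepted, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt, outstanding)
        if verdict in ("query", "response"):
            accepted.append(verdict)
        else:
            dropped.append(verdict)  # log and drop; never touch response state
    return accepted, dropped


# Constructed sample traffic (not captured from any real server).
OUTSTANDING = {0x1234: "example.com"}                        # a query we sent earlier
SAMPLE_QUERY = build_header(0xABCD, qr=0)                    # ordinary client query
SAMPLE_GOOD_RESPONSE = build_header(0x1234, qr=1, ancount=1)  # reply to our query
SAMPLE_BAD_RESPONSE = build_header(0xBEEF, qr=1, ancount=1)   # reply to no query at all
SAMPLE_SHORT = b"\x12\x34\x81"                               # truncated header

if __name__ == "__main__":
    for name, pkt in [("query", SAMPLE_QUERY), ("good response", SAMPLE_GOOD_RESPONSE),
                      ("unsolicited response", SAMPLE_BAD_RESPONSE), ("short", SAMPLE_SHORT)]:
        print("%-20s -> %s" % (name, classify(pkt, OUTSTANDING)))
```

The ID match is the minimum check; a production resolver would also compare
the source address/port and the question section against the outstanding
query before accepting a response, and would rate-limit the log line so that
a flood of unsolicited responses cannot itself become a nuisance.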
More specifically, DNS will crash when QR is set true in the DNS query.
This problem does not appear to be exploitable as anything other than a
denial of service.

Fix Information:
~~~~~~~~~~~~~~~~

1. Service Pack 3 (due out this quarter) will contain a fix.
2. Run your DNS service on a different platform.

Systems Affected:
~~~~~~~~~~~~~~~~~

Microsoft Windows NT systems running the Microsoft DNS service.

WinNT 4    - Server         Vulnerable
WinNT 4    - Workstation    No DNS service ships with WinNT Workstation
WinNT 3.51 - Server         DNS does not ship with WinNT 3.51
WinNT 3.51 - Workstation    DNS does not ship with WinNT 3.51

Attributions:
~~~~~~~~~~~~~

- Jim Kelly at Microsoft for his prompt attention to this matter.

Additional Information:
~~~~~~~~~~~~~~~~~~~~~~~

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
You can find Secure Networks advisories at ftp://ftp.secnet.com/pub/advisories
You can browse our web site at http://www.secnet.com/ and not have to
remember long pathnames.
You can contact the author of this advisory at jwilkins@secnet.com

My PGP Key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 4.5

mQCNAi4vYzUAAAEEAMyO8P55B4bpCEe1xjIOdTQWiW3CSEjzTcHDFnW4Yoz0/zAI
d+3gNJVYxzhmvywNh6NQhxg1Agob8Xu7n5MnlUHt8TyK6qw0PJ539G3+kqaPrWmo
C6utR1iXzPQdu1jJ8xAf/FC4WD1oEhifNf75UlQZHXHiPTbJAbTl3s+VYMi5AAUR
tClKb25hdGhhbiBQLiBXaWxraW5zIDxqd2lsa2luc0BzZWNuZXQuY29tPg==
=dXkL
-----END PGP PUBLIC KEY BLOCK-----

RFCs (Request for Comments) are available at http://ds.internic.net/rfc/
The DNS RFC is http://ds.internic.net/rfc/rfc1035.txt and was written by
P. Mockapetris.

Copyright Notice:
~~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc.
and may be distributed freely provided that no fee is charged for this
distribution, and proper credit is given.

Windows NT and WinNT are trademarks of Microsoft.
-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQCVAgUBMuvaw7Tl3s+VYMi5AQFu6gP/bBjc9ZMy6JhlbeqvlrSmdrrMvmQ8txE8
rlD/lYQAw0FUtAwHfCiNBkwHkup9vzsCVgqg0c8OzzNrLevAIfc4ZdsYZlTCRJcB
pcYSj819sRxdbBR4qZh1kov/IH6bvTGePjo6Efsh4zyP/KfnV1VB+vklb9Z4Z5Bz
rOaT4fajfJc=
=rwm2
-----END PGP SIGNATURE-----