[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Florian Weimer fw at deneb.enyo.de
Fri Apr 13 20:02:08 UTC 2007

* Adam Stasiniewicz:

> This exploit looks a bit over hyped.  Relatively speaking, the exploit
> is nowhere near as bad as Code Red and equivalents.  Code Red for
> instance (which used an exploit in IIS) could infect a web server over
> TCP 80.  

As long as it's not Slammer. 8-/ This time, it would be close to
impossible to filter in the backbone.

> Since that port is needed to be open to allow visitors to the
> website, there would be no firewall filtering preventing exploitation.
> But to be able to exploit this new vulnerability an attacker would
> need to access the Windows RPC ports (1024-5000) which firewalls
> located at network perimeters should be blocking.

It's not that simple.  The resolver component opens a UDP port in this
range, so you can't simply block all of them.

And if your firewall is stateful, but too permissive, you might be
able to play games with SIP and things like that.

> Simply having access via the standard DNS ports (TCP/UDP 53) is not
> enough.  Because of this, the scope of the attack is limited to
> within LANs only.

I'm not sure if this is true.  DNS servers are often located in DMZs
with more permissive filtering.  Therefore, I hesitate to make any
claims about wormability or lack thereof.
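The filtering trade-off Florian describes, as an added example that is not part of the original post: a stateless rule that blocks everything inbound to the Windows RPC range also drops replies to the resolver's own queries, while a stateful filter admits only packets answering a recorded outbound flow. Addresses and port numbers are constructed for illustration.

```python
# Added example, not from the original post: toy model of the filtering
# trade-off discussed in the thread. Blocking all inbound packets to
# 1024-5000 statelessly also drops answers to the resolver's own queries,
# because the resolver's source port lies in that range; a stateful
# filter tracks outbound flows and lets only their replies back in.
# All addresses and ports below are constructed for illustration.

RPC_RANGE = range(1024, 5001)

# Packet: (proto, src_ip, src_port, dst_ip, dst_port, direction)
# direction is "out" (host -> Internet) or "in" (Internet -> host)

def stateless_allow(pkt):
    """Drop any inbound packet addressed to a port in the RPC range."""
    _proto, _sip, _sport, _dip, dport, direction = pkt
    return not (direction == "in" and dport in RPC_RANGE)

class StatefulFilter:
    """Remembers outbound flows so that only their replies are admitted."""
    def __init__(self):
        self.flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt):
        proto, sip, sport, dip, dport, direction = pkt
        if direction == "out":
            self.flows.add((proto, sip, sport, dip, dport))
            return True
        # Inbound: an answer to a flow we initiated is admitted ...
        if (proto, dip, dport, sip, sport) in self.flows:
            return True
        # ... anything else aimed at the RPC range is dropped.
        return dport not in RPC_RANGE

def simulate():
    """Run the same three packets through both filters."""
    host, ns, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    query = ("udp", host, 3456, ns, 53, "out")        # resolver query, ephemeral port 3456
    reply = ("udp", ns, 53, host, 3456, "in")         # legitimate answer to that query
    unsolicited = ("tcp", stranger, 40000, host, 1080, "in")  # uninvited probe of RPC range
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in (query, reply, unsolicited)],
        "stateful": [sf.allow(p) for p in (query, reply, unsolicited)],
    }

if __name__ == "__main__":
    print(simulate())  # stateless drops the DNS reply; stateful keeps it
```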
