[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Florian Weimer fw at deneb.enyo.de
Fri Apr 13 20:53:37 UTC 2007


* Florian Weimer:

>> Since that port is needed to be open to allow visitors to the
>> website, there would be no firewall filtering preventing exploitation.
>> But to be able to exploit this new vulnerability an attacker would
>> need to access the Windows RPC ports (1024-5000) which firewalls
>> located at network perimeters should be blocking.
>
> It's not that simple.  The resolver component opens a UDP port in this
> range, so you can't simply block all of them.
>
> And if your firewall is stateful, but too permissive, you might be
> able to play games with SIP and things like that.

Just to clarify: I haven't got a shred of evidence that the vector is
actually UDP-based.  Microsoft is silent on the issue, CMU CERT/CC
says it's TCP-based.  And in the past, the attack vectors described
have often proved wrong. 8-(

Regarding mitigation: There's currently not enough public information
on what to do.  I'm not even sure how many publicly accessible Windows
resolvers are out there, but let's see if we can get some numbers.


