[dns-operations] "Cybercrooks exploiting new Windows DNS flaw"

Douglas Otis dotis at mail-abuse.org
Fri Apr 13 21:22:38 UTC 2007


On Apr 13, 2007, at 1:53 PM, Florian Weimer wrote:

> * Florian Weimer:
>
>>> Since that port is needed to be open to allow visitors to the
>>> website, there would be no firewall filtering preventing exploitation.
>>> But to be able to exploit this new vulnerability an attacker would
>>> need to access the Windows RPC ports (1024-5000) which firewalls
>>> located at network perimeters should be blocking.
>>
>> It's not that simple.  The resolver component opens a UDP port in
>> this range, so you can't simply block all of them.
>>
>> And if your firewall is stateful, but too permissive, you might be
>> able to play games with SIP and things like that.
>
> Just to clarify: I haven't got a shred of evidence that the vector is
> actually UDP-based.  Microsoft is silent on the issue, CMU CERT/CC
> says it's TCP-based.  And in the past, the attack vectors described
> were often proved wrong. 8-(
>
> Regarding mitigation: There's currently not enough public information
> on what to do.  I'm not even sure how many publicly accessible Windows
> resolvers are out there, but let's see if we can get some numbers.

Unless Microsoft has changed their internal networks, DNS itself is
not done using port 53.  DNS starts as RPC calls translated at a
border server into proper DNS.  This would tend to make disabling RPC
(option II) somewhat problematic.  The threat is likely related to
infected systems inside the firewall.  Assume there are always
infected systems inside any firewall.  An infected system would then
be able to poison the enterprise DNS, where greater damage becomes
possible.

-Doug
