[dns-operations] Wormable RCE in MS Windows DNS Server CVE-2020-1350
Alexander Bochmann
ab at lists.gxis.de
Mon Jul 20 07:51:55 UTC 2020
...on Wed, Jul 15, 2020 at 10:55:27AM -0400, Phil Pennock wrote:
> For anyone whose organization has some MS Windows servers running a DNS
> server, you might care about a CVSS 10.0 wormable Remote Code Execution
> vulnerability:
> https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
I've been wondering if this is exploitable when a Windows DNS server
is not able to contact an authoritative server that sends the
malicious reply.
In the scenario described by Check Point in their writeup, it looks
as if Windows DNS servers will try to directly ask a cached authority
even if they're configured for forwarding:
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Would other nameservers drop a reply where this scheme with pointer
compression resulting in a very large Signer's Name field is
being used? It doesn't look invalid as such.
Alex.
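As an added illustration of the "doesn't look invalid as such" point (this is example code, not from the post above or from the Check Point writeup): a small RFC 1035 name decompressor and a SIG/RRSIG RDATA parser run over a constructed reply in which the Signer's Name is a 2-byte compression pointer back to a 255-byte owner name. The parser accepts the message, because backward pointers and 255-byte names are both within the wire format; the only thing it flags is the gap between what RDLENGTH accounts for (2 bytes) and what a decompressing parser has to store (255 bytes). The malformed cases it does reject (forward pointers, pointer loops, names over 255 bytes, truncation) are the checks a conservative resolver applies; all packet bytes and field values are constructed for the example.

```python
import struct

MAX_NAME_LEN = 255   # RFC 1035 2.3.4: a wire-format name is at most 255 bytes

def encode_name(name):
    """Uncompressed wire form of a dotted name: 'a.b.' -> b'\\x01a\\x01b\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    out.append(0)
    return bytes(out)

def read_name(packet, offset):
    """Parse a (possibly compressed) name at `offset`.

    Returns (text, wire_len, expanded_len): the bytes the field occupies at
    `offset` (2 for a bare pointer) and the bytes the same name needs when
    written out without compression. Malformed input raises ValueError.
    """
    labels, pos, wire_len, expanded, seen = [], offset, None, 0, set()
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(packet):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                          # RFC 1035: prior occurrence only
                raise ValueError("forward pointer")
            if target in seen:
                raise ValueError("pointer loop")
            seen.add(target)
            if wire_len is None:
                wire_len = pos + 2 - offset
            pos = target
            continue
        if length & 0xC0:                              # 0x40/0x80 label types are reserved
            raise ValueError("unsupported label type")
        expanded += 1 + length
        if expanded > MAX_NAME_LEN:
            raise ValueError("expanded name exceeds 255 bytes")
        if length == 0:                                # root label terminates the name
            return ".".join(labels) + ".", wire_len or pos + 1 - offset, expanded
        if pos + 1 + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

# SIG/RRSIG fixed part: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag (RFC 2535 4.1 / RFC 4034 3.1), then the
# Signer's Name, then the signature up to the end of RDATA.
SIG_FIXED = struct.Struct("!HBBIIIH")

def parse_sig_rdata(packet, rdata_off, rdlength):
    """Return on-wire vs. expanded sizes for the Signer's Name of a SIG RR."""
    end = rdata_off + rdlength
    if rdlength < SIG_FIXED.size or end > len(packet):
        raise ValueError("bad RDLENGTH")
    type_covered, alg, _labels, _ttl, _exp, _inc, key_tag = SIG_FIXED.unpack_from(packet, rdata_off)
    signer, wire_len, expanded = read_name(packet, rdata_off + SIG_FIXED.size)
    sig_off = rdata_off + SIG_FIXED.size + wire_len
    if sig_off > end:
        raise ValueError("Signer's Name runs past RDLENGTH")
    return {
        "type_covered": type_covered, "algorithm": alg, "key_tag": key_tag,
        "signer": signer,
        "signer_wire_len": wire_len,          # what RDLENGTH accounts for
        "signer_expanded_len": expanded,      # what a decompressing parser must store
        "signature_len": end - sig_off,
        "expanded_rdata_len": SIG_FIXED.size + expanded + (end - sig_off),
    }

def build_demo_packet():
    """Constructed reply: 255-byte owner name in the question, SIG answer whose
    Signer's Name is a pointer to it. Returns (packet, rdata_off, rdlength)."""
    header = b"\x12\x34\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
    owner = encode_name(".".join(["a" * 63] * 3 + ["b" * 61]))   # 3*64 + 62 + 1 = 255
    assert len(owner) == MAX_NAME_LEN
    question = owner + struct.pack("!HH", 24, 1)                 # QTYPE=SIG, QCLASS=IN
    owner_ptr = struct.pack("!H", 0xC000 | len(header))          # pointer to offset 12
    rdata = SIG_FIXED.pack(1, 13, 4, 3600, 0, 0, 12345) + owner_ptr + b"\x00" * 64
    answer = owner_ptr + struct.pack("!HHIH", 24, 1, 3600, len(rdata))
    packet = header + question + answer + rdata
    return packet, len(header) + len(question) + len(answer), len(rdata)

def demo():
    packet, rdata_off, rdlength = build_demo_packet()
    return parse_sig_rdata(packet, rdata_off, rdlength)

def rejects(name_bytes):
    """True if read_name refuses `name_bytes` (used for the malformed cases)."""
    try:
        read_name(name_bytes, 0)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    info = demo()
    print(f"Signer's Name: {info['signer_wire_len']} bytes on the wire, "
          f"{info['signer_expanded_len']} bytes expanded; RDATA grows from "
          f"{SIG_FIXED.size + info['signer_wire_len'] + info['signature_len']} "
          f"to {info['expanded_rdata_len']} bytes once decompressed")
```

The point of the two size fields in the result is that any code sizing a buffer from RDLENGTH alone under-counts by the difference between `signer_wire_len` and `signer_expanded_len`; a parser that sizes from the expanded name (as `read_name` does, with the 255-byte cap) has nothing to reject here, which matches the observation that such a reply is not malformed as such.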