[dns-operations] Wormable RCE in MS Windows DNS Server CVE-2020-1350

Alexander Bochmann ab at lists.gxis.de
Mon Jul 20 07:51:55 UTC 2020


...on Wed, Jul 15, 2020 at 10:55:27AM -0400, Phil Pennock wrote:

 > For anyone whose organization has some MS Windows servers running a DNS
 > server, you might care about a CVSS 10.0 wormable Remote Code Execution
 > vulnerability:
 >   https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

I've been wondering if this is exploitable when a Windows DNS server
is not able to contact an authoritative server that sends the
malicious reply.

In the scenario described by Checkpoint in their writeup, it looks
as if Windows DNS servers will try to directly ask a cached authority
even if they're configured for forwarding:
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Would other nameservers drop a reply where this scheme with pointer
compression resulting in a very large Signer's Name field is
being used? It doesn't look invalid as such.

Alex.
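As an added example (not part of this thread or of Checkpoint's writeup), here is the kind of check a resolver or passive DNS monitor can apply to answer Alex's question: decompress the Signer's Name of a SIG record following RFC 1035 pointer rules and reject it when the expanded name loops or exceeds the 255-octet limit. The sample messages, their offsets and the SIG_FIXED_RDATA constant (taken from the RFC 2535 RDATA layout) are constructed assumptions.

```python
import struct

MAX_NAME_LEN = 255    # RFC 1035 limit on an uncompressed wire-format name
SIG_FIXED_RDATA = 18  # RFC 2535 SIG RDATA fields that precede the Signer's Name


def read_name(msg: bytes, offset: int):
    """Decompress the name at offset. Returns (text, octets consumed in place,
    decompressed wire length); raises ValueError for malformed or oversized names."""
    labels, wire_len, pos, consumed, limit = [], 0, offset, None, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= limit:                         # must point strictly backwards
                raise ValueError("forward or looping compression pointer")
            if consumed is None:
                consumed = pos + 2 - offset
            pos = limit = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        wire_len += 1 + length                          # expanded size, not on-wire size
        if wire_len > MAX_NAME_LEN:
            raise ValueError("decompressed name exceeds 255 octets")
        if length == 0:
            if consumed is None:
                consumed = pos + 1 - offset
            return (".".join(labels) + "." if labels else "."), consumed, wire_len
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def signer_name(msg: bytes, rdata_offset: int):
    """(name, decompressed length) of the Signer's Name in SIG RDATA at rdata_offset."""
    name, _, wire_len = read_name(msg, rdata_offset + SIG_FIXED_RDATA)
    return name, wire_len


# Constructed samples (not captured traffic). OVERSIZED chains four 63-octet
# labels through pointers so the name at offset 197 expands to 257 octets.
def _block(letter: bytes, pointer_to=None) -> bytes:
    label = bytes([63]) + letter * 63
    return label + (b"\x00" if pointer_to is None else struct.pack("!H", 0xC000 | pointer_to))

OVERSIZED = _block(b"a") + _block(b"b", 0) + _block(b"c", 65) + _block(b"d", 131)
OVERSIZED_NAME_OFFSET = 197
VALID = b"\x07example\x03com\x00" + b"\x00" * SIG_FIXED_RDATA + b"\xc0\x00"
VALID_RDATA_OFFSET = 13
```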
