Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
BID:23470
Info
Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
| Bugtraq ID: | 23470 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2007-1748 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 13 2007 12:00AM |
| Updated: | Jul 11 2008 04:49PM |
| Credit: | The vendor disclosed this issue. |
| Vulnerable: |
Microsoft Windows Server 2003 x64 SP2 Microsoft Windows Server 2003 x64 SP1 Microsoft Windows Server 2003 Itanium SP2 Microsoft Windows Server 2003 Itanium SP1 Microsoft Windows Server 2003 Enterprise x64 Edition SP2 Microsoft Windows Server 2003 Datacenter x64 Edition SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000 Server SP4 Microsoft Small Business Server 2003 Premium Edition Microsoft Small Business Server 2003 Microsoft Small Business Server 2000 0 |
| Not Vulnerable: |
Microsoft Windows XP 0 Microsoft Windows Vista 0 Microsoft Windows 2000 Professional SP4 |
Discussion
Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
Microsoft Windows Domain Name System (DNS) Server Service is prone to a stack-based buffer-overflow vulnerability in its Remote Procedure Call (RPC) interface.
A remote attacker may exploit this issue to run arbitrary code in the context of the DNS Server Service. The DNS service runs in the 'SYSTEM' context.
Successfully exploiting this issue allows attackers to execute arbitrary code, facilitating the remote compromise of affected computers.
Windows Server 2000 Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are confirmed vulnerable to this issue.
Microsoft Windows 2000 Professional SP4, Windows XP SP2, and Windows Vista are not affected by this vulnerability.
Microsoft Windows Domain Name System (DNS) Server Service is prone to a stack-based buffer-overflow vulnerability in its Remote Procedure Call (RPC) interface.
A remote attacker may exploit this issue to run arbitrary code in the context of the DNS Server Service. The DNS service runs in the 'SYSTEM' context.
Successfully exploiting this issue allows attackers to execute arbitrary code, facilitating the remote compromise of affected computers.
Windows Server 2000 Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are confirmed vulnerable to this issue.
Microsoft Windows 2000 Professional SP4, Windows XP SP2, and Windows Vista are not affected by this vulnerability.
Exploit / POC
Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
An exploit module for the Metasploit Framework is available. A reliable exploit for Windows 2000 and 2003 for members of the Immunity Partner's program is available at the following URI:
https://www.immunityinc.com/downloads/immpartners/msdnsrpc.tar
Additional exploits and proofs of concept are also available.
An exploit module for the Metasploit Framework is available. A reliable exploit for Windows 2000 and 2003 for members of the Immunity Partner's program is available at the following URI:
https://www.immunityinc.com/downloads/immpartners/msdnsrpc.tar
Additional exploits and proofs of concept are also available.
- /data/vulnerabilities/exploits/msdns_zonename.rb
- /data/vulnerabilities/exploits/23470-devcode.c
- /data/vulnerabilities/exploits/23470_dnsrpc.py
- /data/vulnerabilities/exploits/Microsoft_Dns_Server_Exploit.zip
- /data/vulnerabilities/exploits/Microsoft_Dns_Server_Exploit_v2.1.zip
- /data/vulnerabilities/exploits/dcerpc_msdns_zonename.rb
- /data/vulnerabilities/exploits/smb_msdns_zonename.rb
Solution / Fix
Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
Solution:
Microsoft released MS07-029 and fixes to address this issue. Please see the references for more information.
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows 2000 Server SP4
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
Microsoft Windows Server 2003 x64 SP1
Microsoft Windows Server 2003 SP1
Solution:
Microsoft released MS07-029 and fixes to address this issue. Please see the references for more information.
Microsoft Windows Server 2003 SP2
-
Microsoft WindowsServer2003-KB935966-x86-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=dfb5eaca-788b -475c-9817-491f0b7cf295&displaylang=en
Microsoft Windows Server 2003 x64 SP2
-
Microsoft WindowsServer2003.WindowsXP-KB935966-x64-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=e7a7b46b-775d -4912-8119-3ab9a95d775a&displaylang=en
Microsoft Windows 2000 Server SP4
-
Microsoft Windows2000-KB935966-x86-ENU.EXE
http://www.microsoft.com/downloads/details.aspx?familyid=d9de0480-5fa9 -4974-a82f-5d89056484c4&displaylang=en
Microsoft Windows Server 2003 Datacenter x64 Edition SP2
-
Microsoft WindowsServer2003.WindowsXP-KB935966-x64-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=e7a7b46b-775d -4912-8119-3ab9a95d775a&displaylang=en
Microsoft Windows Server 2003 Enterprise x64 Edition SP2
-
Microsoft WindowsServer2003.WindowsXP-KB935966-x64-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=e7a7b46b-775d -4912-8119-3ab9a95d775a&displaylang=en
Microsoft Windows Server 2003 x64 SP1
-
Microsoft WindowsServer2003.WindowsXP-KB935966-x64-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=e7a7b46b-775d -4912-8119-3ab9a95d775a&displaylang=en
Microsoft Windows Server 2003 SP1
-
Microsoft WindowsServer2003-KB935966-x86-ENU.exe
http://www.microsoft.com/downloads/details.aspx?familyid=dfb5eaca-788b -475c-9817-491f0b7cf295&displaylang=en
References
Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
References:
References:
- Handler's Diary: Microsoft Vulnerability in RPC on Windows DNS Server (SANS)
- Lessons Learned from MS07-029: The DNS RPC Interface Buffer Overrun (Michael Howard)
- Microsoft Knowledge Base Artcile 936263: New KB article to help deploy DNS remot (Microsoft)
- Microsoft Security Advisory (935964) (Microsoft)
- Microsoft Security Bulletin MS07-029 (Microsoft)
- Microsoft Windows Homepage (Microsoft)
- Nortel Response to Microsoft Security Bulletin MS07-029 - BULLETIN ID: 200700797 (Nortel)
- Update on Microsoft Security Advisory 935964 (Microsoft)
- Microsoft DNS Server Remote Code execution: Analysis and exploit ([email protected])
- EEYEZD-20070407 Microsoft DNS RPC (eEye Digital Security)
- Microsoft Security Advisory 935964 Posted (Microsoft Security Response Center)
- US-CERT Vulnerability Note VU#555920 - Microsoft Windows DNS RPC buffer overflow (US-CERT)
- Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution (US-CERT)