
Microsoft Windows DNS RPC Buffer Overflow

Posted: 2007-04-16 09:51


Original release date: April 13, 2007
Last revised: --
Source: US-CERT

Systems Affected

Microsoft Windows 2003 Server

Microsoft Windows 2000 Server

Overview

A buffer overflow in the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.

I. Description

The Microsoft Windows DNS service RPC management interface contains a stack-based buffer overflow. This vulnerability can be triggered by sending a specially crafted RPC packet to the RPC management interface. The management interface typically operates on a dynamically-assigned port between 1024/tcp and 5000/tcp.

Note that this vulnerability cannot be exploited via the DNS name resolution service (53/udp).

More information on this vulnerability is available in Vulnerability Note VU#555920 and Microsoft Security Advisory (935964).

This vulnerability is actively being exploited.

II. Impact

A remote attacker may be able to execute arbitrary code with SYSTEM privileges or cause a denial-of-service condition.

III. Solution

We are unaware of a complete solution to this vulnerability. Until a fix is available, there are workarounds that may reduce the chances of exploitation. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. For instance, disabling the RPC interface of the DNS service may prevent administrators from being able to remotely manage a Microsoft Windows DNS server. Consider this when implementing the following workarounds:

Disable the RPC interface used by the Microsoft Windows DNS service

This workaround configures the DNS management service to function only via Local Procedure Call (LPC). This prevents exploitation of the vulnerability; however, it also disables remote management via RPC, which is used by the Microsoft Management Console (MMC) DNS snap-in.

According to Microsoft Security Advisory (935964), the RPC remote management can be disabled by taking the following steps:

On the start menu click 'Run' and then type 'Regedit' and then press enter.

Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

On the 'Edit' menu select 'New' and then click 'DWORD Value'.

Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

Double click on the newly created value and change the value's data to 4.

Alternatively, the following text can be saved as a .REG file and imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

"RpcProtocol"=dword:00000004

Restart the DNS service for the change to take effect.

More information on regedit.exe is available in Microsoft Knowledge Base Article 82821.

Block or Restrict access to RPC services

This workaround will restrict TCP/IP access to all RPC interfaces, including the vulnerable DNS management RPC interface. This workaround will not prevent exploitation of the vulnerability, but will limit the possible sources of attacks. This workaround will allow remote management using the RPC interface (MMC DNS Snap-in) from selected networks.

Block access to the RPC Endpoint Mapper service (135/tcp) at your network perimeters. Note that blocking RPC at the network perimeter would still allow attackers within the perimeter to exploit this vulnerability.

By default, the RPC Endpoint Mapper service assigns RPC ports between 1024/tcp and 5000/tcp. All unsolicited traffic on these ports should also be blocked.

IV. References

Vulnerability Note VU#555920 - <http://www.kb.cert.org/vuls/id/555920>

Microsoft Security Advisory (935964) - <http://www.microsoft.com/technet/security/advisory/935964.mspx>

Registration Info Editor (REGEDIT) Command-Line Switches - <http://support.microsoft.com/kb/82821>

Affected systems:
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000 SP4
Description:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2007-1748

Microsoft Windows is a widely deployed operating system published by Microsoft.

The RPC interface of the Microsoft Windows DNS server contains a stack-based buffer overflow in its handling of malformed requests; a remote attacker may exploit it to gain administrative control of the server.

A remote attacker who can deliver a specially crafted RPC packet to a vulnerable system can trigger the overflow and execute arbitrary code in the security context of the DNS service (Local SYSTEM by default).

<*Source: Microsoft

Links: http://www.microsoft.com/technet/security/advisory/935964.mspx?pf=true
http://secunia.com/advisories/24871/
*>

Recommendations:
--------------------------------------------------------------------------------
Temporary workarounds:

NSFOCUS recommends the following measures to reduce exposure:

* Disable remote management of the DNS server over RPC via the registry:

1. On the Start menu click "Run", type Regedit and press Enter
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. On the "Edit" menu select "New", then click "DWORD Value"
4. With "New Value #1" highlighted, type RpcProtocol and press Enter
5. Double-click the new value and set its data to 4
6. Restart the DNS service for the change to take effect

* Alternatively, save the following registry script as a .REG file and deploy it with regedit.exe using the /s (silent) command-line switch:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

"RpcProtocol"=dword:00000004

* Block all unsolicited inbound traffic to TCP ports 1024 through 5000 at the firewall
* Enable advanced TCP/IP filtering on the system
* Use IPsec to block TCP ports 1024 through 5000
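Both the US-CERT steps in section III ("Disable the RPC interface used by the Microsoft Windows DNS service") and the NSFOCUS steps just above describe the same registry change through the Regedit GUI. The batch script below is an added example, not part of either advisory: it makes the same change with reg.exe, restarts the DNS service, and then verifies both the registry value and which TCP ports dns.exe still listens on. It assumes Windows Server 2003 (reg.exe, tasklist and netstat -o are built in; Windows 2000 lacks the last two) and a cmd prompt running as a local administrator. RpcProtocol is a bitmask of the transports the DNS server registers its management interface on (1 = TCP/IP, 2 = named pipes, 4 = LPC); the advisories' value of 4 leaves only local-procedure-call management, which is why the MMC DNS snap-in stops working remotely.

```batch
@echo off
rem Added example, not part of the US-CERT or NSFOCUS advisories.
rem Applies the RpcProtocol=4 workaround with reg.exe, restarts the DNS
rem service, and verifies the result. Assumes Windows Server 2003 (reg.exe,
rem tasklist and netstat -o are built in) and an Administrators cmd prompt.
setlocal
set DNSKEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

echo === Current RpcProtocol value; absent means the default of all transports ===
reg query "%DNSKEY%" /v RpcProtocol 2>nul || echo RpcProtocol is not set

echo === Restrict DNS management RPC to LPC only; 4 = DNS_RPC_USE_LPC ===
reg add "%DNSKEY%" /v RpcProtocol /t REG_DWORD /d 4 /f
if errorlevel 1 (
    echo Could not write RpcProtocol. Run this from an Administrators prompt.
    exit /b 1
)

echo === Restart the DNS service so the new value is read ===
net stop dns
net start dns
if errorlevel 1 (
    echo DNS service failed to start. Check the DNS Server event log.
    exit /b 1
)

echo === Verify the registry value reads 0x4 ===
reg query "%DNSKEY%" /v RpcProtocol | findstr /r /c:"REG_DWORD *0x4$" >nul
if errorlevel 1 (
    echo RpcProtocol is not 4. Workaround NOT applied.
    exit /b 1
)
echo RpcProtocol=4 confirmed.

echo === Verify dns.exe no longer listens on a dynamic RPC port ===
set DNSPID=
for /f "tokens=2" %%p in ('tasklist /svc /fi "SERVICES eq DNS" /nh') do set DNSPID=%%p
echo %DNSPID%| findstr /r "^[0-9][0-9]*$" >nul
if errorlevel 1 (
    echo Could not determine the DNS service PID from tasklist.
    exit /b 1
)
echo DNS service PID: %DNSPID%
rem 53/tcp is the name-resolution listener and stays; anything else listed
rem here is an RPC endpoint that should be gone after the change.
netstat -ano -p tcp | findstr /r /c:"LISTENING *%DNSPID% *$" | findstr /v ":53 "
if errorlevel 1 (
    echo Only 53/tcp remains. RPC over TCP/IP is disabled for DNS management.
) else (
    echo dns.exe still owns the TCP listeners shown above. Re-check the change.
)
endlocal
```

Run it on the DNS server itself from an Administrators prompt. The final check lists any TCP listener owned by the DNS service process other than 53/tcp; after the change there should be none, because the management interface no longer binds a dynamic port in the 1024-5000 range, while name resolution on 53 is unaffected (as the advisory notes, that service was never the attack path). If the Windows Server 2003 Support Tools are installed, `dnscmd /Config /RpcProtocol 4` writes the same registry value.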

Vendor patch:

Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software should watch the vendor's security site for the latest version:

http://www.microsoft.com/technet/security/
Source: NSFOCUS