Top Categories

Spotlight

todayAugust 18, 2020

secure development + malware Jake

Network security concepts in school safety plans

As summer nears its end, there’s a lot of discussion about how and when to reopen schools and universities. As a security professional, I can’t help but see the parallels between protecting students and faculty from a pandemic and protecting networks from malware. This post will examine those similarities from [...]


SIGRed: A new critical vulnerability Explained

vulnerabilities Jake todayJuly 21, 2020 129 1

Background
share close

Last Tuesday, as they do every second Tuesday, Microsoft released its monthly patch updates. One in particular (CVE-2020-1350) has been drawing a lot of attention. The vulnerability is called “SIGRed”, like that lunch I may have left in the office, its old, its bad and ripe for worms. Lets dig in!

Whats the bug?

The bug, discovered by Check Point Research is found in the DNS server program on windows servers going all the way back to 2003. The DNS server (DNS.exe), is responsible for taking requests for domain names, and returning IP and other records. In an enterprise, the DNS server can be used by all the machines in a given network to find anything from websites to printers. The DNS server contains code for parsing all the different types of responses, this vulnerability happens when it attempts to parse a specific type of record called SIG (short for signature and ironically added to improve DNS security).

The vulnerability starts with a buffer overflow. When DNS.exe receives a SIG record, the program will attempt to store the length of the record into a register (a place where data is stored in the processor), the register is big enough to hold 16bits, this means that the largest integer it can store is 65,535. Due to the way processors work, if you try to add 1 to 65,535, the register will run out of room and reset to zero. This is whats known as an overflow. To better understand this, imagine you are writing numbers (in order) one on top of the other, at some point you get to 98,99,100,101. Now imagine someone comes along and rips your paper so that only the last 2 digits remain, now you see 98, 99, 00, 01. This is similar to what happens in a computer.

The fatal flaw here is that DNS.exe doesn’t verify that the length data is less than 64KB (65,535 bits). Normally this wouldn’t be a problem as the largest a response can be is 64Kb. In this case however, the researchers realized that some of the fields can be compressed. This means that a request, once decompressed may be larger than 64KB, allowing researchers to trigger an overflow in the length register. Then, DNS.exe attempts to use the length to allocate (reserve) some space in memory. While normally this would work fine (reserve 10KB of space for a 10KB message), in this scenario the overflow causes it to allocate a much smaller amount than it actually needs. When the researches sent those specially crafted SIG records, the server crashes!

Video demonstrating the vulnerability in action

As any security researcher will tell you, a crash is the first step in making a usable vulnerability. While the initial researchers didn’t get completely to the POC phase, they continued their research, figuring out ways to get their “payloads” where they wanted them and proving that the DNS server would actually execute their code and showing that these crashes could be triggered just from a user on the network clicking a malicious link (so far just in IE and Edge).

Whats the impact?

Well according to the National Institute of Standards and Technology (NIST), its a perfect 10/10. This means its critical and probably can’t be ranked higher. Microsoft has issued an advisory saying that its “wormable” meaning it can spread on its own without user interaction. Sysadmins around the world are scrambling to patch and there are a lot of servers that are susceptible. DNS typically runs as a privileged service and the server hosting it is usually pretty privileged as well. Having one get compromised could lead to an attacker getting the keys to the entire network. Its exploitable via browsers as well making it relatively easy to trigger a malicious request.

And its certainly not gonna get better. A proof of concept has already been released and supposedly attacks have already been found in the wild. We can expect to see this exploit leading to successful breaches, or wormlike infections creating botnets used for DDOS attacks. Moreso, we’ll likely see more researchers looking into DNS.exe or similar vectors potentially leading to similar vulnerabilities.

The good news, is that this just affects Windows Server, so your home network is probably safe (for now at least). If you have windows server, you should patch it or apply the workaround. If you use IE or Edge at work maybe be careful what you click for awhile.

Written by: Jake

Tagged as: .

Rate it

Previous post