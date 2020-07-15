
SANS Webcast on Windows DNS Server Vulnerability CVE-2020-1350

Video: https://www.sans.org/webcasts/about-windows-dns-vulnerability-cve-2020-1350-116120

Microsoft just released a patch for a critical-risk vulnerability in their server implementation of DNS, known as Windows DNS Server: CVE-2020-1350. The vulnerability, known as SIGRed, allows an unauthenticated user to execute code with SYSTEM level privileges on the vulnerable server. As many organizations run the Windows DNS Server on their Active Directory Domain Controllers, this vulnerability can have significant collateral impact on your internal systems. Microsoft Windows Server 2008 through 2019 are vulnerable.

DNS is a fundamental network protocol used on a daily basis by all internet users. It is often called the "phone book of the internet", translating domain names to IP addresses. There are many DNS server implementations available, and the one we will discuss today is the Microsoft Windows DNS Server, which has a critical vulnerability: CVE-2020-1350. Other DNS server implementations are not vulnerable. There is a workaround that does not require a reboot to implement.

References:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

  1. CVE-2020-1350: What You Need to Know About the Windows DNS Vulnerability
     @JorgeOrchilles | SCYTHE | © 2020 Jorge Orchilles | All Rights Reserved
  2. C:\> whoami
     • Chief Technology Officer - SCYTHE
     • Author SEC564: Red Team Exercises and Adversary Emulation
     • Certified SANS Instructor: SEC560, SEC504
     • C2 Matrix Co-Creator
     • 10 years @ Citi leading offensive security team
     • CVSSv3.1 Working Group Voting Member
     • GFMA: Threat-Led Pen Test Framework
     • ISSA Fellow; NSI Technologist Fellow
  3. Agenda
     • Domain Name System (DNS)
     • Windows DNS Server
     • About CVE-2020-1350
     • Attack Vectors
     • Impact
     • Patch & Workarounds
     • Proof of Concept?
     • Detection
     • Incident Response
  4. Domain Name System (DNS): DNS translates domain names into IP addresses
     • Client-Server Architecture
     • Client requests the IP address of a domain (sans.org)
     • Asks DNS Server:
       – If the DNS server knows, it replies
       – If it does not know, it forwards the “recursive” query to the next DNS Server
     • DNS uses UDP on port 53 if the message is smaller than 512 bytes, or 4096 bytes if EDNS is enabled
     • When larger, DNS uses TCP on port 53
  5. Windows DNS Server
     • Organizations that leverage Active Directory require DNS
     • Kerberos does not function without DNS
     • When setting up a Domain Controller, the option to enable the Windows DNS Server is highly encouraged (and trivial)
     • Windows DNS Service runs with SYSTEM privileges
     • Generally found running on:
       – Domain Controllers
       – Member Servers
  6. About CVE-2020-1350
     • Reported by Check Point’s Sagi Tzadik and named “SIGRed”
     • Integer Overflow leading to Heap-Based Buffer Overflow
     • CVSS 10.0, affecting Windows Server 2008 – 2019 (dns.exe)
     • 17-year-old bug
     • Vulnerable if you have the Windows DNS Server service enabled
     • Exploitation by receiving a malicious DNS response
     • Microsoft said no evidence of active exploitation
     • DNS client is not vulnerable
     https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
  7. Attack Vectors
     • Issue in how Windows DNS Server (dns.exe) parses responses to recursive queries
       – Endpoint requests lookup of a record; a malicious authoritative DNS Server returns a crafted payload
     • Responses that contain “SIG” resource records may trigger the vulnerability as they are parsed by QuerySigWireRead
     • Integer overflow in the function that parses incoming responses when a SIG resource record is larger than 64KB
     • Can be triggered through Internet Explorer due to “Connection Reuse” and “Pipelining” features: https://bad-dns:53/
  8. Exploit: DNS Query and Response Structure
     • DNS Payload Size (16 bits; only used for DNS over TCP)
     • Query ID
     • Flags
     • Number of Queries
     • Number of Answers
     • Number of Authority Records
     • Number of Additional Records
     • Resource Records (length varies)
  9. Normal DNS Pointers in responses
     Name         Type  Class  TTL   Length  Data
     example.com  A     IN     3600  4       192.0.2.1
     example.com  AAAA  IN     3600  16      2001:db8::1
     DNS responses often repeat names. A pointer can be used to save space by “pointing” to a prior copy of that name.
     Name         Type  Class  TTL   Length  Data
     example.com  A     IN     3600  4       192.0.2.1
     0xc0??       AAAA  IN     3600  16      2001:db8::1
  10. Parsing of Response in dns.exe
     1. Response is received
     2. RR_DispatchFunctionForType selects the right handling function for each RR
     3. SIG RR is passed to SigWireRead
     4. Record size is passed as a 16-bit integer BUT… if pointers are used, it is possible that the RR size for the SIG RR exceeds 16 bits (64 kBytes) after the pointers are expanded
  11. Parsing of Response in dns.exe (2)
     5. dns.exe allocates not enough memory (actual size – 64 kBytes, due to the integer overflow)
     6. The complete SIG RR is “memcpy”ed into the (too small) allocated heap memory buffer
     7. Heap Buffer Overflow!
  12. Decompiled Vulnerable Code
  13. Diffed: Unpatched vs. Patched
  14. “Wormable”: Malware (exploit) that can replicate without user interaction
     • Exploit does not require authentication
     • Allows Remote Code Execution
     • Execution is with SYSTEM level privilege
     • Most systems have a DNS server configured
     “While technically wormable, it seems unlikely. A more likely scenario would be ransomware actors using it to gain access to the Domain Controller, then pushing ransomware to all network clients.” - Marcus Hutchins
  15. Impact
     • DNS Server on the Internet – Can be queried directly
     • Access to internal network
     • SYSTEM privileges on Domain Controller – Compromise of entire Active Directory
     • SYSTEM privileges on non-Domain Controller – Ability to respond to DNS queries with attacker responses resulting
  16. Impact - Internet
     https://beta.shodan.io/search?query=Microsoft+DNS+port%3A53
  17. Patch: Install the Patch and Reboot
     • Monthly Rollup or Security Only
       – Look up your Windows Server version; multiple Microsoft articles (too many to list)
     • DNS Servers should have redundancy
     • Active Directory and Domain Controllers should have redundancy
     • What is the real impact of a reboot?
     https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
  18. Workaround: Apply the workaround that limits maximum length
     • Edit Registry
       – Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
       – DWORD = TcpReceivePacketSize
       – Value = 0xFF00
     • Restart the DNS Server Service
     • After the workaround is implemented, a Windows DNS server will be unable to resolve DNS names for its clients when the DNS response from the upstream server is larger than 65280 bytes.
  19. Proof of Concept
     • Nothing public yet, but Check Point clearly has the code
     • Be careful with fake code:
       – https://github[.]com/ZephrFish/CVE-2020-1350
       – https://github[.]com/tinkersec/cve-2020-1350
     • dns.exe was compiled with Control Flow Guard (CFG), which makes exploitation harder
     • Proof of Concept and Weaponized Exploit Code expected any time
       – Microsoft rated Exploitability as “1 - Exploitation More Likely”
  20. Detection: Look for large responses > 64KB
     • Great opportunity to look at DNS traffic
     • Most queries and responses are small
     • Identify larger responses - could be exploitation, exfiltration, or command and control (C2)
       – C2 Matrix: www.thec2matrix.com
  21. Detection
     • Look for dns.exe spawning another process
     • DNS responses with a length of 0xff00 or larger
     • DNS responses that contain at least one SIG RR (0x0018)
     https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
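The parsing steps on slides 8 to 11 and the network signals on slides 20 and 21, as an added Python example that is not part of the webcast or of Check Point's research: a minimal parser that expands compression pointers, computes each SIG RR's size after expansion next to its 16-bit wire RDLENGTH (the value that wraps in dns.exe), and flags the two response-level signals (length of 0xff00 or more, presence of a SIG RR). The names `read_name`, `inspect_response` and `build_sample` are my own, and the responses `build_sample` produces are constructed test data whose SIG records stay far below the 64 KB boundary.

```python
import struct
SIG_TYPE = 0x0018   # SIG RR type (RFC 2931), the record type SigWireRead mishandles
TCP_LIMIT = 0xFF00  # TcpReceivePacketSize workaround value from slide 18 (65280 bytes)

def read_name(msg, off):
    """Decode a possibly compressed name; return (expanded byte length, offset just past it)."""
    expanded, end, hops = 0, None, 0
    while True:
        lab = msg[off]
        if lab & 0xC0 == 0xC0:                 # 0xc0?? compression pointer to an earlier name
            end, hops = (end if end is not None else off + 2), hops + 1
            if hops > 255: raise ValueError("compression pointer loop")
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            continue
        expanded += 1 + lab                    # length byte plus label bytes; terminator counts 1
        off += 1 + lab
        if lab == 0:
            return expanded, (end if end is not None else off)

def inspect_response(frame):
    """Walk a TCP-framed DNS response and report the signals from the detection slides."""
    total = struct.unpack_from(">H", frame, 0)[0]
    msg = frame[2:2 + total]
    qd, an, ns, ar = struct.unpack_from(">HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4       # skip QNAME, QTYPE, QCLASS
    sigs = []
    for _ in range(an + ns + ar):
        off = read_name(msg, off)[1]
        rtype, rdlen = struct.unpack_from(">H", msg, off)[0], struct.unpack_from(">H", msg, off + 8)[0]
        if rtype == SIG_TYPE:                  # RDATA: 18 fixed bytes, signer's name, signature
            name_len, name_end = read_name(msg, off + 10 + 18)
            expanded = 18 + name_len + (off + 10 + rdlen - name_end)
            sigs.append({"wire": rdlen, "expanded": expanded, "as_uint16": expanded & 0xFFFF})
        off += 10 + rdlen
    return {"length": total, "over_limit": total >= TCP_LIMIT, "sig_rrs": sigs,
            "wraps_16bit": any(s["expanded"] > 0xFFFF for s in sigs)}

def build_sample(sig_len=0, pad_len=0):
    """Constructed example.com response: A RR, optional SIG RR (signer = pointer 0xc00c), optional TXT padding."""
    body = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1 + (sig_len > 0) + (pad_len > 0), 0, 0)
    body += b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)   # question: example.com A IN
    body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    if sig_len:
        rdata = struct.pack(">HBBIIIH", 1, 5, 2, 3600, 0, 0, 0) + b"\xc0\x0c" + b"A" * sig_len
        body += b"\xc0\x0c" + struct.pack(">HHIH", SIG_TYPE, 1, 3600, len(rdata)) + rdata
    if pad_len:
        body += b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 3600, pad_len) + b"B" * pad_len
    return struct.pack(">H", len(body)) + body
```

Because `as_uint16` is the value a 16-bit allocation size would see, any response where it is smaller than `expanded` is exactly the under-allocation described on slide 11; the sample builder cannot produce one, but a capture from a resolver can be fed to `inspect_response` the same way.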
  22. Incident Handling
     • A compromised Domain Controller means your Active Directory is compromised
     • Rebuilding is not trivial
     • Much more difficult than Incident Handling of the network device vulnerabilities we have seen in 2020
     • Seek professional assistance
  23. References
     • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
     • https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability
     • https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
     • https://tools.ietf.org/html/rfc2931
     • https://www.wired.com/story/sigred-windows-dns-flas-wormable/
     • https://thehackernews.com/2020/07/windows-dns-server-hacking.html
     • https://beta.shodan.io/search?query=Microsoft+DNS+port%3A53
     • https://www.rapid7.com/research/project-sonar/
     • https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
  24. Thank You. Questions?
     © 2020 Jorge Orchilles | All Rights Reserved

