
List:       bugtraq
Subject:    ADVISORY : Microsoft DNS Denial of Service
From:       Jonathan Wilkins <jwilkins () SECNET ! COM>
Date:       1997-01-26 15:48:34

-----BEGIN PGP SIGNED MESSAGE-----



                  ######    ##   ##    ######
                  ##        ###  ##      ##
                  ######    ## # ##      ##
                      ##    ##  ###      ##
                  ###### .  ##   ## .  ######.

                       Secure Networks Inc.

                        Security Advisory
                         January 26, 1997

                 Microsoft DNS Denial Of Service


While doing research and testing for our upcoming security auditing
package we became aware of a problem in the Microsoft DNS server
distributed with Windows NT version 4.0.

The Problem:
~~~~~~~~~~~~
  Microsoft DNS service terminates abnormally when it receives a
response to a DNS query that was never made.

Impact:
~~~~~~~
  Remote users can cause a denial of DNS service.

Details:
~~~~~~~~
  When this unexpected response packet is received, dns.exe exits
saying (on my machine):

    'The instruction at "0x77f6748f" referenced memory at "0x0000000c"
     The memory could not be "written"'

  If I choose to debug at this point I get to discover that the command
it crashes on is:

          77f6748f   inc       dword ptr [edx+04]


The format of a DNS packet is as follows: (taken from rfc-1035)

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where applicable fields are:

ID              A 16 bit identifier assigned by the program that
                generates any kind of query.  This identifier is copied
                to the corresponding reply and can be used by the requester
                to match up replies to outstanding queries.

QR              A one bit field that specifies whether this message is a
                query (0), or a response (1).

  While parsing the newly arrived packet, DNS.exe discovers that,
instead of the expected QR bit indicating a query packet, the bit marks
this as a response packet, one that it never asked for.  DNS promptly
crashes.

  More specifically, DNS crashes when QR is set to 1 in a packet that
arrives on the query port.

  This problem does not appear to be exploitable as anything other
than a denial of service.
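The following is an added example, not code from the advisory or from
Microsoft.  It parses the 12-byte RFC 1035 header shown above with the
bit layout the RFC gives (QR in the top bit of the flags word, then
Opcode, AA, TC, RD, RA, Z, RCODE) and shows the check a server's receive
loop should make before handing a packet to query-processing code:
reject anything whose QR bit says "response" unless its ID matches a
query the server itself has outstanding.  The receive-loop model,
the function names, and the sample headers are all constructed for the
example; the real dns.exe logic is not shown on the page.

```python
import struct
from dataclasses import dataclass

DNS_HEADER_LEN = 12  # RFC 1035 section 4.1.1: six 16-bit fields


@dataclass
class DnsHeader:
    """Fields of the RFC 1035 header, in the order the RFC lists them."""
    id: int
    qr: int
    opcode: int
    aa: int
    tc: int
    rd: int
    ra: int
    z: int
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(packet: bytes) -> DnsHeader:
    """Decode the fixed header; raise on a packet shorter than 12 bytes."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:DNS_HEADER_LEN])
    return DnsHeader(
        id=ident,
        qr=(flags >> 15) & 0x1,      # bit 15: 0 = query, 1 = response
        opcode=(flags >> 11) & 0xF,  # bits 14..11
        aa=(flags >> 10) & 0x1,
        tc=(flags >> 9) & 0x1,
        rd=(flags >> 8) & 0x1,
        ra=(flags >> 7) & 0x1,
        z=(flags >> 4) & 0x7,        # bits 6..4, reserved, must be zero
        rcode=flags & 0xF,           # bits 3..0
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def classify(packet: bytes, outstanding_ids: set) -> str:
    """Decide what a server receive loop should do with an incoming packet.

    'outstanding_ids' is the set of IDs of queries this server sent itself
    (e.g. recursive lookups) and is still waiting on.  A response that
    matches none of them is exactly the unsolicited packet the advisory
    describes, and is dropped instead of being parsed as a query.
    """
    try:
        hdr = parse_header(packet)
    except ValueError:
        return "drop: truncated"
    if hdr.qr == 0:
        return "query"
    if hdr.id in outstanding_ids:
        return "response"
    return "drop: unsolicited response"


def build_header(ident, qr, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0) -> bytes:
    """Encode a header (constructed test input for this example)."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
             | (rd << 8) | (ra << 7) | rcode)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


# Constructed sample headers: a normal query, a reply to a query this
# server has outstanding (ID 0x1234), and a reply nobody asked for.
SAMPLE_QUERY = build_header(0x1234, qr=0)
SAMPLE_RESPONSE = build_header(0x1234, qr=1, ra=1, ancount=1)
SAMPLE_UNSOLICITED = build_header(0xBEEF, qr=1)
OUTSTANDING = {0x1234}

if __name__ == "__main__":
    for name, pkt in [("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE),
                      ("unsolicited", SAMPLE_UNSOLICITED)]:
        hdr = parse_header(pkt)
        print(f"{name:12s} id=0x{hdr.id:04x} qr={hdr.qr} -> {classify(pkt, OUTSTANDING)}")
```

The point of the check is that the QR bit is read and acted on before
any response-handling code path that assumes a matching query record
exists; a server that only ever expects queries on its listening port
can simply drop every packet with QR set.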


Fix Information:
~~~~~~~~~~~~~~~~
  1. Service Pack 3, due out this quarter, will contain a fix.
  2. Run your DNS service on a different platform.

Systems Affected:
~~~~~~~~~~~~~~~~~
  Microsoft Windows NT systems running the Microsoft DNS service.

    WinNT 4 - Server
        Vulnerable

    WinNT 4 - Workstation
        No DNS service ships with WinNT Workstation

    WinNT 3.51 - Server
        DNS does not ship with WinNT 3.51

    WinNT 3.51 - Workstation
        DNS does not ship with WinNT 3.51

Thanks go to:
~~~~~~~~~~~~~
  - Jim Kelly <jimk@microsoft.com> at Microsoft for his prompt
    attention to this matter.

Additional Information:
~~~~~~~~~~~~~~~~~~~~~~~
  You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
  You can find Secure Networks advisories at ftp://ftp.secnet.com/pub/advisories
  You can browse our web site at http://www.secnet.com/ and not have to remember long pathnames.

  You can contact the author of this advisory at jwilkins@secnet.com
  My PGP Key is :
   -----BEGIN PGP PUBLIC KEY BLOCK-----
   Version: 4.5

   mQCNAi4vYzUAAAEEAMyO8P55B4bpCEe1xjIOdTQWiW3CSEjzTcHDFnW4Yoz0/zAI
   d+3gNJVYxzhmvywNh6NQhxg1Agob8Xu7n5MnlUHt8TyK6qw0PJ539G3+kqaPrWmo
   C6utR1iXzPQdu1jJ8xAf/FC4WD1oEhifNf75UlQZHXHiPTbJAbTl3s+VYMi5AAUR
   tClKb25hdGhhbiBQLiBXaWxraW5zIDxqd2lsa2luc0BzZWNuZXQuY29tPg==
   =dXkL
   -----END PGP PUBLIC KEY BLOCK-----


  RFCs (Request for Comments) are available at
      http://ds.internic.net/rfc/
   The DNS RFC is
      http://ds.internic.net/rfc/rfc1035.txt
      and was written by P. Mockapetris.


Copyright Notice:
~~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc.
and may be distributed freely provided that no fee is charged for this
distribution, and proper credit is given.

Windows NT and WinNT are trademarks of Microsoft.


-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQCVAgUBMuvaw7Tl3s+VYMi5AQFu6gP/bBjc9ZMy6JhlbeqvlrSmdrrMvmQ8txE8
rlD/lYQAw0FUtAwHfCiNBkwHkup9vzsCVgqg0c8OzzNrLevAIfc4ZdsYZlTCRJcB
pcYSj819sRxdbBR4qZh1kov/IH6bvTGePjo6Efsh4zyP/KfnV1VB+vklb9Z4Z5Bz
rOaT4fajfJc=
=rwm2
-----END PGP SIGNATURE-----
