http://www.us-cert.gov/cas/techalerts/TA07-103A.html
Technical Cyber Security Alert TA07-103A

Microsoft Windows DNS RPC Buffer Overflow

Original release date: April 13, 2007
Last revised: --
Source: US-CERT

Systems Affected
(The affected platforms are all server editions: Windows 2000 Server and Windows Server 2003.)

  • Microsoft Windows 2003 Server
  • Microsoft Windows 2000 Server

Overview
(This is a remotely exploitable RPC weakness caused by a buffer overflow.)

A buffer overflow in the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.

I. Description
(Ports 1024-5000 should all be blocked, or at least access to them should be restricted.)

The Microsoft Windows DNS service RPC management interface contains a stack-based buffer overflow. This vulnerability can be triggered by sending a specially crafted RPC packet to the RPC management interface. The management interface typically operates on a dynamically-assigned port between 1024/tcp and 5000/tcp.

Note that this vulnerability cannot be exploited via the DNS name resolution service (53/udp).

More information on this vulnerability is available in Vulnerability Note VU#555920 and Microsoft Security Advisory (935964).

This vulnerability is actively being exploited.

II. Impact

A remote attacker may be able to execute arbitrary code with SYSTEM privileges or cause a denial-of-service condition.

III. Solution

We are unaware of a complete solution to this vulnerability. Until a fix is available, there are workarounds that may reduce the chances of exploitation. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. For instance, disabling the RPC interface of the DNS service may prevent administrators from being able to remotely manage a Microsoft Windows DNS server. Consider this when implementing the following workarounds:

Disable the RPC interface used by the Microsoft Windows DNS service
(This temporary control measure may well work, but it removes the ability to manage DNS remotely, that is, over RPC; evaluate the impact before applying it.)

This workaround will configure the DNS management service to function only via Local Procedure Call (LPC). This prevents exploitation of the vulnerability, however it also disables remote management via RPC, which is used by the Microsoft Management Console (MMC) DNS snap-in.

According to Microsoft Security Advisory (935964), the RPC remote management can be disabled by taking the following steps:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.
  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.
  5. Double click on the newly created value and change the value's data to 4.

Alternatively, the following text can be saved as a .REG file and imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

"RpcProtocol"=dword:00000004

Restart the DNS service for the change to take effect.

More information on regedit.exe is available in Microsoft Knowledge Base Article 82821.
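
As an added example (not part of the US-CERT alert or of Microsoft Security Advisory 935964), the same workaround as a PowerShell script: it records the current setting, writes RpcProtocol=4, reads the value back to confirm the write, and restarts the DNS service, which only picks the key up at start-up. A second function removes the value again once the security update is installed. It assumes PowerShell is available on the server (Windows Server 2003 with PowerShell installed; on Windows 2000 use the .REG file above) and that it is run from an administrative prompt on the DNS server itself. The function names are the example's own.

```powershell
# Added example (not from TA07-103A or Microsoft Security Advisory 935964):
# apply the LPC-only workaround from PowerShell, verify it, and restart DNS.
# Assumes an administrative PowerShell prompt on the DNS server itself.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
$LpcOnly   = 4    # value given in the advisory: RPC management over LPC only

function Get-DnsRpcProtocol {
    # Returns the current RpcProtocol DWORD, or $null when the value does not
    # exist (the default, i.e. remote management over RPC/TCP is enabled).
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    if ($props.PSObject.Properties[$ValueName] -ne $null) {
        return [int]$props.$ValueName
    }
    return $null
}

function Set-DnsRpcLocalOnly {
    $before = Get-DnsRpcProtocol
    if ($before -eq $null) {
        Write-Host "RpcProtocol not set (default: remote RPC management enabled); creating it."
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $LpcOnly | Out-Null
    } else {
        Write-Host "RpcProtocol currently $before; setting it to $LpcOnly."
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $LpcOnly
    }
    # Read the value back rather than trusting the write.
    $after = Get-DnsRpcProtocol
    if ($after -ne $LpcOnly) { throw "RpcProtocol reads back as '$after', expected $LpcOnly" }
    # The DNS service reads this key only at start-up.
    Restart-Service -Name DNS -Force
    Write-Host "DNS service is now $((Get-Service -Name DNS).Status); remote MMC management is disabled."
}

function Remove-DnsRpcLocalOnly {
    # Undo the workaround once the security update is installed.
    if ((Get-DnsRpcProtocol) -ne $null) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Restart-Service -Name DNS -Force
    }
    Write-Host "RpcProtocol removed; DNS service is $((Get-Service -Name DNS).Status)."
}

Set-DnsRpcLocalOnly
```

Once the value is in place the MMC DNS snap-in only works on the server itself (console or Remote Desktop); dnscmd.exe, which uses the same RPC management interface, will likewise stop working against the server from other hosts. Run Remove-DnsRpcLocalOnly after patching to restore remote management.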

Block or Restrict access to RPC services

This workaround will restrict TCP/IP access to all RPC interfaces, including the vulnerable DNS management RPC interface. This workaround will not prevent exploitation of the vulnerability, but will limit the possible sources of attacks. This workaround will allow remote management using the RPC interface (MMC DNS Snap-in) from selected networks.

Block access to the RPC Endpoint Mapper service (135/tcp) at your network perimeters. Note that blocking RPC at the network perimeter would still allow attackers within the perimeter to exploit this vulnerability.

By default, the RPC Endpoint Mapper service assigns RPC ports between 1024/tcp and 5000/tcp. All unsolicited traffic on these ports should also be blocked.
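
A practitioner applying either workaround will want to confirm what the DNS server is actually listening on. The following added example (mine, not from the alert or the advisory) parses the output of `netstat -ano` to list the TCP listeners owned by the dns.exe process: after the LPC-only change only 53/tcp should remain, and with RPC management left enabled it shows which port in the 1024-5000 range the interface has been assigned this time, which is what you need when scoping a perimeter or host filter. The sample netstat rows and PIDs are constructed for illustration; the function names are the example's own, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the US-CERT alert: which TCP ports does dns.exe listen on?
# Requires PowerShell 2.0 or later. Run on the DNS server itself.

function Get-DnsTcpListeners {
    param(
        [string[]]$NetstatLines,   # output of 'netstat -ano', one string per row
        [int]$DnsPid               # PID of dns.exe
    )
    foreach ($line in $NetstatLines) {
        # Row layout: Proto  Local Address  Foreign Address  State  PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
            [int]$Matches[3] -eq $DnsPid) {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = [int]$Matches[2]
                Pid          = $DnsPid
            }
        }
    }
}

function Test-DnsRpcPort {
    param([string[]]$NetstatLines, [int]$DnsPid)
    $ports = Get-DnsTcpListeners -NetstatLines $NetstatLines -DnsPid $DnsPid |
             ForEach-Object { $_.Port } | Sort-Object -Unique
    # Anything dns.exe listens on in the dynamic range is the RPC management interface.
    $rpcPorts = @($ports | Where-Object { $_ -ge 1024 -and $_ -le 5000 })
    if ($rpcPorts.Count -eq 0) {
        "dns.exe (PID $DnsPid) listens only on TCP $($ports -join ', '): RPC over TCP/IP is not exposed."
    } else {
        "dns.exe (PID $DnsPid) has an RPC listener on TCP $($rpcPorts -join ', '). " +
        "Filter it (and 135/tcp) at the perimeter; the port is reassigned at each service restart."
    }
}

# Constructed sample rows (not a real capture) so the functions can be tried offline.
$SampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1480',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812',
    '  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1480',
    '  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1124',
    '  UDP    0.0.0.0:53             *:*                                    1480'
)
Test-DnsRpcPort -NetstatLines $SampleNetstat -DnsPid 1480

# Live check on the server (uncomment to run):
# $dnsPid = (Get-Process -Name dns).Id
# Test-DnsRpcPort -NetstatLines (netstat -ano) -DnsPid $dnsPid
```

Against the constructed rows the check reports TCP 1025 as the RPC listener. Because the endpoint mapper hands out a different port each time the service starts, a firewall rule pinned to the port seen today is not a durable control; block or restrict the whole 1024-5000 range as the alert says, and re-run the check after applying the RpcProtocol workaround to confirm that only 53/tcp remains.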

IV. References

Other coverage:

http://feeds.ziffdavis.com/~r/ziffdavis/eweek/Security/~3/108846616/0,1759,2113872,00.asp

Microsoft Investigates DNS Attacks 

By Brian Prince

April 13, 2007 


Microsoft is investigating attacks exploiting a vulnerability in the Windows Server Domain Name System Service, as well as two types of hacks targeting Vista's OEM BIOS activation feature.

A company spokesperson said a very limited number of attacks exploiting the flaw in the Windows Server DNS Service have been seen in the wild.

"Our investigation reveals that this vulnerability could allow a criminal to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM," a Microsoft spokesperson said.

The problem stems from a stack-based buffer overrun in the Windows DNS Server's RPC (remote procedure call) interface implementation. RPC is a protocol a program can use to request a service from a program on another computer in a network. An attacker could try to exploit the vulnerability by sending a specially crafted RPC packet to an affected system.

The flaw affects Windows 2000 Server and Windows Server 2003 running the DNS Server Service, Microsoft officials stated in an advisory. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected, as these versions do not contain the vulnerable code. The name resolution functionality of the DNS service exposed over port 53 is not vulnerable to this attack.

According to the advisory, Microsoft is in the process of developing a security update for Windows that addresses the vulnerability. Company officials are advising users to:

  • disable remote management over RPC for DNS servers through the registry key setting, and
  • use a firewall to block all unsolicited inbound traffic on ports between 1024 and 5000.

"The RPC interface of Windows DNS is bound to a port in this range," the company explained in the advisory.

It has been a busy week for Microsoft on the security front. In addition to Patch Tuesday and subsequent reports of bugs affecting Microsoft Office, security officials at the Redmond, Wash.-based company are also looking into attacks aimed at Windows Vista's OEM BIOS activation feature. According to an April 10 blog post by Microsoft Senior Product Manager Alex Kochis, the OEM attacks have been launched in two ways. The first hack involves editing the BIOS on the motherboard, while the second uses a software-based approach to trick Windows Vista into functioning as if it's running on OA 2.0-enabled hardware, Kochis wrote.

Posted by ivan0914 (I'n Blog 之萬象真藏) on PIXNET.