Date: 09 May 2007
References: AU-2007.0013 AU-2007.0015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2007.0047 -- AUSCERT ALERT
[Win]
Windows DNS Server vulnerability may allow remote compromise
of Server 2003 and 2000 systems
9 May 2007
===========================================================================
AusCERT Alert Summary
---------------------
Product: Windows Server 2003 SP2 and prior
Windows 2000 Server SP4 and prior
Microsoft Small Business Server 2003
Microsoft Small Business Server 2000
Operating System: Windows
Impact: Administrator Compromise
Access: Remote/Unauthenticated
CVE Names: CVE-2007-1748
Original Bulletin:
http://www.microsoft.com/technet/security/advisory/935964.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
Revision History: May 9 2007: Microsoft released patches correcting
this vulnerability
April 20 2007: Information added on ports 139 and 445,
Small Business Server and current
activity
April 13 2007: Initial Release
OVERVIEW:
A vulnerability in the DNS Server component of Windows Server 2003
and Windows 2000 Server potentially allows remote compromise of
Windows DNS Servers. Small Business Server 2003 and 2000 products
are also affected.
Attacks and malicious software targeting this vulnerability have
been publicly reported.
System administrators should consider applying the patch listed
below as a matter of urgency.
IMPACT:
A remote attacker who can send RPC packets to a server running the
DNS service may potentially execute arbitrary code as local SYSTEM,
taking full control of the server.
MITIGATION:
An update fixing this vulnerability is now available [1].
Microsoft advisory [2] previously listed the following mitigation
strategies:
o Disable RPC management of the DNS server by setting the relevant
registry key. This can be done using Regedit, or alternatively
Microsoft provides a registry script to deploy this change in an
automated fashion.
o Block unsolicited inbound traffic to ports 139, 445 and 1024-5000
using the border firewall, IPsec policy on the server itself and/or
by using Windows advanced TCP/IP filtering.
DETAILS:
A stack-based buffer overrun exists in the RPC interface implementation
of the Windows DNS service.
Domain Controllers and Small Business Servers run the DNS service by
default, in addition to servers explicitly configured for the DNS server
role.
On servers running the DNS Server service an unauthenticated attacker
may exploit the vulnerability by sending a specially crafted RPC packet
to an affected system.
Only the listening RPC interfaces on the DNS server are vulnerable.
Traffic to port 53 will not trigger this vulnerability. The RPC
service listens on a dynamically assigned port in the range 1024 and
above.
Attackers may also connect to the DNS service's named pipe via SMB
connection on TCP ports 445 or 139. In a default configuration, access
via these ports requires an attacker to have or be able to guess valid
logon credentials, for example using an existing user account to
attack the server. If the Guest account has been enabled on the
server, this potentially allows exploitation via ports 445 or 139
without authentication.
Exploit code targeting both vectors is actively being used.
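The following PowerShell script is an added example, not part of the AusCERT
alert and not Microsoft's own tooling. It applies the first workaround from the
MITIGATION section (restricting the DNS service's RPC interface to local
access) and then lists the TCP ports dns.exe still listens on, so an
administrator can confirm that only port 53 remains exposed, as the DETAILS
section explains that port 53 traffic cannot reach the overrun. The registry
location and value (RpcProtocol = 4 under the DNS service's Parameters key)
are taken from Microsoft Security Advisory 935964 [2], not from this alert;
the function names are the example's own. Run it from an elevated prompt on
the DNS server itself.

```powershell
# Added example (not from the AusCERT alert): apply and verify the
# "disable RPC management of DNS" workaround from Microsoft Advisory 935964.
# Registry path and value come from that advisory; RpcProtocol = 4 keeps
# only the local (LPC) RPC transport, so no TCP/IP or named-pipe RPC
# endpoint is offered to the network. Remote DNS MMC management stops
# working until the value is removed and the service restarted.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'RpcProtocol'
$localOnly = 4   # LPC-only transport per Microsoft Advisory 935964

function Get-DnsRpcProtocol {
    # Returns the current RpcProtocol value, or $null when it has never
    # been set (the default, meaning TCP/IP and named-pipe RPC are active).
    $props = Get-ItemProperty -Path $dnsParams -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        return $props.$valueName
    }
    return $null
}

function Set-DnsRpcLocalOnly {
    # Creates or updates the value and restarts the DNS service, which only
    # reads RpcProtocol at start-up.
    $current = Get-DnsRpcProtocol
    if ($current -eq $localOnly) {
        Write-Host "RpcProtocol already set to $localOnly; nothing to do."
        return
    }
    if ($current -eq $null) {
        New-ItemProperty -Path $dnsParams -Name $valueName `
            -PropertyType DWord -Value $localOnly | Out-Null
    } else {
        Set-ItemProperty -Path $dnsParams -Name $valueName -Value $localOnly
    }
    Restart-Service -Name DNS
    Write-Host "RpcProtocol set to $localOnly (was '$current'); DNS service restarted."
}

function Show-DnsListeners {
    # The overrun is reachable only through the RPC endpoints, not port 53.
    # List every TCP port dns.exe is listening on: after the workaround the
    # dynamically assigned RPC port in the 1024+ range should no longer appear.
    $dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
    netstat -ano -p tcp |
        Where-Object { $_ -match 'LISTENING' -and $_ -match "\s$dnsPid\s*$" }
}

Set-DnsRpcLocalOnly
Show-DnsListeners
```

The listener check is deliberately based on the process ID rather than on a
fixed port, because the RPC endpoint is allocated dynamically at service start
and differs from server to server; what matters is whether dns.exe still
listens on any port other than 53. Note that this workaround does not cover
the named-pipe vector over SMB on ports 139 and 445 described above; that path
is closed by the same registry value only because RpcProtocol = 4 also drops
the named-pipe transport, so the port listing should be combined with the
firewall or IPsec filtering listed in the MITIGATION section.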
REFERENCES:
[1] Microsoft Security Bulletin MS07-029
http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
[2] Microsoft Security Advisory (935964)
http://www.microsoft.com/technet/security/advisory/935964.mspx
[3] SANS ISC report of possible exploit activity
http://isc.sans.org/diary.html?storyid=2584
[4] Microsoft Security Response Center weblog
http://blogs.technet.com/msrc/archive/2007/04/15/situation-update-on-microsoft-security-advisory.aspx
[5] Microsoft Security Response Center weblog
http://blogs.technet.com/msrc/archive/2007/04/19/update-and-clarifications-in-microsoft-security-advisory-935964.aspx
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRkEnBih9+71yA2DNAQI4TwP/aXZY9rEAtNvVAkaBjivLVvbB4eoys/m5
CjdIDZizNzcOqs8kn0JybR1LZuYybWRjVPGa7vupeDg99MyR5mwneKTbprkMKNoj
gnlWts7sF4rylq4dvkBBkGbDF/H3mowvXBAxf14TNMIilsBCqjm1Ra1Toq2IEV0j
4bMa6o+GaXA=
=dMqv
-----END PGP SIGNATURE-----