It surprises me how basic this exploit is. You choose an important target (Windows domain controller), you select a slightly obscure corner (DNS on a DC), you find boundary conditions to violate (int16 overflow). You keep pushing until something gives.<p>What you need to find this is effort and solid engineering, not genius. Which means the bug itself is fairly trivial and hence avoidable low-hanging fruit. A code review or security audit should find this.<p>This is pretty damning for Microsoft and the software industry in general.
<a href="https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/" rel="nofollow">https://msrc-blog.microsoft.com/2020/07/14/july-2020-securit...</a><p>> Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected.
70% of bugs patched on Windows are memory bugs (buffer overflow, use after free, etc.), linked source below. If someone could make a fuzzer that actually finds these, the nature of our constant security update world would change.
<a href="https://msrc-blog.microsoft.com/2019/07/16/a-proactive-approach-to-more-secure-code/" rel="nofollow">https://msrc-blog.microsoft.com/2019/07/16/a-proactive-appro...</a>
Here is the registry workaround for those that cannot patch right now. [0]<p><i>To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that's allowed:</i><p><pre><code> Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize
Type: DWORD
Value data: 0xFF00
</code></pre>
<i>The default (also maximum) Value data = 0xFFFF.</i>
<i>The recommended Value data = 0xFF00 (255 bytes less than the maximum).</i>
<i>You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:</i><p><pre><code> net stop dns && net start dns
</code></pre>
[0] - <a href="https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability" rel="nofollow">https://support.microsoft.com/en-us/help/4569509/windows-dns...</a>
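The workaround above as a scripted, idempotent PowerShell version, added here as an example that is not part of the comment or of Microsoft's KB article. It assumes an elevated PowerShell session on the DNS server itself; the registry path, value name and 0xFF00 value are the ones the KB gives, and it reads the value back before restarting the service so a failed write is caught rather than silently leaving the 0xFFFF default in place.

```powershell
# Added example (not from the comment or Microsoft's KB): apply the
# TcpReceivePacketSize mitigation for CVE-2020-1350 and restart DNS.
# Assumes an elevated PowerShell session on the Windows DNS server.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName   = 'TcpReceivePacketSize'
$Recommended = 0xFF00   # 65280; the default (and maximum) is 0xFFFF

# Show the current state. An absent value means the 0xFFFF default applies.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName not set; default 0xFFFF (65535) is in effect"
} else {
    Write-Host ("{0} currently 0x{1:X4} ({1})" -f $ValueName, $current)
}

# Create the DWORD if it does not exist, otherwise overwrite it.
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Recommended | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Recommended
}

# Read it back before bouncing the service; stop if the write did not take.
$applied = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($applied -ne $Recommended) {
    throw ("Failed to set {0}; read back 0x{1:X4}" -f $ValueName, $applied)
}

# Equivalent of 'net stop dns && net start dns' from the KB.
Restart-Service -Name DNS -Force
Get-Service -Name DNS | Select-Object Name, Status
```

This caps inbound TCP DNS responses at 0xFF00 bytes, so legitimate responses larger than that would be refused while the workaround is in place; it is a stopgap until the July 2020 update is installed, after which the value can be removed with Remove-ItemProperty and the service restarted again.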