Bugs in Windows DNS client open millions of users to attack

In this month’s Patch Tuesday, Microsoft has included fixes for multiple critical memory corruption vulnerabilities in the Windows DNS client, which could be exploited by attackers to gain access to the target’s system.

Windows DNS client bugs

About the vulnerabilities

The vulnerabilities, collectively identified as CVE-2017-11779, were discovered by Bishop Fox researcher Nick Freeman, and there is no indication that they have been exploited in attacks in the wild.

They are present in Windows 8 through Windows 10, and Windows Server 2012 through 2016.

“Windows added client functionality for DNSSEC in Windows 8 and Server 2012, with the introduction of several new DNS records. This functionality came along with a vulnerability in one of the records used for DNSSEC: NSEC3,” Freeman explained.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record. Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

Exploitation

But, because the record is malformed, it won’t be able to pass through the normal DNS system (the servers along the way will drop it). This limits the exploitation of the flaws, making it possible only if the attacker is between the user and the DNS server he or she is using, i.e. if the attacker is on the same network as the target.

For example: if the target is using free Wi-Fi at an airport, and the attacker has made it so that all network communications made by the target’s laptop are directed to the attacker’s computer (e.g. has created a rogue hotspot), the attacker can respond with malformed DNS responses to the target computer’s DNS requests and thus trigger the vulnerability. Another way to achieve the same power is through a man-in-the-middle attack.

“The average user’s biggest concern would be the scenario that their laptop (corporate or otherwise) is exposed to a malicious Wi-Fi network, or if an attacker has access to a wired network they are connected to. If an attacker has a foothold in your corporate network, they may exploit this issue to gain access to additional systems, possibly stealing sensitive information about customers or operations,” the company noted in a FAQ document accompanying the public revelations of the flaws.

No user action required

DNS requests are performed by computers all the time – not just when users browse the Internet. Most of the time the program that makes the request doesn’t see the response directly, as it goes through the DNS caching service. But, if the DNS cache service crashes, the next DNS response will go directly to the program that made the request.

“This means that an attacker could crash the DNS caching service, and wait until a DNS query that is known to be related to a sensitive system task, like Windows Update. The attacker could potentially respond to this request with the malicious code execution payload and successfully gain complete control over the victim’s system,” Freeman noted.

“These vulnerabilities have several desirable attributes for exploitation: the vulnerability can be triggered without user interaction, it can affect processes running at different privilege levels (including SYSTEM) and the DnsCache service under svchost.exe restarts on failure. This means an attacker can first kill the DnsCache service to have a more deterministic starting state of the heap, exploit the issue multiple times to leak addresses for defeating ASLR, and then use the disclosed addresses when delivering the final exploit.”

The company noted that there are mitigations that make this issue harder to exploit, but not prevent exploitation altogether, so enterprise admins and end users alike should implement the patches provided today by Microsoft.