Thursday, April 19, 2007

CERTStation Radio on Podcast Bunker

The guys over at Podcast Bunker have accepted our podcast onto their listings.

Wednesday, April 18, 2007

This week's Podcast - 16 Apr

This week's podcast covered:

Windows DNS Service zero-day flaw exploited in targeted attacks, while Microsoft is hit by a slew of new zero-day flaws; a new Storm Worm outbreak hits the Internet; and finally, Cisco fixes WiFi flaws.

Tuesday, April 17, 2007

Blackhat Wednesday

It looks like Blackhats are increasingly releasing vulnerabilities in the days immediately after Patch Tuesday in an effort to cause as much frustration as possible for Microsoft. We expect this trend to continue. So enterprises not only have to contend with deploying Microsoft patches on one day, but can also expect a major vulnerability the day after.

Microsoft DNS Server Remote Code Advisory

Microsoft released their advisory on 12 Apr 07 and hackers reacted quickly with working exploits the very next day. By Apr 14th, working exploits were out in the wild for script kiddies and crackers to add to their Internet worms.

What you need to know

The vulnerability lies in Lookup_ZoneTreeNodeFromDottedName(), which calls the vulnerable function Name_ConvertFileNameToCountName() to convert a string. That function accepts backslash characters, and the checks it performs while writing to the buffer can be bypassed using multiple backslashes, which results in a stack overflow.

Public Exploits

The publicly available exploits contain a port 4444 bind payload with intelligent dynamic RPC port detection, automatic target selection using OS fingerprinting, a /GS bypass technique (with DEP disabled), and universal local/remote exploits.
Metasploit released its exploit code on 15 Apr 07, which targets Windows 2000 and 2003 Server. Attackers or pen testers can use any of their favourite payloads with the exploit, but the downside is that it lacks dynamic port detection and the /GS bypass. Longhorn is also vulnerable to this exploit.

Hardware DEP

Initial analysis suggests that systems with hardware DEP enabled are not vulnerable to this exploit because of the hardware-based protection against stack overflows.

The Metasploit exploit attacks port 135 or 593, although a custom port can be chosen. It does not auto-detect the port on which the RPC service is listening, so this has to be tested for manually. Port 53 is not vulnerable, so no attack vectors will be found there.

Port 445 is one of the most commonly attacked ports because the public exploit uses it as its default, but over 445 the exploit only works for attackers holding valid authentication credentials.

The RPC interface of Windows DNS binds to a port in the range 1024-5000, so it is a good idea to filter this range at the firewall. Rinbot scanning for port 1025 (DNS/RPC) has also been detected. Monitor the attacked ports through the CERTStation Dashboard.
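As an added example (not CERTStation's code, and not taken from any exploit), the following Python script applies the port guidance above to constructed firewall log lines: it flags inbound TCP connections to assumed DNS server addresses on 135, 593, 445 and the 1024-5000 RPC range, ignores port 53, and picks out sources that touch several watched ports, as a Rinbot-style scanner would. The log line format, the server addresses and the three-port scanning threshold are assumptions made for the example.

```python
"""Flag inbound connections to the ports a Windows DNS RPC exploit would hit.

Added example, not CERTStation's code. It parses constructed firewall log
lines of the form "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
and reports hits against a watch list derived from the post above.
"""
import re

# Assumed addresses of the Windows DNS servers being watched (constructed).
DNS_SERVERS = {"192.0.2.10", "192.0.2.11"}

# Ports named in the post: Metasploit defaults 135/593, the public exploit's
# default 445, and the 1024-5000 range the DNS RPC interface binds to.
FIXED_WATCH_PORTS = {135, 593, 445}
RPC_EPHEMERAL = range(1024, 5001)

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)


def classify_port(port):
    """Return why a destination port is interesting, or None if it is not."""
    if port in FIXED_WATCH_PORTS:
        # 445 only works for the attacker with valid credentials, so label it apart.
        return "smb-authenticated-path" if port == 445 else "rpc-endpoint"
    if port in RPC_EPHEMERAL:
        return "dns-rpc-range"
    return None  # e.g. port 53: ordinary DNS traffic, not an attack vector here


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspicious(lines, dns_servers=DNS_SERVERS):
    """Return (src, dst, dport, label, action) for inbound TCP hits on DNS servers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dst"] not in dns_servers:
            continue
        label = classify_port(rec["dport"])
        if label is None:
            continue
        hits.append((rec["src"], rec["dst"], rec["dport"], label, rec["action"]))
    return hits


def scanners(hits, threshold=3):
    """Sources touching >= threshold distinct watched ports look like scanning."""
    ports_by_src = {}
    for src, _dst, dport, _label, _action in hits:
        ports_by_src.setdefault(src, set()).add(dport)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= threshold)


# Constructed sample log (addresses from documentation ranges, not real hosts).
SAMPLE_LOG = [
    "2007-04-17 09:12:01 TCP 198.51.100.7:51234 -> 192.0.2.10:135 ALLOW",
    "2007-04-17 09:12:02 TCP 198.51.100.7:51235 -> 192.0.2.10:1025 ALLOW",
    "2007-04-17 09:12:03 TCP 198.51.100.7:51236 -> 192.0.2.10:1026 DENY",
    "2007-04-17 09:12:04 UDP 203.0.113.5:40000 -> 192.0.2.10:53 ALLOW",   # normal DNS
    "2007-04-17 09:12:05 TCP 203.0.113.9:40001 -> 192.0.2.10:53 ALLOW",   # TCP DNS, fine
    "2007-04-17 09:12:06 TCP 203.0.113.20:40002 -> 192.0.2.11:445 ALLOW",
    "2007-04-17 09:12:07 TCP 203.0.113.20:40003 -> 192.0.2.99:1025 ALLOW",  # not a DNS host
    "this line is garbage and should be skipped",
]

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for hit in found:
        print("hit: %s -> %s:%d [%s] %s" % hit)
    print("possible scanners:", scanners(found))
```

Run against real firewall exports the regex would need adjusting to the vendor's format; the useful part is the classification, which treats port 53 as benign and separates the credentialed 445 path from the unauthenticated RPC endpoints and the 1024-5000 range.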