Title: Microsoft Windows DNS Server Escaped Zone Name Parameter Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
Microsoft Windows Domain Name System (DNS) Server Service is an internet directory service that translates domain names into IP addresses.
Microsoft Windows DNS Server Service is prone to a stack-based buffer-overflow vulnerability in its Remote Procedure Call (RPC) Interface. The RPC Interface is typically bound to TCP ports between 1024 and 5000. This issue is not exploitable over default DNS ports TCP/UDP 53.
Specifically, the vulnerability occurs in the 'Name_ConvertFileNameToCountName' function when processing an escaped zone name 'pszone' parameter that exceeds 256 bytes. When the affected function encounters a '\' character, a call is made to the 'extractQuotedChar()' function to handle the escaped character. When returning from this call, the vulnerable function fails to perform any boundary checks before incrementing the associated stack buffer offset. An attacker may exploit this issue by submitting a repeated sequence of '\' characters and a malicious byte pattern.
Attacks against Windows 2003 SP2 are also possible via the '\PIPE\DNSSERVER' named pipe over TCP ports 139 and 445. To exploit this issue over TCP ports 139 and 445, attackers must first successfully authenticate.
A remote attacker may exploit this issue to cause arbitrary code to run in the context of the DNS Server Service. Since the context is 'SYSTEM', this vulnerability may facilitate the remote compromise of affected computers.
Details on this vulnerability are still emerging.
Windows Server 2000 Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are confirmed vulnerable to this issue.
Microsoft Windows 2000 Professional SP4, Windows XP SP2, and Windows Vista are not affected by this vulnerability.
Affected Products:
- Microsoft Small Business Server 2000 0.0.0
- Microsoft Small Business Server 2003 0.0.0
- Microsoft Small Business Server 2003 Premium Edition 0.0.0
- Microsoft Windows 2000 Server SP4
- Microsoft Windows Server 2003 Datacenter x64 Edition SP2
- Microsoft Windows Server 2003 Enterprise x64 Edition SP2
- Microsoft Windows Server 2003 Itanium SP1
- Microsoft Windows Server 2003 Itanium SP2
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003 SP2
- Microsoft Windows Server 2003 x64 SP1
- Microsoft Windows Server 2003 x64 SP2
References:
- Michael Howard: Lessons Learned from MS07-029: The DNS RPC Interface Buffer Overrun
- Microsoft: Microsoft Knowledge Base Artcile 936263: New KB article to help deploy DNS remot
- Microsoft: Microsoft Security Advisory (935964)
- Microsoft: Microsoft Security Bulletin MS07-029
- Microsoft: Microsoft Windows Homepage
- Microsoft: Update on Microsoft Security Advisory 935964
- Microsoft Security Response Center: Microsoft Security Advisory 935964 Posted
- Nortel: Nortel Response to Microsoft Security Bulletin MS07-029 - BULLETIN ID: 200700797
- SANS: Handler's Diary: Microsoft Vulnerability in RPC on Windows DNS Server
- US-CERT: US-CERT Vulnerability Note VU#555920 - Microsoft Windows DNS RPC buffer overflow
- US-CERT: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
- eEye Digital Security: EEYEZD-20070407 Microsoft DNS RPC
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
