SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#555920

Microsoft Windows DNS RPC buffer overflow

Overview

The Microsoft DNS service Remote Procedure Call (RPC) implementation contains a stack buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.

I. Description

The Microsoft Windows DNS service uses RPC to facilitate remote management. The Microsoft Windows DNS service RPC management interface contains a stack-based buffer overflow. This vulnerability can be triggered by sending a specially crafted RPC packet to the RPC management interface. The management interface typically operates on a dynamically-assigned port between 1024/tcp and 5000/tcp.

This vulnerability can also be exploited via the ports used by SMB services (139/tcp, 139/udp, 445/tcp, and 445/udp). However, this attack vector requires valid authentication credentials.

More information on this vulnerability, including a list of affected products is available in Microsoft Security Bulletin MS07-029.

Exploit code for this vulnerability is publicly available, and it is being actively exploited.

II. Impact

A remote attacker may be able to execute arbitrary code with SYSTEM privileges.

III. Solution

Apply an update

This vulnerability is addressed by the updates included with Microsoft Security Bulletin MS07-029.

Until an update can be applied, the following workarounds may reduce the chances of exploitation. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. For instance, disabling the RPC interface of the DNS service may prevent administrators from being able to remotely manage a Microsoft Windows DNS server. Consider this when implementing the following workarounds:

Disable the RPC interface used by the Microsoft Windows DNS service

This workaround will configure the DNS management service to to function only via Local Procedure Call (LPC). This prevents exploitation of the vulnerability, however it also disables remote management via RPC, which is used by the Microsoft Management Console (MMC) DNS snap-in.

According to Microsoft SecurityBulletin MS07-029, the RPC remote management can be disabled by taking the following steps:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”.
  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.
  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.
  5. Double click on the newly created value and change the value's data to 4.
Alternatively, the following text can be saved as a .REG file and imported:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

    "RpcProtocol"=dword:00000004
This will restrict the DNS management interface to Local Procedure Call (LPC) only. Note that the DNS service needs to be restarted for the above changes to take effect. More information on regedit.exe is available in Microsoft Knowledge Base Article Q82821.

Additional information regarding how to disable remote administration of the DNS Server service in Windows Server 2003 and in Windows 2000 Server can be found in Microsoft Knowledge Base Article 936263.

Block or Restrict access to RPC at the network perimeter

This workaround will restrict TCP/IP access to all RPC interfaces, including the vulnerable DNS management RPC interface. This workaround will not prevent exploitation of the vulnerability, but will limit the possible sources of attacks. This workaround will allow remote management using the RPC interface (MMC DNS Snap-in) from selected networks.

Access to the RPC Endpoint Mapper service (135/tcp), the ports assigned by the RPC Endpoint Mapper (by default 1024/tcp to 5000/tcp), and SMB services (139/tcp, 139/udp, 445/tcp, and 445/udp) should be blocked at your network perimeter. This will limit your exposure to attacks. Note that blocking RPC and SMB at the network perimeter will still allow attackers within the perimeter of your network to exploit this vulnerability.

All unsolicited traffic on the ports listed above should be blocked.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable8-May-2007

References


http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
http://www.microsoft.com/technet/security/advisory/935964.mspx
http://support.microsoft.com/kb/936263
http://support.microsoft.com/kb/813963/
http://support.microsoft.com/kb/q82821
http://secunia.com/advisories/24871/
http://blogs.technet.com/msrc/archive/2007/04/12/microsoft-security-advisory-935964-posted.aspx

Credit

This vulnerability was reported in Microsoft Security Advisory (935964).

This document was written by Jeff Gennari.

Other Information

Date Public:2007-04-13
Date First Published:2007-04-13
Date Last Updated:2007-05-08
CERT Advisory: 
CVE-ID(s):CVE-2007-1748
NVD-ID(s):CVE-2007-1748
US-CERT Technical Alerts: 
Metric:49.14
Document Revision:141

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader