Microsoft DNS Server Vulnerability

Worm Hole Patched After First Attacks

APRIL 2007 -- Spring has been a challenge for Microsoft. The software company released a patch for a new vulnerability in its DNS Server service that was already being used in attacks on servers. As predicted, by April 17, 2007, the Microsoft DNS server bug had already started to be exploited. Attackers can use this flaw to take control of an internal DNS server, a real and very serious danger. Critics now question why Microsoft did not release a patch earlier, given when it learned of the vulnerability. Believe it or not, Microsoft announced the bug only after the first attacks.

According to security experts, an attacker can use the vulnerability in Microsoft's DNS Server service to take control of the server or modify its DNS records. The attacker can then use the server as a platform for further attacks or to sabotage an entire company or organization. Reports say that Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2 are all affected and at high risk. The bug is reportedly also present in Longhorn Server.

DNS is a great way to silently redirect web traffic to a malicious site, and that is exactly the aim of these attacks. But how does an attacker gain control of the DNS server? The bug is not in the DNS protocol itself, and it is not reached through the name-resolution listener on port 53. It lies in the server software, in the way Microsoft's DNS Server service handles remote procedure calls (RPCs) on its management interface. That RPC interface listens on a dynamically assigned port in the range 1024 to 5000, and the bug is triggered when it processes a malformed request sent to that port.

Enterprise customers with large internal networks need to act quickly to prevent attacks. The flaw lets a remote, unauthenticated attacker execute arbitrary code with SYSTEM privileges by sending specially crafted requests to a vulnerable system. In other words, the attacker gains complete control over the server.

For worm propagation, this vulnerability is a very big target. How does it really work? If the attacker can penetrate the DNS server via the flawed RPC interface, he can add a backdoor account and restart the server, and the server is then under his control. Even where the attacker does not get that far, the simplest outcome is a denial-of-service (DoS) attack against the target organization's DNS server, since a failed exploit attempt crashes the service.

Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected, because these client versions do not ship the DNS Server service and so do not contain the vulnerable code. One estimate puts the number of organizations on the Internet that have not configured their Microsoft DNS service properly in the thousands.

And what does Microsoft have to say? Until the official patch is installed, the software giant advises customers to disable remote management over RPC for DNS servers through a registry setting, to enable advanced TCP/IP filtering on affected systems so that all unsolicited inbound traffic is blocked, and to block the affected ports, 1024 to 5000, using IPsec.
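The registry workaround in practice, as an added example that is not from the article or from Microsoft's own advisory text: the script below records the DNS Server service's current RpcProtocol value, sets it to 4 (local procedure calls only, which switches off remote RPC management while local administration on the box keeps working), restarts the service so the change takes effect, and then lists the TCP ports dns.exe is still listening on so you can confirm the dynamically assigned management port is gone. The registry path, value name and service name are Microsoft's; the variable names and output format are this example's own assumptions. Run it in an elevated PowerShell session on the DNS server itself.

```powershell
# Added example: apply and verify the "disable remote RPC management" workaround
# for the Microsoft DNS Server service. Run as Administrator on the DNS server.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Record the current setting. No value present means the default:
#    remote management over RPC is enabled, i.e. the server is exposed.
$before = (Get-ItemProperty -Path $key -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
if ($null -eq $before) { $before = '(not set: remote RPC management enabled)' }
Write-Host "RpcProtocol before: $before"

# 2. RpcProtocol is a bitmask: 1 = TCP/IP, 2 = named pipes, 4 = LPC.
#    A value of 4 keeps only local procedure calls, so the RPC management
#    interface no longer accepts requests arriving from the network.
Set-ItemProperty -Path $key -Name RpcProtocol -Value 4 -Type DWord

# 3. The DNS Server service reads the value at start-up, so restart it
#    (short outage for name resolution; schedule accordingly).
Restart-Service -Name DNS -Force

# 4. Verify the value stuck, then show which TCP ports dns.exe still listens on.
#    After the workaround, the dynamically assigned RPC port in the 1024-5000
#    range should no longer appear; TCP 53 (the DNS protocol itself) remains.
$after = (Get-ItemProperty -Path $key -Name RpcProtocol).RpcProtocol
Write-Host "RpcProtocol after:  $after"
$dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
netstat -ano -p tcp | Select-String "LISTENING\s+$dnsPid\s*$"
```

Two caveats a practitioner will want: with RpcProtocol set to 4, the DNS management console and dnscmd will no longer reach this server from other machines, so administer it locally until the patch is applied and the value is removed; and the workaround only closes the RPC management path, so the IPsec or TCP/IP filtering rules the article mentions are still worthwhile as defense in depth on servers that cannot be restarted immediately.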

Source: darkreading

About Secure64 Software Corporation
Secure64® is a software developer providing highly secure DNS and server applications with built-in denial-of-service protection features to help ensure your Internet-dependent business is always accessible. Based on the genuinely secure SourceT® microOS, Secure64 DNS remains highly available during network attacks and is immune to compromise from rootkits and malware.