Vulnerability can be exploited in coffee-shop man-in-the-middle attacks
Vulnerability can be exploited in coffee-shop man-in-the-middle attacks

Security researchers have advised the patching of a critical vulnerability in the DNS client used in Windows. The flaw could allow hackers to gain access to a target system.

The flaw, identified as CVE-2017-11779, was discovered by Bishop Fox researcher Nick Freeman. It could enable an attacker to gain full control of the targeted Windows machine without the victim taking any action at all.

The bug was found in Microsoft's implementation of one of the data record features used in the secure Domain Name System protocol, DNSSEC. This protocol adds security for DNS by digitally signing and validating DNS so that it can't be faked.

“Windows added client functionality for DNSSEC in Windows 8 and Server 2012, with the introduction of several new DNS records. This functionality came along with a vulnerability in one of the records used for DNSSEC: NSEC3,” said Freeman in a blog post.

“The Windows DNS client doesn't do enough sanity checking when it processes a DNS response that contains an NSEC3 record. Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

As the record is malformed, it won't be able to pass through the normal DNS system. Servers along the way will drop it because it doesn't fit the standard for NSEC3 records. 

For an attacker to exploit this issue, they need to be between you and the DNS server you're using. For example, if you're using coffee shop Wi-Fi and someone is tampering with it, or if they've hacked your cable router – they can modify DNS responses that your computer receives, according to Freeman.

According to an FAW accompanying the blog post, the biggest concern for a user would be if a system is exposed to a malicious Wi-Fi network, or if an attacker has access to a wired network they are connected to.

“If an attacker has a foothold in your corporate network, they may exploit this issue to gain access to additional systems, possibly stealing sensitive information about customers or operations,” the FAQ stated.

Freeman said that if the DNS cache service crashes, the next DNS response will go directly to the application that made the request.

“This means that an attacker could crash the DNS caching service, and wait until a DNS query that is known to be related to a sensitive system task, like Windows Update. The attacker could potentially respond to this request with the malicious code execution payload and successfully gain complete control over the victim's system,” he said.

He added that an attacker has unlimited attempts to exploit it.

“The DNS caching service that handles the storage of DNS responses automatically restarts when it crashes, and it won't notify the user of the crash. So, an attacker can respond to requests coming directly from applications with innocuous responses, to ensure the caching service restarts, and then attack that service repeatedly. This can help an attacker bypass some of the protections Microsoft has built into Windows to protect against memory corruption vulnerabilities,” said Freeman.

Freeman added that the flaws have have several desirable attributes for exploitation: the vulnerability can be triggered without user interaction, it can affect processes running at different privilege levels (including SYSTEM) and the DnsCache service under svchost.exe restarts on failure.

“This means an attacker can first kill the DnsCache service to have a more deterministic starting state of the heap, exploit the issue multiple times to leak addresses for defeating ASLR, and then use the disclosed addresses when delivering the final exploit,” he warned.

Freeman added that the issue can be exploited on a local network without user interaction, and deserves attention and timely patching.

Luke Potter, head of Cyber-security practice at SureCloud, told SC Media UK that as an organisation, it is essential to ensure that DNS servers are hardened against compromise and that they regularly undergo a penetration test to highlight any risks.

“Protecting your DNS infrastructure is critical to any organisation's InfoSec programme, irrespective of this bug. Making sure the systems you own and control are robustly protected will help mitigate it being exploited by an attacker if the clients aren't yet patched,” he said.

“To exploit this vulnerability the attacker needs control of a DNS server that your clients are making requests to. As highlighted in the link, it's much easier to achieve this if the attacker is on the same local network as you, for example on an open wireless network.”

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that users should consider applying the Microsoft security patches released in October 2017. “Considering that Windows 10 automatically downloads and installs security updates after reboots, it's only Windows 8 users that should consider manually updating their operating systems, if they haven't done so already,” he said.