securityvulns SECURITYVULNS:DOC:16701 (via vulners.com), Apr 13, 2007
Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
Published: April 12, 2007

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
General Information

Overview

Purpose of Advisory: To provide customers with initial notification of limited attacks exploiting a vulnerability in the Domain Name System (DNS) Server Service. For more information see the “Suggested Actions” section of the security advisory.

Advisory Status: Issue Confirmed. Security Update Planned.

Recommendation: Review the suggested actions and configure as appropriate.
References

CVE Reference: CVE-2007-1748

Microsoft Knowledge Base Article: 935964

Related Software

This advisory discusses the following software:

Microsoft Windows 2000 Server Service Pack 4

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 Service Pack 2

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of limited attacks that exploit a vulnerability affecting the RPC interface of the Microsoft DNS service.

Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is completing development of a security update for Windows that addresses this vulnerability.

What causes the vulnerability?
A stack-based buffer overrun exists in the Windows DNS Server's RPC interface implementation.

How could an attacker exploit the vulnerability?
On Windows 2000 Server and Windows Server 2003 running the DNS Server Service an anonymous attacker could try to exploit the vulnerability by sending a specially crafted RPC packet to an affected system.

Is my DNS Server vulnerable to attack over port 53?
The name resolution functionality of the DNS service exposed over port 53 is not vulnerable to this attack.

What is Remote Procedure Call (RPC)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

What versions of Microsoft Windows are associated with this advisory?
This advisory discusses Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

Suggested Actions

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable remote management over RPC capability for DNS Servers through the registry key setting.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in regedit.exe.

Note We recommend backing up the registry before you edit it.

On the start menu click 'Run' and then type 'Regedit' and then press enter.

Navigate to the following registry location:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

On the 'Edit' menu select 'New' and then click 'DWORD Value'

Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

Double click on the newly created value and change the value's data to '4' (without the quotes).

Restart the DNS service for the change to take effect.

Managed Deployment Script

The following sample registry script can be used to enable this registry setting:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

"RpcProtocol"=dword:00000004

The above registry script can be saved to a file with a .REG file extension and can be deployed silently as part of an automated deployment script using regedit.exe using the /s command line switch.

The DNS service needs to be restarted for this change to take effect.

For help using regedit.exe to deploy registry scripts, please refer to Microsoft Knowledge Base Article Q82821: Registration Info Editor (REGEDIT) Command-Line Switches.

How to undo workaround: To undo the workaround perform the following steps:

On the start menu click 'Run' and then type 'Regedit' and then press enter.

Navigate to the following registry location:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

Select the RpcProtocol value.

Right click on the RpcProtocol value and select Delete.

Restart the DNS service for the change to take effect.

RpcProtocol registry key values

The value '4' used above restricts the DNS RPC interface to LPC only. The RpcProtocol value is a bitmask: combine (bitwise OR) the flags below to select which transports the DNS RPC interface accepts.

#define DNS_RPC_USE_TCPIP       0x1

#define DNS_RPC_USE_NAMED_PIPE  0x2

#define DNS_RPC_USE_LPC         0x4

Setting the value to 0 will disable all DNS RPC.

You can re-configure the DNS server’s management interface to accept only LPC by setting a value in the registry.
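The following PowerShell script is an added example and not part of the Microsoft advisory: it audits the current RpcProtocol bitmask using the flag values listed above, applies the LPC-only workaround, restarts the service, and verifies the result. It assumes an elevated prompt on the affected server, PowerShell 3.0 or later, and that the DNS Server service is registered under the name "DNS".

```powershell
# Added example (not from the advisory): audit and apply the RpcProtocol workaround.
# Run elevated on the DNS server; the service name "DNS" is an assumption.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'

# Transport bit flags quoted in the advisory; RpcProtocol is a bitwise OR of them.
$Flags = [ordered]@{
    'TCP/IP'     = 0x1   # DNS_RPC_USE_TCPIP      (remote RPC over TCP)
    'Named pipe' = 0x2   # DNS_RPC_USE_NAMED_PIPE (remote RPC over SMB)
    'LPC'        = 0x4   # DNS_RPC_USE_LPC        (local calls only)
}

function Get-DnsRpcTransports {
    # Decode an RpcProtocol value into the list of transports it enables.
    param([int]$Value)
    $enabled = foreach ($f in $Flags.GetEnumerator()) {
        if ($Value -band $f.Value) { $f.Key }
    }
    if (-not $enabled) { return @('none (all DNS RPC disabled)') }
    return @($enabled)
}

# 1. Audit. An absent value means the default: all three transports enabled,
#    so the RPC management interface is reachable remotely.
$current = (Get-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName not set: default, remote RPC management is exposed"
} else {
    Write-Host ("{0} = 0x{1:X}: {2}" -f $ValueName, $current, ((Get-DnsRpcTransports $current) -join ', '))
}

# 2. Apply the workaround: restrict the management interface to LPC only (value 4).
Set-ItemProperty -Path $ParamsKey -Name $ValueName -Value $Flags['LPC'] -Type DWord

# 3. The change takes effect only after the DNS Server service restarts.
Restart-Service -Name DNS -Force

# 4. Verify the value that is now in effect.
$after = (Get-ItemProperty -Path $ParamsKey -Name $ValueName).$ValueName
Write-Host ("{0} now = {1}: {2}" -f $ValueName, $after, ((Get-DnsRpcTransports $after) -join ', '))
```

To undo the workaround, remove the value with Remove-ItemProperty on the same key and restart the service again, as described in the undo steps above.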

Impact of Workaround: Remote management and configuration of DNS server functionality using RPC or WMI will be disabled. DNS management tools will fail to work remotely. Local management and remote management through terminal services can still be used to manage your DNS Server configuration.

You will still be able to use the DNS management MMC Snap-in, DNSCMD.exe, and the DNS WMI provider.

Block the following at the firewall:

All unsolicited inbound traffic on ports between 1024 and 5000

The RPC interface of Windows DNS is bound to a port in this range. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site.

Impact of Workaround: Remote management of DNS server functionality using RPC will be disabled. DNS management tools will fail to work remotely. Local and remote management through terminal services can still be used to manage your DNS Server configuration.

This includes the DNS management MMC Snap-in, DNSCMD.exe, and the DNS WMI provider. Additional management and control functionality may be lost for applications or components that use affected ports.

Enable advanced TCP/IP filtering on systems

You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

Block the affected ports 1024 to 5000 by using IPsec on the affected systems

Use Internet Protocol security (IPsec) to help protect network communications. Detailed information about IPsec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

Impact of Workaround: Remote management of DNS server functionality using RPC will be disabled. DNS management tools will fail to work remotely. Local and remote management through terminal services can still be used to manage your DNS Server configuration.

This includes the DNS management MMC Snap-in, DNSCMD.exe, and the DNS WMI provider. Additional management and control functionality may be lost for applications or components that use affected ports.

Protect Your PC

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Resources:

You can provide feedback by completing the form at the following Web site.

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

April 12, 2007: Advisory published.