Topic: Microsoft DNS RPC Management Vulnerability (935966)


Amker

Type: Buffer Overflow
Impact of exploitation: Remote Code Execution
User interaction: No user interaction is needed
Attack vector: Malicious remote network traffic
Rating: Critical
CVE reference: CVE-2007-1748
Vendor status: Responded and patched
Vulnerable systems: Windows 2000 Server SP4; Windows 2003 SP1 - SP2

Summary
A vulnerability in the Microsoft Windows DNS Server Service may allow for remote code execution. An attacker does not need to be authenticated in order to exploit this vulnerability.

Timeline -

5/8/2007: Vendor has provided a patch.
4/18/2007: Exploit code has been released.
4/16/2007: An Internet Relay Chat Worm that exploits this vulnerability is found in the wild.
4/15/2007: Exploit code has been released.
4/15/2007: Exploit code has been released.
4/15/2007: Exploit code has been released.
4/14/2007: Exploit code has been released.
4/12/2007: Vendor has provided information on the vulnerability. A targeted attack has been reported.

Description -

Microsoft Windows DNS Server service is a domain name service daemon included with Windows 2000, XP, 2003, and Vista. A vulnerability in the Microsoft Windows DNS Server Service may allow for remote code execution. Specially crafted RPC traffic sent to this service would compromise the service and allow the attacker full control over a vulnerable machine. An attacker does not need to be authenticated in order to exploit this vulnerability. Windows 2000 and 2003 are affected by this vulnerability.
Recommendations -

Download and install the patch available from Microsoft (935966): http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx
McAfee Product Mitigation

McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
Signature: Windows DNS Server Service RPC Vulnerability (Intrusive)
Signature identifier: 5075
Release date: 4/13/2007

McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
Signature: Windows DNS Server Service RPC Vulnerability (Credentialed)
Signature identifier: 5076
Release date: 4/13/2007

McAfee Intrushield
This signature provides coverage for this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
Signature: DCERPC: Windows DNS Server Service RPC Vulnerability
Signature identifier: 0x47603300
Release date: 4/17/2007
First released in: sigsets 2.1.64.1, 3.1.37.1

McAfee Host IPS
This signature provides coverage for this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
Signature: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Signature identifier: 3840
Release date: 4/16/2007
First released in: Security Content Update 1090

McAfee Host IPS
Out of the box, HIPS protects against many buffer overflow exploits. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
Signature: Generic buffer overflow protection
Signature identifier: 428
Release date: 4/16/2007
First released in: 2.0

Additional Resources -

Microsoft Security Advisory: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft Security Bulletin: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx