Credit:
The information has been provided by Nicolás Economou.
The original article can be found at: http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs
Vulnerable Systems:
* Microsoft Windows 2000 (SP4 and previous)
* Microsoft Windows XP (SP3, SP2 and previous)
* Microsoft Windows 2003 (SP2 and previous)
* Microsoft Windows 2008 (SP2 and previous)
* Microsoft Windows 2008 R2
* Microsoft Exchange Server 2003 (SP3, SP2 and previous)
* Microsoft Exchange Server 2007 (SP2, SP1 and previous)
* Microsoft Exchange Server 2010
Immune Systems:
* Microsoft Windows 2000 (SP4 and previous) with MS10-024
* Microsoft Windows XP (SP3, SP2 and previous) with MS10-024
* Microsoft Windows 2003 (SP2 and previous) with MS10-024
* Microsoft Windows 2008 (SP2 and previous) with MS10-024
* Microsoft Windows 2008 R2 with MS10-024
* Microsoft Exchange Server 2003 (SP3, SP2 and previous) with MS10-024
* Microsoft Exchange Server 2007 (SP2, SP1 and previous) with MS10-024
* Microsoft Exchange Server 2010 with MS10-024
While researching the fixes issued by Microsoft in Microsoft's Security Bulletin MS10-024, published April 13, 2010, Nicolás Economou discovered two vulnerabilities in the Windows SMTP Service and Microsoft Exchange. These vulnerabilities were fixed by the patches referenced in MS10-024 but were not disclosed in the vendor's security bulletin and did not have a unique vulnerability identifier assigned to them. As a result, the guidance and the assessment of risk derived from reading the vendor's security bulletin may overlook or misrepresent actual threat scenarios.
An attacker may leverage the two previously undisclosed vulnerabilities fixed by MS10-014 to trivially spoof responses to any DNS query sent by the Windows SMTP service. DNS response spoofing and cache poisoning attacks are well known to have a variety of security implications with impact beyond just Denial of Service and Information Disclosure as originally stated in MS10-024.
As a result, the importance of deploying the MS10-024 patches may be misrepresented in the vendor's security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.
The vulnerabilities were found and researched on a Windows XP SP3 system by identifying binary differences in smtpsvc.dll after applying the corresponding patch from MS10-024. The DLL versions 6.0.2600.5512 and 6.0.2600.5949 were compared. The patch adds a call to the method CAsyncDns::GenerateRandWord at address 4FB55654. The quality of the pseudo-random number generator used by CAsyncDns::GenerateRandWord was not investigated, but simple observation of packets on the wire confirms that DNS query IDs are no longer generated using increments of one decimal unit.
Since CAsyncDns::ProcessReadIO is called prior to CAsyncDns::DnsParseMessage, the patch effectively added a verification of the ID value in DNS responses that was missing before. This implies that, even though it was trivial to blindly guess the query IDs generated by the Windows SMTP service with no or just a few captured DNS queries, an attacker did not even need to guess valid query IDs to be able to spoof legitimate replies successfully. Prior to MS10-024 the complexity of spoofing responses to the Windows SMTP Service or Microsoft Exchange Server was reduced to just guessing the source port that originated the query. This lack of validation of inbound responses was confirmed in practice with a proof of concept exploit for the SMTP Server MX Record vulnerability disclosed in MS10-024.
MS10-024 also included "defense-in-depth changes" to Microsoft Exchange 2007 and Microsoft Exchange 2010 that added source port entropy to DNS transactions initiated by the SMTP service, as stated in the FAQ in the general information section of the security bulletin. However, those "defense-in-depth changes" refer to randomization of the source port for outbound DNS queries and not to the value of the query ID used in DNS packets.
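To make the two fixes concrete, the following constructed Python example (added here; not code from smtpsvc.dll, Core Security or Microsoft) models a DNS client's query-ID handling: sequential IDs as generated before the patch, CSPRNG-based IDs standing in for CAsyncDns::GenerateRandWord, and the response check that was absent before ProcessReadIO learned to verify the ID. Function names, the MX question encoding and the packet values are assumptions made for the illustration.

```python
import secrets
import struct

# Constructed model of the MS10-024 changes: unpredictable query IDs and a
# check that an inbound response's ID matches an outstanding query.

def sequential_id(last):
    """Pre-patch behaviour: each query ID is the previous one plus one."""
    return (last + 1) & 0xFFFF

def random_id():
    """Post-patch behaviour: 16-bit ID from a CSPRNG (stand-in for GenerateRandWord)."""
    return secrets.randbelow(0x10000)

def encode_question(name, qtype=15):
    """Question section for an MX (QTYPE 15) lookup of `name`, class IN."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, 1)

def build_query(qid, name):
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_question(name)

def build_response(qid, name):
    # Header with the QR bit set; answer records are omitted because only
    # the acceptance checks matter for this illustration.
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + encode_question(name)

def accept_response(pending, packet, check_id=True):
    """Decide whether a response may be handed on to the DNS parser.

    pending maps outstanding query IDs to the question bytes that were sent.
    With check_id=False the function mirrors the pre-patch SMTP service,
    which parsed any response reaching its socket regardless of its ID."""
    if len(packet) < 12:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000 or qdcount != 1:  # must be a response with one question
        return False
    if not check_id:
        return True
    # The ID must belong to a live query and the echoed question must be the one sent.
    return qid in pending and packet[12:].startswith(pending[qid])
```

With check_id=False a response carrying any ID is accepted, which is the pre-patch condition the advisory describes; with the check enabled, a response that does not match an outstanding query is dropped before parsing.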
Basic analysis of the vulnerabilities disclosed in this advisory, which were fixed but not disclosed in MS10-024, indicates that the threat of DNS spoofing attacks against the Windows SMTP service and Microsoft Exchange, or the scenario for exploitation of CVE-2010-0024, was underestimated. As a result, the importance of deploying the MS10-024 patches may be misrepresented in the vendor's security bulletin. Organizations using vulnerable packages should consider re-assessing patch deployment priorities in view of the additional information provided in this advisory.
Patch Availability:
These vulnerabilities are fixed with the security updates included in Microsoft Security Bulletin MS10-024.
CVE Information:
CVE-2010-1689
CVE-2010-1690
Disclosure Timeline:
2010-04-28: Initial notification to the vendor.
2010-04-29: Vendor confirms.
2010-05-04: Published.