CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit

Credit for the bug goes entirely to Check Point Research (@_cpresearch_), who did an incredible writeup of it (props to @sagitz_ for the post). Their writeup can be found here.

This exploit was written by @maxpl0it.

Quick summary of how it works:

  1. On the LAN, you trigger a DNS request (more specifically, a request for SIG records) for an evil domain (for example 9.evil_domain.com)
  2. This gets sent to the vulnerable Windows server's DNS service
  3. The vulnerable server forwards the request to whatever upstream DNS it uses (usually Google's public resolvers)
  4. The upstream DNS responds with the nameservers for the evil domain
  5. The vulnerable server then acts as a DNS client and sends a request to the evil DNS server
  6. The evil server responds with a payload that overflows a 2-byte (16-bit) length value, so a smaller allocation is made than is actually required
  7. The signature is copied into that undersized buffer and things break (of course), crashing the vulnerable server's DNS service
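
As an added defender-side example (not part of this exploit or of Check Point's writeup), the following Python flags the SIG-type packets that steps 1, 5 and 6 above would leave in a Windows DNS debug log, rating a leftmost label of `9` as the strongest indicator. The log lines, their column spacing and the `203.0.113.53` nameserver address are constructed assumptions rather than real captures.

```python
import re
from typing import List, Optional

# Constructed sample in the Windows DNS debug-log packet layout (the exact spacing is an
# assumption): ... proto dir remote_ip xid [R] opcode [flags] qtype name-in-label-form
SAMPLE_LOG = """\
7/14/2020 9:00:01 PM 0A34 PACKET  000001B2C0D8E0A0 UDP Rcv 10.0.0.25     0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/14/2020 9:00:02 PM 0A34 PACKET  000001B2C0D8F1B0 UDP Rcv 10.0.0.25     0003   Q [0001   D   NOERROR] SIG    (1)9(10)ibrokethe(3)net(0)
7/14/2020 9:00:02 PM 0A34 PACKET  000001B2C0D90020 UDP Snd 203.0.113.53  a1f2   Q [0000       NOERROR] SIG    (1)9(10)ibrokethe(3)net(0)
7/14/2020 9:00:03 PM 0A34 PACKET  000001B2C0D91130 TCP Rcv 203.0.113.53  a1f2 R Q [8080   DR  NOERROR] SIG    (1)9(10)ibrokethe(3)net(0)
7/14/2020 9:00:09 PM 0A34 PACKET  000001B2C0D92240 UDP Rcv 10.0.0.30     0004   Q [0001   D   NOERROR] SIG    (4)mail(7)example(3)com(0)
"""

_PKT = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>[0-9a-fA-F.:]+)\s+[0-9a-fA-F]{4}\s+"
    r"(?P<resp>R)?\s*Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>[A-Z0-9]+)\s+(?P<name>\(\d+\)\S*)"
)
_LABEL = re.compile(r"\((\d+)\)([^()]*)")

def labels_to_name(wire: str) -> str:
    """'(1)9(10)ibrokethe(3)net(0)' -> '9.ibrokethe.net' (the (0) root label is dropped)."""
    return ".".join(lbl for n, lbl in _LABEL.findall(wire) if int(n) > 0)

def parse_line(line: str) -> Optional[dict]:
    """Pull the fields the detector needs out of one debug-log line, or None if not a packet."""
    m = _PKT.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "dir": m["dir"], "ip": m["ip"], "response": m["resp"] == "R",
            "qtype": m["qtype"], "name": labels_to_name(m["name"])}

# Which leg of the chain a SIG packet belongs to, keyed by (direction, is_response).
_LEG = {("Rcv", False): "client SIG query",      # step 1: a LAN host asks this server
        ("Snd", False): "outbound SIG query",    # step 5: the server resolves it as a DNS client
        ("Rcv", True):  "inbound SIG response"}  # step 6: the oversized answer comes back

def find_sigred_indicators(lines: List[str]) -> List[dict]:
    """One alert per SIG-type packet; a leftmost label of '9' is the pattern the trigger uses."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "SIG":
            continue
        leg = _LEG.get((rec["dir"], rec["response"]))
        if leg is None:
            continue
        alerts.append({**rec, "kind": leg,
                       "severity": "high" if rec["name"].split(".")[0] == "9" else "medium"})
    return alerts
```

Run it against `SAMPLE_LOG.splitlines()` to see the three high-severity hits for the ibrokethe.net chain and one medium hit for the unrelated SIG lookup; SIG queries are rare on a corporate resolver, so even the medium hits are worth a look.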

General Setup:

For example, I ran `python sigred_dos.py ibrokethe.net` to start the malicious DNS server.

Testing Setup:

If you have access to the Windows server, you can configure a conditional forwarder to point ibrokethe.net to the IP address of the host running the script. This effectively skips steps 3 & 4 in the summary.

Execution:

In order to trigger the vulnerability on the Windows DNS server, run `nslookup -type=sig 9.your_domain_name_here dns_server_to_target`. The subdomain '9' is indeed required here. You do not have to make any domain record changes for this, since the script deals with it.

As an example, I ran `nslookup -type=sig 9.ibrokethe.net 127.0.0.1`, as I was running this on the server itself.