DNS is the abbreviation for the Domain Name System. Whenever anyone on the Internet enters a URL, the domain name resolution system looks up the corresponding IP address so the site can be reached. But the DNS service in Microsoft Windows 2000 and Windows 2003 has recently been found to have a very serious security vulnerability; if hackers exploit it successfully, our Internet operations will run into great trouble.
Hacker Name: Zhang Junxing
Hacking expertise: Windows System Vulnerability Research
Tools used: DNS Server vulnerability exploitation tool
Hacker's confession: There has recently been a 0day vulnerability in the DNS service of Windows systems, and since the code for this vulnerability has been disclosed, various variants of the Nirbot worm that attack the vulnerability have emerged. If hackers exploit the vulnerability, the system will be fully controlled by them.
The DNS vulnerability opens up the system's defenses
This vulnerability exists in the Windows DNS service: while the service is running, its RPC interface, when it processes an unconventional malformed connection request, can give up administrator privileges, allowing a hacker to take advantage of the flaw to fully control the system. By sending a specially crafted RPC packet to a system with this vulnerability, the hacker can obtain administrator privileges on the system and remotely execute arbitrary instructions.
A little knowledge: What is RPC
Remote Procedure Call (RPC) is a protocol that a program can use to request services from a program on another computer in the network. Because a program that uses RPC does not have to understand the details of the network protocol that carries the communication, RPC improves the interoperability of programs.
Earlier there were several vulnerabilities in RPC, including the one that caused the Blaster worm outbreak. This latest vulnerability is a stack overflow that causes a lot of trouble for Microsoft and Windows users.
According to Microsoft's release, Windows XP and Windows Vista are not affected by this DNS vulnerability; Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2 have the flaw.
Easy exploitation of the DNS vulnerability
Open the system's command prompt, change to the directory that holds the DNS server exploit tool, and then execute the exploit tool (Figure 1).
Execute the exploit command: dns.exe -h 127.0.0.1 -t 1 -p 445. Because I tested it on the local computer, the IP address is 127.0.0.1, and the parameters need to be set according to the language version of the server. After the tool's overflow succeeds, you can use the Telnet command or the NC program to connect to port 4444 on the vulnerable server, for example Telnet 127.0.0.1 4444 (Figure 2). It should be explained that the success rate of the tool is not particularly high, so it may take a few more attempts.
Once the vulnerability has been successfully exploited and the overflow has occurred, we can enter net user PCW 1234 /add at the command line; if the command reports success after pressing Enter, a user named PCW with the password 1234 has been added.
Then we enter net localgroup Administrators pcw /add at the command line; successful execution means the user has been added to the Administrators group (Figure 3).
Now, simply use the Remote Desktop feature of the Windows system, connect to the IP address of the DNS server, and log in with the username we just created; we can then carry out the relevant remote management operations (Figure 4).
If the remote server does not have Terminal Services enabled, it is also possible, from the command prompt window obtained through the overflow, to upload our Trojan with the FTP or TFTP command, which likewise allows effective remote management.
The vulnerability is very harmful, and we must guard against it
Because this security vulnerability affects Windows 2000 Server and Windows Server 2003 software, there is a patch for each language version of the Windows server products. Microsoft provides the patches at http://www.microsoft.com/china/technet/security/bulletin/ms07-029.mspx; please choose the patch that matches your own situation.
At the same time, administrators are advised to take the following steps to reduce the threat. First open Registry Editor and locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters. Using the right-click menu, create a new DWORD value named "RpcProtocol", then double-click the new value and change its data to 4. Finally, restart the DNS service for the change to take effect.
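The registry workaround above, as an added PowerShell example (not from the original article or from Microsoft): it reads the current RpcProtocol value, reports whether the mitigation is in place, and applies it if not. It assumes it is run in an elevated session on the DNS server itself; the function names are my own.

```powershell
# Added example, not part of the original article: audit and apply the
# RpcProtocol workaround for the Windows DNS RPC vulnerability described above.
# Assumes an elevated session on the DNS server; function names are hypothetical.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsRpcProtocol {
    # Returns the current RpcProtocol value, or $null when the value is absent.
    # Absent means the default applies, i.e. RPC management over TCP/IP is still enabled.
    $item = Get-ItemProperty -Path $DnsParams -Name 'RpcProtocol' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.RpcProtocol
}

function Test-DnsRpcMitigation {
    # The workaround is in place only when RpcProtocol is exactly 4 (local LPC only).
    return (Get-DnsRpcProtocol) -eq 4
}

function Set-DnsRpcMitigation {
    # Creates or overwrites the DWORD, then restarts the DNS service so it takes effect.
    if (-not (Test-Path $DnsParams)) {
        throw "DNS Parameters key not found; is the DNS Server role installed?"
    }
    New-ItemProperty -Path $DnsParams -Name 'RpcProtocol' -PropertyType DWord -Value 4 -Force | Out-Null
    Restart-Service -Name 'DNS' -Force
    return Test-DnsRpcMitigation
}

# Report the state before and after so the change is visible in the console.
$before = Get-DnsRpcProtocol
if ($null -eq $before) { Write-Host "RpcProtocol not set: remote RPC management is still enabled" }
else { Write-Host "RpcProtocol currently = $before" }

if (Test-DnsRpcMitigation) {
    Write-Host "Workaround already in place"
} elseif (Set-DnsRpcMitigation) {
    Write-Host "Workaround applied: RpcProtocol = 4 and the DNS service was restarted"
} else {
    Write-Host "Workaround could not be verified; check the registry and service state manually"
}
```

Setting RpcProtocol to 4 disables remote management of the DNS server over RPC, so the DNS console will have to be used locally on that server until the patch is installed and the value is removed.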