Shulou(Shulou.com)05/31 Report--

This article is to share with you about the principle analysis of Windows DNS Server remote code execution vulnerability CVE-2021-24078. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Brief introduction of vulnerabilities

Windows DNS Server is an important functional component on the Windows Server server, which is responsible for scheduling and processing all DNS-related services of hosts in the domain.

Researchers at Qianxin Code Security Lab found a serious remote code execution vulnerability in Windows DNS Server (CVE-2021-24078). It is the first worm-level vulnerability discovered and submitted by domestic security researchers, with a CVSS score of 9.8, comparable to another Windows DNS Server RCE vulnerability fixed by Microsoft last year (CVE-2020-1350). The tester can use this vulnerability to execute arbitrary code on the target system with local system account privileges simply by sending a special packet to the target DNS server, and the trigger can be executed without interaction, authentication, and in the default configuration of Windows DNS.

Test scenario

The test scenario is as follows:

(1) the tester issues a special query "XXXXXXXXXXXX.com" to the target DNS server.

(2) the target DNS server cannot parse "XXXXXXXXXXXX.com" and initiates a recursive query to a higher-level DNS server (such as 8.8.8.8).

(3) the record obtained is a ns record requested by the tester in advance. The address of this record points to the test machine, which means that the target DNS server must go to this ip address to query the relevant domain name information.

(4) the target DNS server initiates the second query to the test machine and directly initiates the query to the ip address of the test machine.

(5) at this time, the tester sends a malformed response message to the target DNS server, triggering a type confusion vulnerability.

Loophole analysis and utilization

The hole lies in the request function of rr record generation for processing messages, dns.exeroomWireframes CreateRecordFromWire. An error occurred in the parsing of the type resolution function dns.exeencoded rr DispatchFunctionForType: an error occurred while judging whether the rr type was legal or not, and the comparison that should have been signed was mistakenly compared as unsigned, resulting in the resulting rr record being marked as an arbitrary type value. In other words, the type value of rrcord generated in this function can be marked as almost any value (most of the values in the 0-0xffff range), triggering a type obfuscation vulnerability that could eventually lead to RCE. The vulnerability analysis process is shown in figure 1.

Fig. 1 flow chart of vulnerability analysis

The pseudo code is as follows:

_ int64 _ _ fastcall RR_DispatchFunctionForType (_ _ int64 * A1, unsigned _ int16 a2) {unsigned _ int16 v2; / / r8__int64 result; / / raxv2 = a2if if (a2) {if (a2 > 52u) {if ((unsigned _ int16) (a2 + 0xFF) = 4U) {WPP_SF_ (* ((_ QWORD *) WPP_GLOBAL_Control + 2), 10i64, & WPP_78f9f773bfac3ce873e2989308e70330_Traceguids);} result = 0i64;} return result;}

The parsing function enables any non-zero rr type value to find the CopyWireRead address of the constructor of the relevant rr, resulting in type confusion. Further conversion type confusion will lead to arbitrary address reading or arbitrary address writing, and may eventually lead to arbitrary code execution. Moreover, some non-default DNS server even support version queries, making the vulnerability more valuable to exploit.

Usually, in the process of caching domain name information in Windows DNS, the information will be written to each rrecord. There are generally more than 20 types of rrcord, including:

A: host address information

AAAA: ipv6 host addr

SOA: Mark the authoritative area address

……

The structure of each rrecord is different. In the test package, the author confuses Copyrrcord as a special rrcord type with a type value of 0xf0f0 and a custom Windows. In this type, the 0x20, 0x28, 0x30, and 0x38 of the rrcord offset are all pointers to another record, while in the Copyrrcord type, the value at the offset 0x20, 0x28, and 0x30 is 0, and the offset 0x38 is the starting position of a buf of controllable length. The rrecord structure of the 0xf0f0 type and copyrrecord type is shown in figures 2 and 3.

Figure 2 rrecord structure of 0xf0f0 type

Fig. 3 rrecord structure of Copyrrecord type (type value 0 or otherwise)

What is implemented in the test package is that the writable part is used to trigger the crash and clean up the scene by calling the RR_Free function (when the message processing function finds a malformed message, it will refuse to continue to process the message and clean up the scene). In this way, you can control the free function, free any address.

In fact, at this point, you can start trying to exploit the vulnerability. When caching a large number of rrecord records to DNS server, it can be equated with the heap spray effect. An attempt is made to free 0x0c0c0c0c0c0c0c0c or another address, causing it to be used after release (UAF), then become readable or writable, resulting in arbitrary code execution. The related code is as follows:

Void _ _ fastcall RR_Free (_ _ int64 A1) {. If (* (_ WORD *) (v1 + 12) = = 0xF0F0u | | * (_ BYTE *) (v1 + 10)

= 5U) {v9 = * (unsigned _ int16 *) (v1 + 12); WPP_SF_qd (* ((_ QWORD *) WPP_GLOBAL_Control + 7), 10i64, & WPP_103a918d359034d16f977c36c11204c8_Traceguids, v1);} RR_ListFree (* (_ QWORD * *) (v1 + 56));

In the subsequent function Wire_AddResourceRecordToMessage (in response to the information recorded in the rrcord in the message), we can also try to perform reverse obfuscation operations, such as confusing other types of rrcord with Copyrrcord, resulting in information leakage.

The above is the principle analysis of Windows DNS Server remote code execution vulnerability CVE-2021-24078. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.