
CERT-In Vulnerability Note CIVN-2006-76
Vulnerabilities in DNS Resolution Could Allow Remote Code Execution

Original Issue Date: August 09, 2006

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition

Overview

Remote code execution vulnerabilities exist in DNS resolution that could allow an attacker to take complete control of the affected system.

Description

Two remote code execution vulnerabilities have been reported in the DNS resolution process. An attacker who successfully exploited either vulnerability could remotely take complete control of an affected system.

Winsock Hostname Vulnerability (CVE-2006-3440)

Windows Sockets 2 (Winsock) enables programmers to create advanced Internet, intranet, and other network-capable applications that transmit application data across the wire independent of the network protocol being used. It also provides access to advanced Microsoft Windows networking capabilities such as multicast and Quality of Service (QoS).

An unchecked buffer in the Winsock API causes this vulnerability. The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file while previewing an e-mail message or to view a specially crafted website. Additionally, if an application uses the affected API, it could be exploited during regular usage scenarios that may not require user action.

DNS Client Buffer Overrun Vulnerability (CVE-2006-3441)

The Domain Name System (DNS) client service resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution. The ability to resolve DNS names is crucial for locating domain controllers in Active Directory domains. The DNS client service is also critical for locating devices identified using DNS name resolution.

An unchecked buffer in the DNS client layer causes this vulnerability. An anonymous user could exploit the vulnerability by sending a specially crafted DNS communication to an affected client. For an attack to be successful, the attacker would either have to be on a subnet between the host and the DNS server or have to force the target host to make a DNS request, so that it receives a specially crafted record response from an attacking server.

Workarounds

Winsock Hostname Vulnerability

•  Modify the Autodial DLL within the Windows registry.

DNS Client Buffer Overrun Vulnerability

•  Block the following DNS-related records at network gateways:

  • ATMA
  • TXT
  • X25
  • HINFO
  • ISDN DNS
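
The record-type check behind this workaround, as an added example (not CERT-In's or Microsoft's code): a Python function that parses a DNS message and reports resource records of the listed types so a gateway filter can drop the message. The type numbers are the IANA-assigned values, and the "ISDN DNS" entry is assumed to mean the ISDN record type; the function names and sample messages are constructed for illustration.

```python
import struct

# Record types from the workaround list, keyed by IANA DNS TYPE value.
BLOCKED = {13: "HINFO", 16: "TXT", 19: "X25", 20: "ISDN", 34: "ATMA"}

def skip_name(msg, off):
    """Return the offset just past an encoded (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:              # reserved label types are not valid
            raise ValueError("reserved label type")
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length

def blocked_types(msg):
    """List blocked record types in a DNS message; ['MALFORMED'] if it does not parse."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off, found = 12, []
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        if off > len(msg):
            raise ValueError("question section runs past end of message")
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):                     # RDLENGTH lies about the data size
                raise ValueError("RDLENGTH runs past end of message")
            if rtype in BLOCKED:
                found.append(BLOCKED[rtype])
        return found
    except (struct.error, IndexError, ValueError):
        return ["MALFORMED"]                       # fail closed: caller drops it

def build_response(rtype, rdata):
    """Constructed sample: one question for example.test and one answer of rtype."""
    qname = b"\x07example\x04test\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    print(blocked_types(build_response(16, b"\x05hello")))
```

A filter would drop any message for which `blocked_types` returns a non-empty list, which also covers truncated or inconsistent messages.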

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS06-041.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx

Security Focus
http://www.securityfocus.com/bid/19319/info
http://www.securityfocus.com/bid/19404/info

US-CERT
http://www.kb.cert.org/vuls/id/908276
http://www.kb.cert.org/vuls/id/794580

FrSIRT
http://www.frsirt.com/english/advisories/2006/3211

Secunia
http://secunia.com/advisories/21394/

Securitytracker
http://securitytracker.com/alerts/2006/Aug/1016653.html

CVE Name
CVE-2006-3440
CVE-2006-3441

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003