
Exploit goes public for Windows DNS Server bug

It appeared just two days after Microsoft acknowledged the flaw

April 16, 2007 12:00 PM ET

Computerworld - A public exploit appeared just two days after Microsoft Corp. acknowledged a critical vulnerability in its server software, a change one security company said "greatly increases" the chances of a broad attack.

The zero-day bug in the Domain Name System (DNS) Server Service in Windows 2000 Server (SP4) and Windows Server 2003 (SP1 and SP2) was confirmed by Microsoft late on Thursday. On Friday, the company said the current beta of Longhorn Server, the next-generation server software expected to ship later this year, was also affected.

Symantec Corp. warned Saturday that the Metasploit Project had released a public exploit for the vulnerability. "The release of this exploit greatly increases the chance of widespread exploitation of this issue before a patch is made available," warned Symantec. Metasploit is a security testing tool largely guided by developer and researcher HD Moore and is frequently first out of the gate with exploits of Windows vulnerabilities.

Ken Dunham, director of VeriSign Inc.'s iDefense rapid response team, also noted the importance of the Metasploit release. "[This changes] the threat landscape for this issue," he said in an e-mail.

Microsoft modified its advisory late Friday and again Sunday to offer more detailed defensive recommendations and note that Microsoft Windows Small Business Server 2000 and Small Business Server 2003 are also at risk.

"We especially want to encourage people to evaluate the work-around to 'Disable remote management over RPC capability for DNS servers through the registry key setting,'" said Christopher Budd, Microsoft Security Response Center (MSRC) program manager, on the MSRC blog late Friday. "Based on our testing, that's the best workaround we can recommend at this point."

Following Microsoft's advice means that businesses won't be able to manage Windows DNS servers remotely with the usual tools. Microsoft noted, however, that Terminal Services can still be used to remotely manage servers.

On Sunday, Budd added that the MSRC is aware of the Metasploit proof-of-concept code. He also said that the team had updated the security advisory once again, this time to add TCP and UDP Port 445 to the list that administrators should block at the firewall.

Although Microsoft seems to be all over this vulnerability -- a patch is in the works, the MSRC has blogged about the flaw four times in four days, and the advisory has been updated three times since Thursday -- it's still unclear what threat the bug poses and to whom. For instance, Dunham said that the bug affects intranets most, not enterprises' more accessible outward-facing servers. "The area of greatest risk potentially resides within intranets, where domain controllers are running DNS and may become compromised," he said.

But if a bot Trojan horse managed to get onto a client -- via the patched but still attacked animated cursor bug, for example -- the botnet controller could use that compromised PC to hijack the local domain controller. "[That would] gain complete control over the entire network," said Dunham.

On Sunday, Microsoft again said that attacks were "limited," which Symantec alluded to in its warning. "The DeepSight Threat Analyst Team has deployed honeypot systems; the honeypots are specifically designed to be targeted by this issue. No exploitation has yet been observed," the company said.

Windows clients running Windows 2000, Windows XP or Windows Vista are not at risk.


