Microsoft Windows DNS Server RPC Interface Buffer Overflow

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: April 13, 2007
Notification Version: 1.1
   
Name: Microsoft Windows DNS Server RPC Interface Buffer Overflow
Public disclosure/
In the wild date:		 April 10, 2007 (vuln disclosure), earliest attack reported April 4, 2007
Aliases: Microsoft Security Advisory (935964), MS07-029
CVE: CVE-2007-1748
Description: The Microsoft Windows Domain Name System (DNS) Server is vulnerable to a stack-based buffer overflow in the RPC interface.

 

ISS Coverage
Product Content Version
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX) prior to Firmware Version 1.2
Server Sensor 7.0		 24.59
Proventia IPS (G/GX) Firmware Version 1.2 or
later
Proventia Multifunction Appliance
Proventia Server (Linux)		 1.98
Proventia Server (Windows) 1.0.x.1990
Proventia Desktop x.x.x.1990
RealSecure Desktop 7.0 EQE
BlackICE PC Protection 3.6 CQE
Enterprise Scanner 1.21 
Internet Scanner 7.2.41
Propagation Techniques ISS Protection Available
remote exploit MSRPC_MSDNS_Request_Bo April 14, 2007
Detection Techniques ISS Detection Available
network assessment WinDnsRpcBo
WinMs07kb935966Update		  April 13, 2007
May 9, 2007

Detailed Description
Business Impact: The RPC interface of Microsoft Windows DNS Server is vulnerable to a stack-based buffer overflow. DNS is shipped by default on Windows 2003 Server and Windows 2000.  The problem occurs on a high port (above 1024), which is typically protected by external firewalls.
CVSS: Base Score: 10
  Access Vector: Remote
Access Complexity: Low 
Authentication: Not Required
Confidentiality Impact: Complete 
Integrity Impact: Complete 
Availability Impact: Complete 
Impact Bias: Normal 
Adjusted Temporal Score: 9.0
  Exploitability: Functional
Remediation Level: Workaround
Report Confidence: Confirmed 
Affected Products:

Windows 2000 Server SP4
Windows Server 2003 SP1
Windows Server 2003 SP2

Technical Description: The Microsoft Windows Domain Name System (DNS) Server is vulnerable to a stack-based buffer overflow in the RPC interface. By sending a specially-crafted Remote Procedure Call (RPC) packet to a vulnerable system, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges.
Remediation: Refer to Microsoft Security Advisory (935964) for suggested workaround information. See References.

References
XFDB http://xforce.iss.net/xforce/xfdb/33629
Microsoft http://www.microsoft.com/technet/security/advisory/935964.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx

Revision History
1.0 Initial publication.
1.1 Added new scanner check and corrected name of previous check.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.