#MS15127 — looking into MS15–127 DNS.exe patch

Kevin Beaumont
2 min read · Dec 8, 2015


Patch MS15–127 fixes a problem with DNS. Microsoft provided very little information, including around who found the issue or exactly what the issue is. The key issue is they say it can be exploited for Remote Code Execution, so you probably want to install the patch on your AD domain controllers.

Let’s have a deep dive of what I can find out so far.

First off, the patch differentials:

So the function changes look to be around recursive queries and database locking. Recursive resolution is available in the Windows Server 2008 and 2012 DNS services, and the feature is enabled by default (woops..)
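As an added example (not from the original post), a quick way for a defender to audit the recursion setting mentioned above and whether the patch is present on each DNS server; it assumes the DnsServer PowerShell module (Server 2012+), remote access to the servers, and the hostnames and KB number are placeholders you fill in from your own estate and the MS15-127 bulletin.

```powershell
# Added example, not the post's code. Audit Windows DNS servers for the
# recursion setting the post calls out and report whether MS15-127 is installed.
# Assumes the DnsServer module (Windows Server 2012+) and remote PowerShell access.
$Ms15127Kb = 'KB<MS15-127 KB number>'   # placeholder: take the real KB from the bulletin
$Servers   = @('dc01', 'dc02')          # constructed sample hostnames

foreach ($s in $Servers) {
    $rec   = Get-DnsServerRecursion -ComputerName $s
    $patch = Get-HotFix -ComputerName $s -Id $Ms15127Kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server           = $s
        RecursionEnabled = $rec.Enable      # $true is the default the post describes
        Ms15127Installed = [bool]$patch
    }
}

# Weak setting (the default): recursion on for any client that can reach the server.
#   Set-DnsServerRecursion -ComputerName dc01 -Enable $true
# Hardened setting, only for servers that are authoritative-only. Internal resolvers
# and DCs that clients use for name resolution still need recursion, so patch those
# instead. Disabling recursion on Windows DNS also stops the server using forwarders.
#   Set-DnsServerRecursion -ComputerName dc01 -Enable $false
```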

You can also see some changes around DNAME behaviour, where queries seem to be stripped. Microsoft have patched in this area previously for a denial of service issue. There have also been numerous RFCs in this area.

It is unclear if this issue impacts Microsoft Windows Server 2003, which is out of extended product support. Windows Server 2003 does not support DNAME entries.

If you are interested in helping look into the scope of the issue, particularly to determine how exploitable the issue realistically is, please do get in touch — we have a working group chat of people looking into it, along with a test Windows Server 2012 R2 box with DNS installed and recursion enabled, with firewall off and debugging enabled.

Keep an eye on @networksecurity for more information as I get it.

Updates:

09/12/2015–12pm — here’s a reverse of the patched DNAME function.*

10/12/2015–12pm — the patch appears to rework how Resource Records are processed, particularly how RRs are cached (and freed from cache). I think it’s how DNAMEs are cached. It looks like dns.exe caches RRs for recursive requests. I am looking into registering a domain and setting up a DNS server on it with ‘evil’ entries, for testing.

10/12/2015–8pm — *I’ve noticed the prior look at changed DNAME functions has been pulled from Pastebin. I do not know the reason.

10/12/2015–9pm — we have a crash:

Work is ongoing to reproduce. There’s a reasonable plan around triggering now. The next question is if Windows Server 2003 is impacted.

11/12/2015–4pm — I have published a new post with updates.
