Update on MS15-127 dns.exe exploit trigger
Dec 11, 2015
Here’s an update to my prior entry on where we are at.
- The problem does not appear to impact Windows Server 2003.
- The problem appears to be with DNAME lookups.
- It looks like the issue may be a race condition.
- If you disable recursive lookups, it should offer you some protection, although I cannot fully confirm this yet.
  - Please note it is possible to cause AD DNS servers deep inside corporations to run DNS lookups - for example, send an email to a duff address at a company, from an evil domain name. The Exchange server will return a non-delivery email - which usually uses Active Directory DNS servers to look up the MX record. At this stage, you would be looking up behind the firewalls.
- It looks like to exploit this condition you would need to be running an Evil DNS Server.
- You can attempt to PoC this by battering an unpatched Microsoft DNS server with invalid DWORD queries, which have a low TTL and are cached. You may be able to crash dns.exe.
- It looks difficult to exploit.
- Microsoft discovered the issue back in August.
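For the recursion and dns.exe crash points above, here is a PowerShell audit added as an example (it is not from the original post): it reports each DNS server's recursion setting and recent unexpected terminations of the DNS Server service, and can optionally turn recursion off. The server names are constructed placeholders, and it assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and English event messages.

```powershell
# Added example. Server names below are constructed placeholders.
param(
    [string[]]$Servers = @('dns01.example.internal', 'dns02.example.internal'),
    [switch]$DisableRecursion,   # only change settings when explicitly asked
    [int]$Days = 14              # how far back to look for service crashes
)

foreach ($server in $Servers) {
    # Current recursion setting on the remote DNS server.
    $rec = Get-DnsServerRecursion -ComputerName $server -ErrorAction Stop

    # Service Control Manager logs 7031/7034 when a service dies unexpectedly.
    # Matching on the display name assumes English-language event messages.
    $crashes = @(Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031, 7034
            StartTime    = (Get-Date).AddDays(-$Days)
        } | Where-Object { $_.Message -match 'DNS Server' })

    [pscustomobject]@{
        Server            = $server
        RecursionEnabled  = $rec.Enable
        DnsServiceCrashes = $crashes.Count
        LastCrash         = ($crashes | Select-Object -First 1).TimeCreated
    }

    if ($DisableRecursion -and $rec.Enable) {
        # Disabling recursion also stops the server from using forwarders, so
        # clients lose resolution of names it is not authoritative for.
        Set-DnsServerRecursion -ComputerName $server -Enable $false
    }
}

# Servers older than 2012 lack this module; the equivalent there is:
#   dnscmd <server> /Config /NoRecursion 1
```

Run it without `-DisableRecursion` first to get the report only; a non-zero crash count on an unpatched server is worth correlating with the time of any unusual inbound or recursive query load.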
We have #ms15127 on irc.freenode.net, if you want to join the exploration of the issue. I have provided multiple dedicated servers to various people.