Update on MS15–127 dns.exe exploit trigger

Kevin Beaumont
Dec 11, 2015

Here’s an update to my prior entry around where we are at.

  • The problem does not appear to impact Windows Server 2003.
  • The problem appears to be with DNAME lookups.
  • It looks like the issue may be a race condition.
  • If you disable recursive lookups, it should offer you some protection, although I cannot fully confirm this yet.
  • Please note it is possible to cause AD DNS servers deep inside corporations to run DNS lookups - for example, send an email to a duff address at a company, from an evil domain name. The Exchange server will return a non-delivery email - which usually uses Active Directory DNS servers to look up the MX record. At this stage, you would be looking up behind the firewalls.
  • It looks like to exploit this condition you would need to be running an Evil DNS Server.
  • You can attempt to PoC this by battering an unpatched Microsoft DNS server with invalid DWORD queries, which have a low TTL and are cached. You may be able to crash dns.exe.
  • It looks difficult to exploit.
  • Microsoft discovered the issue back in August.
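
To audit the recursion mitigation mentioned in the list above, the following added example (not code from the original post) sends one query with the RD bit set and reads the RA (Recursion Available) flag in the reply header. The function names, the fixed transaction ID and the `example.com` query name are assumptions made for illustration; the check reports only whether recursion is advertised, not whether the server is patched.

```python
import socket
import struct

RD = 0x0100  # Recursion Desired (set by the client)
RA = 0x0080  # Recursion Available (set by the server)

def build_query(name, qtype=1, txid=0x4D53):
    """Encode a single-question DNS query with RD set (RFC 1035, section 4.1)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def parse_header(packet):
    """Return (txid, recursion_available, rcode) from a DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return txid, bool(flags & RA), flags & 0x000F

def offers_recursion(server, name="example.com", timeout=3.0):
    """Query `server` over UDP/53 and report whether it advertises recursion."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
    txid, ra, _rcode = parse_header(reply)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return ra

# Constructed sample reply headers (not captured traffic):
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x4D53, 0x8180, 1, 0, 0, 0)
SAMPLE_NO_RECURSION = struct.pack("!HHHHHH", 0x4D53, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    # Usage: python check_recursion.py <dns-server-ip> [<dns-server-ip> ...]
    for host in sys.argv[1:]:
        state = "available" if offers_recursion(host) else "disabled"
        print(f"{host}: recursion {state}")
```

Run it against each DNS server you administer, from both inside and outside the network, to confirm the setting took effect where you expect.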

We have #ms15127 on irc.freenode.net, if you want to join the exploration of the issue. I have provided multiple dedicated servers to various people.
