MS06-041 exposure


msb-2007@nospam.nospam

Two clarifying questions regarding the DNS Client Buffer Overrun
Vulnerability (CVE-2006-3441) referenced in MS06-041:
1) is the DNS server (ie: on Win2000, Win2K) vulnerable in any way if a
client attempts to query an "evil" dns record from an "evil" dns server, or
is this just a dns client resolver issue?
2) if the client passes its DNS query request to a "good" upstream DNS server
(Windows or otherwise), will that server "pass thru" any potential attack
payload, or can the vulnerability only occur if the client is directly
resolving to an "evil" dns server?

thanks!

-Matt
 
"msb-2007@nospam.nospam" <msb2007nospamnospam@discussions.microsoft.com>
wrote in message news:D407C9EB-DF30-4269-8773-8BE915935341@microsoft.com...
> Two clarifying questions regarding the DNS Client Buffer Overrun
> Vulnerability (CVE-2006-3441) referenced in MS06-041:
> 1) is the DNS server (ie: on Win2000, Win2K) vulnerable in any way if a
> client attempts to query an "evil" dns record from an "evil" dns server,
> or
> is this just a dns client resolver issue?


This was a flaw in the DNS Client service.
If a DNS server is configured to accept recursive query requests, so that
it would itself contact the upstream DNS servers (i.e. your "evil" one),
it is the DNS Server service that does this; that is, it does not use the
DNS Client service to do it.

> 2) if the client passes its DNS query request to a "good" upstream DNS
> server
> (Windows or otherwise), will that server "pass thru" any potential attack
> payload, or can the vulnerability only occur if the client is directly
> resolving to an "evil" dns server?
>


I believe your question is answered in the bulletin. See FAQ section of
http://www.microsoft.com/technet/security/bulletin/ms06-041.mspx
<quote>
Would disabling the DNS client service or configuring the client to use
a specific DNS server mitigate the vulnerability?
No. The vulnerability cannot be mitigated by disabling the DNS client
service or configuring the use of a specific trusted DNS server.
</quote>

Note that a DNS Server can be configured to provide either recursive
or iterative query resolution services, and that when the dnscache client
service is disabled Windows falls back to use of the older DNS client.
If a DNS Server knows the answer it replies, else it works the query.
If a DNS Server is not accepting recursive queries, it returns to the
client not an answer to the query but a referral telling the client what
DNS server it should contact (i.e. it tells your client to go talk to the
evil DNS server). If it does accept recursive query requests, then when
it finally receives the answer from another DNS server that answer is
passed back to the client.
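The recursive-versus-referral distinction in the reply above is visible in the DNS message itself: the RD bit in the query asks the server to recurse, the RA bit in the response says whether it will, and a referral is a response with an empty answer section and NS records in the authority section (often with glue A records in the additional section). The following is an added example, not code from the thread or from Microsoft: it builds a query with RD set or cleared, parses a response with name decompression, and classifies it as an answer, a referral, an error, or no-data. The two response packets are constructed inline for the demonstration; the names and addresses (example.com, 192.0.2.0/24) are documentation placeholders, not real servers.

```python
"""Build DNS queries with/without RD and classify the response (answer vs referral)."""
import struct

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name: str) -> bytes:
    """'www.example.com' -> wire-format labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Standard A query. RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if recursion_desired else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def decode_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it in the stream)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # RFC 1035 compression pointer
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_rr(data: bytes, offset: int):
    name, offset = decode_name(data, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rdata = data[offset:offset + rdlen]
    if rtype == QTYPE_A and rdlen == 4:
        value = ".".join(str(b) for b in rdata)
    elif rtype == QTYPE_NS:
        value, _ = decode_name(data, offset)           # NS target may be compressed
    else:
        value = rdata.hex()
    return {"name": name, "type": rtype, "ttl": ttl, "data": value}, offset + rdlen


def parse_response(data: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    msg = {"id": txid, "is_response": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, offset = parse_rr(data, offset)
            rrs.append(rr)
        msg[key] = rrs
    return msg


def classify(data: bytes) -> str:
    """'answer' (server resolved it), 'referral' (go ask these NS yourself), 'error', 'nodata'."""
    msg = parse_response(data)
    if not msg["is_response"]:
        return "not-a-response"
    if msg["rcode"] != 0:
        return "error"
    if msg["answer"]:
        return "answer"
    if any(rr["type"] == QTYPE_NS for rr in msg["authority"]):
        return "referral"
    return "nodata"


def _rr(name: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, answers, authority, additional, ra: bool) -> bytes:
    """Constructed response that echoes the query's ID, RD bit and question section."""
    txid, qflags, qd = struct.unpack("!HHH", query[:6])
    rflags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0)
    header = struct.pack("!HHHHHH", txid, rflags, qd, len(answers), len(authority), len(additional))
    return header + query[12:] + b"".join(answers + authority + additional)


QUERY = build_query("www.example.com")
# Constructed sample: a recursive server resolved the name itself (RA=1, answer present).
RECURSIVE_REPLY = build_response(QUERY, [_rr("www.example.com", QTYPE_A, 300, bytes([192, 0, 2, 10]))], [], [], ra=True)
# Constructed sample: a non-recursive server returns only a referral; the client must now
# contact the named NS (the "go talk to the evil DNS server" case) itself.
REFERRAL_REPLY = build_response(QUERY, [],
                                [_rr("example.com", QTYPE_NS, 3600, encode_name("ns1.example.com"))],
                                [_rr("ns1.example.com", QTYPE_A, 3600, bytes([192, 0, 2, 53]))], ra=False)

if __name__ == "__main__":
    for label, pkt in (("recursive", RECURSIVE_REPLY), ("referral", REFERRAL_REPLY)):
        m = parse_response(pkt)
        print(label, classify(pkt), "RA=", m["ra"], m["answer"] or m["authority"])
```

A resolver that receives the referral must open a new connection to whatever name the authority section points at, so a stub client that only ever talks to a recursive server never sees the referral; that is the practical difference between the two server configurations described in the reply.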
 