本文为看雪论坛精华文章
看雪论坛作者ID:蝶澈——
漏洞简讯
2020年7月,微软公开发布了Windows DNS Server远程代码执行漏洞,漏洞编号为CVE-2020-1350,该漏洞影响 2003 到 2019 年发布的所有 Windows Server 版本,CVSS 评分为满分 10 分。
微软在公告中指出,该漏洞可引发蠕虫式传播。Windows DNS Server 在处理特制的 SIG 响应包时,存在远程代码执行漏洞,未经身份验证的攻击者可通过维护一个域名并设置指向恶意服务器的 NS 记录,通过向目标 DNS 服务器查询该域名的 SIG 来利用此漏洞,成功利用此漏洞的远程攻击者可在目标系统上以 SYSTEM 账户权限执行任意代码。
经研判,该漏洞无需交互、不需要身份认证且 Windows DNS Server 默认配置可触发。目前,互联网上已出现该漏洞相关细节、POC 以及漏洞利用视频。
漏洞分析
此漏洞公开后,Check Point 发布了相关的分析文章,传送门:
_BYTE *__fastcall SigWireRead(__int64 a1, __int64 pMsg, __int64 pchData, unsigned __int16 a4)
{
__int64 v4; // rbx
unsigned __int64 pchEnd; // rdi
unsigned __int8 *signameData; // r8
unsigned __int8 *v7; // rax
unsigned __int8 *v8; // rbp
size_t sigLength; // rdi
_BYTE *v10; // rax
_BYTE *v11; // rsi
unsigned __int8 nameSigner; // [rsp+30h] [rbp-138h]
v4 = pchData;
pchEnd = pchData + a4;
signameData = (unsigned __int8 *)(pchData + 0x12);
if ( (unsigned __int64)signameData >= pchEnd )
return 0i64;
v7 = Name_PacketNameToCountNameEx(&nameSigner, pMsg, signameData, pchEnd)
v8 = v7;
if ( !v7 )
return 0i64;
sigLength = pchEnd - (_QWORD)v7;
v10 = RR_AllocateEx((unsigned __int16)sigLength + (unsigned __int16)nameSigner + 0x14, 0, 0); //整数溢出
v11 = v10;
if ( !v10 )
return 0i64;
*(_OWORD *)(v10 + 0x38) = *(_OWORD *)v4;
*((_WORD *)v10 + 0x24) = *(_WORD *)(v4 + 0x10);
Name_CopyCountName(v10 + 0x4A, &nameSigner);
memcpy(&v11[(unsigned __int8)v11[0x4A] + 0x4C], v8, sigLength); //堆溢出
return v11;
}
0:001> db r8
000002ea`760b445d c0 0c 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:001> r rcx
rcx=000000f775b7f1f0
0:001> p
dns!SigWireRead+0x41:
00007ff7`a9daf911 488be8 mov rbp,rax
0:001> db rcx // &nameSigner
000000f7`75b7f1f0 0f 02 09 79 79 79 79 79-79 79 79 74 03 66 75 6e ...yyyyyyyyt.fun
000000f7`75b7f200 00 be 6c 75 ea 02 00 00-00 00 00 00 00 00 00 00 ..lu............
0:001> u rip l6
dns!SigWireRead+0x4e:
00007ff7`a9daf91e 482bf8 sub rdi,rax
00007ff7`a9daf921 6683c114 add cx,14h
00007ff7`a9daf925 33d2 xor edx,edx
00007ff7`a9daf927 6603cf add cx,di
00007ff7`a9daf92a 4533c0 xor r8d,r8d
00007ff7`a9daf92d e8263c0800 call dns!RR_AllocateEx (00007ff7`a9e33558)
0:001> r cx
cx=f
0:001> ? rdi-rax
Evaluate expression: 65472 = 00000000`0000ffc0
0:001> ? cx + ffc0 + 14 //无法整数溢出
Evaluate expression: 65507 = 00000000`0000ffe3
0:001>
dns!Name_PacketNameToCountNameEx+0xdd:
00007ff7`a9d74f55 493bf6 cmp rsi,r14
0:001> ub rip
dns!Name_PacketNameToCountNameEx+0xbb:
00007ff7`a9d74f33 4c8d46ff lea r8,[rsi-1]
00007ff7`a9d74f37 0fb606 movzx eax,byte ptr [rsi]
00007ff7`a9d74f3a 488db530190000 lea rsi,[rbp+1930h]
00007ff7`a9d74f41 440fb6ca movzx r9d,dl
00007ff7`a9d74f45 6641c1e108 shl r9w,8
00007ff7`a9d74f4a 66440bc8 or r9w,ax
00007ff7`a9d74f4e 410fb7c1 movzx eax,r9w
00007ff7`a9d74f52 4803f0 add rsi,rax //rax=0xd
0:001> db rsi l40
000002ea`760b442d 39 09 79 79 79 79 79 79-79 79 74 03 66 75 6e 00 9.yyyyyyyyt.fun.
000002ea`760b443d 00 18 00 01 c0 0c 00 18-00 01 00 00 00 00 ff d2 ................
000002ea`760b444d 00 01 05 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000002ea`760b445d 00 00 c0 0d 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:001> gu //函数返回
dns!SigWireRead+0x41:
00007ff7`a9daf911 488be8 mov rbp,rax
0:001> db rcx l40 // &nameSigner
000000f7`75b7f1f0 3b 01 39 09 79 79 79 79-79 79 79 79 74 03 66 75 ;.9.yyyyyyyyt.fu
000000f7`75b7f200 6e 00 00 18 00 01 c0 0c-00 18 00 01 00 00 00 00 n...............
000000f7`75b7f210 ff d2 00 01 05 00 00 00-00 00 00 00 00 00 00 00 ................
000000f7`75b7f220 00 00 00 00 c0 0d 00 00-00 00 00 00 00 7f 00 00 ................
0:001> u rip l6
dns!SigWireRead+0x4e:
00007ff7`a9daf91e 482bf8 sub rdi,rax
00007ff7`a9daf921 6683c114 add cx,14h
00007ff7`a9daf925 33d2 xor edx,edx
00007ff7`a9daf927 6603cf add cx,di
00007ff7`a9daf92a 4533c0 xor r8d,r8d
00007ff7`a9daf92d e8263c0800 call dns!RR_AllocateEx (00007ff7`a9e33558)
0:001> r cx
cx=3b
0:001> ? cx + rdi - rax + 14 //整数溢出
Evaluate expression: 65549 = 00000000`0001000d
……
0:001>
dns!SigWireRead+0x5d:
00007ff7`a9daf92d e8263c0800 call dns!RR_AllocateEx (00007ff7`a9e33558)
0:001> r rcx
rcx=000000000000000d
//dns!Mem_Alloc
00007ff7`a9e32f3a 3b3dfc850a00 cmp edi,dword ptr [dns!StandardAllocLists+0xc (00007ff7`a9edb53c)]
00007ff7`a9e32f40 488d1de9850a00 lea rbx,[dns!StandardAllocLists (00007ff7`a9edb530)]
00007ff7`a9e32f47 760c jbe dns!Mem_Alloc+0xe9 (00007ff7`a9e32f55)
00007ff7`a9e32f49 488bc3 mov rax,rbx
00007ff7`a9e32f4c 4883c358 add rbx,58h
00007ff7`a9e32f50 3b7864 cmp edi,dword ptr [rax+64h] ds:00007ff7`a9edb594=00000068
0:001> dq dns!StandardAllocLists + 58
00007ff7`a9edb588 000002ea`758c5b18 00000068`00000001 // 0x68 大小的 AllocLists
00007ff7`a9edb598 0000000b`00000027 0000009c`00000004
00007ff7`a9edb5a8 0000004e`000000df 00000000`00003f60
00007ff7`a9edb5b8 ffffffff`ffffffff 00000000`ffffffff
00007ff7`a9edb5c8 00000000`00000000 00000000`00000000
00007ff7`a9edb5d8 00000000`00001388 000002ea`752c5098 // 0x88 大小的 AllocLists
00007ff7`a9edb5e8 00000088`00000002 00000004`0000001e
00007ff7`a9edb5f8 000000d2`00000007 00000021`000000ef
0:001> gu
dns!SigWireRead+0x62:
00007ff7`a9daf932 488bf0 mov rsi,rax
0:001> db rax-10 // 分配到 0x2ea758c5b18,长度为 0x68
000002ea`758c5b18 1c 00 00 00 bb 1a 69 00-ef 0c 0c 0c 0c 0c 0c fe ......i.........
000002ea`758c5b28 00 00 00 00 00 00 00 00-00 80 00 00 00 00 0d 00 ................
000002ea`758c5b38 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000002ea`758c5b48 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000002ea`758c5b58 00 00 00 00 00 00 00 00-18 04 02 62 30 03 6f 72 ...........b0.or
000002ea`758c5b68 67 0b 61 66 69 6c 69 61-73 2d 6e 73 74 03 6f 72 g.afilias-nst.or
000002ea`758c5b78 67 00 00 00 00 00 00 00-00 00 00 00 ee 22 69 00 g............"i.
000002ea`758c5b88 e8 5b 8c 75 ea 02 00 00-ef 0b 0b fe ef 0b 0b fe .[.u............
0:001>
dns!SigWireRead+0x98:
00007ff7`a9daf968 e8324c0d00 call dns!memcpy (00007ff7`a9e8459f)
0:001> db 2ea`758c5b18
000002ea`758c5b18 1c 00 00 00 bb 1a 69 00-ef 0c 0c 0c 0c 0c 0c fe ......i.........
000002ea`758c5b28 00 00 00 00 00 00 00 00-00 80 00 00 00 00 0d 00 ................
000002ea`758c5b38 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000002ea`758c5b48 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000002ea`758c5b58 00 00 00 00 00 00 00 00-00 01 05 00 00 00 00 00 ................
000002ea`758c5b68 00 00 00 00 00 00 00 00-00 00 3b 01 39 09 79 79 ..........;.9.yy
000002ea`758c5b78 79 79 79 79 79 79 74 03-66 75 6e 00 00 18 00 01 yyyyyyt.fun..... //已经溢出了
000002ea`758c5b88 c0 0c 00 18 00 01 00 00-00 00 ff d2 00 01 05 00 ................
0:001> r r8 //但还是要复制0xffbe长度的数据
r8=000000000000ffbe
0:001> p
(868.8fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
msvcrt!memcpy+0xb4:
00007fff`98f74a34 660f7f49f0 movdqa xmmword ptr [rcx-10h],xmm1 ds:000002ea`758cb000=????????????????????????????????
漏洞利用
0:019> db 17ef599f300 lfa0
0000017e`f599f300 00 00 00 00 00 00 00 00-42 71 5e fc f9 36 db 10 ........Bq^..6..
0000017e`f599f310 70 b7 65 e7 bb 22 a3 00-ef 0c 0c 0c 0c 0c 0c fe p.e.."..........
0000017e`f599f320 00 00 00 00 00 00 00 00-61 80 10 00 18 00 57 00 ........a.....W.
0000017e`f599f330 57 02 00 00 57 02 00 00-00 00 00 00 01 00 00 00 W...W...........
0000017e`f599f340 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f350 00 00 00 00 00 00 00 00-00 01 05 00 00 00 00 00 ................
0000017e`f599f360 00 00 00 00 00 00 00 00-00 00 16 03 06 73 70 5f .............sp_
0000017e`f599f370 31 31 35 09 79 79 79 79-79 79 79 79 74 03 66 75 115.yyyyyyyyt.fu
0000017e`f599f380 6e 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 n...............
0000017e`f599f390 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f3a0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f3b0 00 00 00 00 bb 22 a3 00-ef 0c 0c 0c 0c 0c 0c fe ....."..........
0000017e`f599f3c0 00 00 00 00 00 00 00 00-61 80 00 00 18 00 57 00 ........a.....W.
0000017e`f599f3d0 57 02 00 00 c7 19 00 00-00 00 00 00 01 00 00 00 W...............
0000017e`f599f3e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f3f0 00 00 00 00 00 00 00 00-00 01 05 00 00 00 00 00 ................
0000017e`f599f400 00 00 00 00 00 00 00 00-00 00 16 03 06 73 70 5f .............sp_
0000017e`f599f410 31 31 36 09 79 79 79 79-79 79 79 79 74 03 66 75 116.yyyyyyyyt.fu
0000017e`f599f420 6e 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 n...............
0000017e`f599f430 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f440 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f450 00 00 00 00 bb 22 a3 00-ef 0c 0c 0c 0c 0c 0c fe ....."..........
0000017e`f599f460 00 00 00 00 00 00 00 00-61 80 00 00 18 00 57 00 ........a.....W.
0000017e`f599f470 57 02 00 00 c7 19 00 00-00 00 00 00 01 00 00 00 W...............
0000017e`f599f480 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f490 00 00 00 00 00 00 00 00-00 01 05 00 00 00 00 00 ................
......
// DNS!RR_Free
v4 = *(_WORD *)(v1 + 0xC);
if ( v4 != 2 && v4 != 6 && (unsigned __int16)(v4 + 0xFF) > 1u || (v5 = *(_WORD *)(v1 + 0xA), v5 & 0x200) )
{ ...... }
else
{
*(_WORD *)(v1 + 0xA) = v5 | 0x200;
Timeout_FreeWithFunctionEx(v1, (__int64)RR_Free, (__int64)"nanoserver\\ds\\dns\\server\\server\\record.c", 168);
_InterlockedAdd(&dword_1401CCF4C, 1u);
}
//DNS!Timeout_FreeWithFunctionEx
if ( rr_object )
{
v4 = (CHAR *)a3;
v5 = (void *)rr_free;
v6 = a4;
v7 = (void *)rr_object;
......
v8 = (DnsTimeoutObject *)Mem_Alloc(0x28, 7i64, (__int64)"nanoserver\\ds\\dns\\server\\server\\timeout.c", 1619);
v9 = v8;
if ( v8 )
{
v8->Tag = 0xDE1AEDFE;
v8->pItem = v7; //偏移0x8处设置需要释放的对象指针
v8->pFreeFunction = v5; // 偏移0x10处设置RR_FREE函数指针
v8->pszFile = v4;
v8->LineNo = v6;
//DNS!Timeout_CleanupDelayedFreeList
if ( v5->pFreeFunction )
{
_InterlockedIncrement(&dword_1401DB464)
((void (__usercall *)(__int64 (*)(void)@<rcx>))v5->pFreeFunction)((__int64 (*)(void))v6->pItem);
}
else
{
Mem_Free((_QWORD *)v6->pItem, 0i64, 0i64, (__int64)"nanoserver\\ds\\dns\\server\\server\\timeout.c", 571);
}
0:021> db 17e`f599f630 l50
0000017e`f599f630 00 00 00 00 bb 07 50 00-ef 0c 0c 0c 0c 0c 0c fe ......P.........
0000017e`f599f640 10 16 03 e7 7e 01 00 00-70 9f 02 e7 7e 01 00 00 ....~...p...~...
0000017e`f599f650 b0 4a e4 d8 f7 7f 00 00-b8 9f f6 d8 f7 7f 00 00 .J..............
0000017e`f599f660 fe ed 1a de a8 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`f599f670 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:021> u 7ff7`d8e44ab0 //偏移 0x10 处(不包括头部)的函数指针
dns!RR_Free:
00007ff7`d8e44ab0 4885c9 test rcx,rcx
00007ff7`d8e44ab3 0f8434020000 je dns!RR_Free+0x23d (00007ff7`d8e44ced)
00007ff7`d8e44ab9 48895c2408 mov qword ptr [rsp+8],rbx
00007ff7`d8e44abe 48896c2410 mov qword ptr [rsp+10h],rbp
00007ff7`d8e44ac3 4889742418 mov qword ptr [rsp+18h],rsi
00007ff7`d8e44ac8 57 push rdi
00007ff7`d8e44ac9 4154 push r12
00007ff7`d8e44acb 4156 push r14
0:021> db 17e`e7029f70-10 //偏移 0x8 处的一个 SOA 对象指针
0000017e`e7029f60 00 00 00 00 bb 22 8a 00-ef 0c 0c 0c 0c 0c 0c fe ....."..........
0000017e`e7029f70 00 00 00 00 00 00 00 00-61 80 10 22 06 00 2d 00 ........a.."..-.
0000017e`e7029f80 ae 01 00 00 ae 01 00 00-00 00 00 00 01 00 00 00 ................
0000017e`e7029f90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`e7029fa0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0000017e`e7029fb0 00 00 00 00 00 00 00 00-00 00 00 00 01 00 00 14 ................
0000017e`e7029fc0 03 04 73 70 5f 30 09 79-79 79 79 79 79 79 79 74 ..sp_0.yyyyyyyyt
0000017e`e7029fd0 03 66 75 6e 00 00 00 00-00 00 00 00 00 00 00 00 .fun............
总 结
参考链接
看雪ID:蝶澈——
https://bbs.pediy.com/user-home-701197.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!