...on Wed, Jul 15, 2020 at 10:55:27AM -0400, Phil Pennock wrote:
> For anyone whose organization has some MS Windows servers running a DNS
> server, you might care about a CVSS 10.0 wormable Remote Code Execution
> vulnerability:
>
> https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/

I've been wondering if this is exploitable when a Windows DNS server is not able to contact an authoritative server that sends the malicious reply. In the scenario described by Check Point in their writeup, it looks as if Windows DNS servers will try to directly ask a cached authority even if they're configured for forwarding:

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Would other nameservers drop a reply where this scheme with pointer compression resulting in a very large Signer's Name field is being used? It doesn't look invalid as such.

Alex.
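
Added example, not part of the original message: a receiver-side check that expands an RFC 1035 compressed name, showing how two octets on the wire can stand for a name of hundreds of octets, and that rejects pointer loops and names over the 255-octet limit. The function names and sample buffers are hypothetical and constructed; it does not model what any particular nameserver does.

```python
MAX_NAME = 255  # RFC 1035: octets in a fully expanded domain name

def expand_name(msg, offset):
    """Follow labels and pointers from offset.
    Returns (labels, octets used at offset, expanded length)."""
    labels, expanded, used, pos, seen = [], 0, None, offset, set()
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # two-octet compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if used is None:  # wire size is fixed at the first pointer
                used = pos + 2 - offset
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
            if pos in seen:
                raise ValueError("compression pointer loop")
            seen.add(pos)
            continue
        if n & 0xC0:
            raise ValueError("unsupported label type")
        expanded += 1 + n
        if expanded > MAX_NAME:
            raise ValueError("expanded name exceeds 255 octets")
        if n == 0:  # root label ends the name
            return labels, used if used is not None else pos + 1 - offset, expanded
        if pos + 1 + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + n])
        pos += 1 + n

def verdict(msg, offset):
    """Return a keep/drop decision string for the name at offset."""
    try:
        labels, used, expanded = expand_name(msg, offset)
        return f"ok: {used} octets on the wire, {expanded} expanded"
    except ValueError as err:
        return f"drop: {err}"

# Constructed sample data (not captured traffic): 12-octet header, then names.
def encode(labels):
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

HEADER = bytes(12)
MSG = HEADER + encode([b"a" * 60] * 4) + b"\xc0\x0c"   # pointer at offset 257
OVER = MSG + bytes([20]) + b"b" * 20 + b"\xc0\x0c"     # label + pointer at 259
LOOP = HEADER + b"\xc0\x0c"                            # pointer to itself

if __name__ == "__main__":
    for tag, msg, off in [("pointer", MSG, 257), ("over", OVER, 259), ("loop", LOOP, 12)]:
        print(tag, "->", verdict(msg, off))
```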
