
(MS07-029) Microsoft DNS RPC Management Vulnerability (935966)

Type: Buffer Overflow
Impact of exploitation: Remote Code Execution
User Interaction: No user interaction is needed
Attack Vector: Malicious remote network traffic
Rating: Critical
CVE reference: CVE-2007-1748
Vendor Status: Responded and patched
Vulnerable systems: Windows 2000 Server SP4; Windows 2003 SP1 - SP2

Summary
A vulnerability in the Microsoft Windows DNS Server Service may allow for remote code execution. An attacker does not need to be authenticated in order to exploit this vulnerability.

Description

The Microsoft Windows DNS Server service is a domain name service daemon included with Windows 2000, XP, 2003, and Vista. A vulnerability in the service may allow remote code execution. Specially crafted RPC traffic sent to this service would compromise the service and give the attacker full control over a vulnerable machine. An attacker does not need to be authenticated to exploit this vulnerability. Windows 2000 and 2003 are affected by this vulnerability.

McAfee Product Mitigation & Recommendations

Recommendations

Download and install the patch available from Microsoft (935966): http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx

McAfee Product Mitigation

McAfee Foundstone

This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.

Signature: Windows DNS Server Service RPC Vulnerability (Intrusive)
Signature identifier: 5075
Release date: 4/13/2007

McAfee Foundstone

This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.

Signature: Windows DNS Server Service RPC Vulnerability (Credentialed)
Signature identifier: 5076
Release date: 4/13/2007

McAfee Intrushield

This signature provides coverage for this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: DCERPC: Windows DNS Server Service RPC Vulnerability
Signature identifier: 0x47603300
Release date: 4/17/2007
First released in: sigsets 2.1.64.1, 3.1.37.1

McAfee Host IPS

This signature provides coverage for this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Signature identifier: 3840
Release date: 4/16/2007
First released in: Security Content Update 1090

McAfee Host IPS

Out of the box, HIPS protects against many buffer overflow exploits. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.

Signature: Generic buffer overflow protection
Signature identifier: 428
Release date: 4/16/2007
First released in: 2.0

Additional Resources

Microsoft Security Advisory: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft Security Bulletin: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx

Timeline

5/8/2007

Vendor has provided a patch.

4/18/2007

Exploit code has been released.

4/16/2007

An Internet Relay Chat Worm that exploits this vulnerability is found in the wild.

4/15/2007

Exploit code has been released.

4/15/2007

Exploit code has been released.

4/15/2007

Exploit code has been released.

4/14/2007

Exploit code has been released.

4/12/2007

Vendor has provided information on the vulnerability. A targeted attack has been reported.
