Rolling in the Dough: How Microsoft Identified and Remediated a Baker’s Dozen of Security Threats in the Windows DNS Server

PrintNightmare has revealed that certain standard groups in Active Directory, including DNS Administrators, often contain a significant number of users in production environments. Consequently, components could be vulnerable to compromise by users in these groups. DNS Admins can access almost a hundred functions in the DNS server remotely over RPC, offering a large attack surface that could lead to RCE on a high-value asset.

This talk is a collaboration between the team who identified several vulnerabilities in the Windows DNS Server and the team who fixed them. As a security researcher in the Microsoft Security Response Center, George will discuss the motivations behind exploring this attack surface, the prior research that inspired this work, and the significance of this attack surface for future researchers.

Following this, we will reveal a subset of the thirteen vulnerabilities and how we identified the issues. These include privileged file operations, integer overflows, input validation issues, race conditions, and use-after-frees. We will also explore the proofs of concept for these vulnerabilities, which could allow any user in the Domain Admins group to gain arbitrary code execution as SYSTEM on the DNS server.

Researchers often have little insight into how their vulnerabilities are fixed. As a member of the Windows Servicing and Delivery team, Jay Arif will shed light on the strategy behind fixing these issues, and individual technical problems with the fixes. He will also highlight the partnership between teams that went into planning the best possible fixes, which included a major overhaul of this component to address both the immediate issues and potential future issues.

This research provides insight into Microsoft's approach to new attack surfaces and highlights both the efforts that researchers at Microsoft make to revisit interesting attack surfaces and the concerted efforts to remediate these vulnerabilities.

 

About the Presenter: George Hughey

George is passionate about Windows Security and improving the security landscape for all Windows users. Over the past four years as a member of MSRC's Vulnerabilities and Mitigations Team, George has investigated various components in Windows, hunting for and remediating the most pervasive vulnerabilities in the ecosystem.

 

About the Presenter: Arif Hussain

Principal software engineer with over 13 years of invaluable experience at Microsoft, I have worked across a diverse range of technologies such as Windows print subsystem, Excel, USB, and networking components including DNS, DHCP, and HTTP. The majority of my work currently focuses on enhancing DNS server with new features and keeping DNS server secure and efficient.

 

One of the original presenters, Jay Ladhad, couldn’t attend the conference; Arif Hussain will be co-presenting in his stead.

About the Presenter: Jay Ladhad

Jay is a programming enthusiast who currently focuses on the networking area, specifically DNS server/client and DHCP server/client communication. He works on the Windows DNS Server and oversees its security and feature development. Over the past two years, Jay has spent a lot of time designing and improving Windows DNS Server to be robust, secure, and efficient.
