by Mitja Kolsek, the 0patch Team
This month's Patch Tuesday included a fix for CVE-2020-1350, a critical memory corruption vulnerability in Windows DNS Server affecting all Windows Server versions from long-unsupported Server 2003 to the latest Server 2019.
After Microsoft's initial announcement and security advisory, the CheckPoint research team published a detailed article about the issue, describing the attack vector and providing enough information for other security researchers to trigger the vulnerability. Just one day later, the first real proof-of-concept was published, developed by Max Van Amerongen (@maxpl0it) from F-Secure Labs, and later several other researchers have shown their own tools triggering the vulnerability.
We can safely assume that offensive teams worldwide are currently trying to develop a reliable arbitrary code execution exploit as they know that Windows Updates take anywhere from long to eternity before getting applied to most Windows Servers out there. Their job will not be trivial, with various exploit mitigations in place on modern Windows servers, but counting on them to fail would be a risky strategy. In addition, many companies are still using Windows Server 2008 machines with no security updates past January this year.
Numerous 0patch customers have one or more Windows 2008 Servers and we wanted to take care of them as quickly as possible. With a working proof-of-concept at hand we could easily create a micropatch for this issue. Let's look at Microsoft's patch first:
The image above shows the difference between vulnerable function SigWireRead (left) and its patched counterpart (right). This function was one of only three functions in dns.exe modified by the July update, and the other two were not relevant for the issue at hand.
Microsoft's patch (gray code blocks) introduced three integer overflow/underflow checks, for one subtraction and two addition operations. When faced with Max's proof-of-concept, it is the third check (the lowest gray code block) that detects the overflow and redirects execution towards function's exit instead of processing the DNS packet further - which would lead to memory corruption.
Our micropatch does logically the same, with one difference - when integer overflow/underflow is detected, it also displays and logs an exploit attempt, allowing admins to know that their server was targeted by an exploit:
MODULE_PATH "..\Affected_Modules\dns.exe_6.1.7601.24437_64bit\dns.exe"
PATCH_ID 456
PATCH_FORMAT_VER 2
VULN_ID 6390
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x4EC89
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT dns.exe!0x4EC68
code_start
push rdi ; push to ensure normal code flow after patch
push rax ; push to ensure normal code flow after patch
;First check
sub rdi, rax
cmp rdi, 0xFFFF
ja ExploitBlocked ; the TCP packet is not valid, jump to Exploit Blocked
;Second check
movzx eax, byte[rsp+30h+2*8] ; added 2*8 to the original offset to compensate for the 2 pushes at the beginning
add ax, 0x14
cmp ax, 0x12
jb ExploitBlocked ; the TCP packet is not valid, jump to Exploit Blocked
;Third check
lea ecx, [rax+rdi]
cmp cx, ax
jb ExploitBlocked ; the TCP packet is not valid, jump to Exploit Blocked
jmp End ; the TCP packet is valid, continue with original code
ExploitBlocked:
pop rax ; restore rax to its previous value
pop rdi ; restore rdi to its previous value
call PIT_ExploitBlocked ; Exploit Blocked pop up
jmp PIT_0x4EC68 ; Exit function, TCP packet not valid
End:
pop rax ; restore rax to its previous value
pop rdi ; restore rdi to its previous value
code_end
patchlet_end
We released our micropatch early afternoon CET today and it got applied to all online computers with 0patch PRO worldwide within 60 minutes without restarting the computer or DNS service.
This is how it looks like when a DNS server is attacked without and with 0patch:
The first instance of our micropatch is targeted at Windows Server 2008 R2 without Extended Security Updates, and we plan to port it to Windows Server 2003 next for our users who are for various reasons still using this unsupported server. [Update 7/20/2020: Micropatch is now ported to 32-bit and 64-bit Windows Server 2003.]
Although free official updates exist for all supported Windows servers, admins may not be able to apply them immediately or restart the computer; for such cases, requests for porting our micropatch to specific versions of dns.exe running on affected computers can be sent to sales@0patch.com.
If you have 0patch Agent with PRO license installed on your Windows Server 2008 R2 or Server 2003 computer, our micropatch is already downloaded and applied to your DNS server. Otherwise, to obtain the micropatch and have it
applied on your
computer(s) along with other micropatches included with a PRO license,
create an account in 0patch Central, purchase a PRO license or request a trial at sales@0patch.com, install 0patch Agent and register it to your account.
Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.
We'd like to thank Max Van Amerongen (@maxpl0it)
from F-Secure Labs for publishing their analysis and POC, and for
providing additional assistance in triggering the vulnerability and
simplifying our test case, thereby allowing us to create this micropatch for
Windows users without official security updates.