Rolling in the Dough: How Microsoft Identified and Remediated a Baker’s Dozen of Security Threats in the Windows DNS Server

Presented at CanSecWest 2024, March 21, 2024, noon (60 minutes).

PrintNightmare has revealed that certain standard groups in Active Directory, including DNS Administrators, often contain a significant number of users in production environments. Consequently, components could be vulnerable to compromise by users in these groups. DNS Admins can access almost a hundred functions in the DNS server remotely over RPC, offering a large attack surface that could lead to RCE on a high-value asset.

This talk is a collaboration between the team who identified several vulnerabilities in the Windows DNS Server and the team who fixed them. As a security researcher in the Microsoft Security Response Center, George will discuss the motivations behind exploring this attack surface, the prior research that inspired this work, and the significance of this attack surface for future researchers. Following this, we will reveal a subset of the thirteen vulnerabilities and how we identified the issues. These include privileged file operations, integer overflows, input validation issues, race conditions, and use-after-frees. We will also explore the proofs of concept for these vulnerabilities, which could allow any user in the Domain Admins group to gain arbitrary code execution as SYSTEM on the DNS server.

Researchers often have little insight into how their vulnerabilities are fixed. As a member of the Windows Servicing and Delivery team, Arif will shed light on the strategy behind fixing these issues and on individual technical problems with the fixes. He will also highlight the partnership between teams that went into planning the best possible fixes, which included a major overhaul of this component to address both the immediate issues and potential future issues.

This research provides insight into Microsoft's approach to new attack surfaces and highlights both the efforts that researchers at Microsoft make to revisit interesting attack surfaces and the concerted efforts to remediate these vulnerabilities.

Presenters:

  • George Hughey
    George is passionate about Windows Security and improving the security landscape for all Windows users. Over the past four years as a member of MSRC's Vulnerabilities and Mitigations Team, George has investigated various components in Windows, hunting for and remediating the most pervasive vulnerabilities in the ecosystem.
  • Arif Hussain
    Principal software engineer with over 13 years of invaluable experience at Microsoft, I have worked across a diverse range of technologies such as the Windows print subsystem, Excel, USB, and networking components including DNS, DHCP, and HTTP. The majority of my work currently focuses on enhancing the DNS server with new features and keeping the DNS server secure and efficient.
