Information

  • Vulnerability dubbed SIGRed
  • This crash occurs at dns.exe!SigWireRead+0x9d as a result of a memcpy to unmapped memory.
  • The crash is caused by RR_AllocateEx allocating a much smaller buffer than needed, because of an integer overflow in the function’s first parameter (the allocation size).
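
The allocation-size pattern behind this crash, as an added illustration that is not dns.exe code: a hypothetical record parser computes header + payload length in a 16-bit value (HDR_BYTES is an assumed header size), so a large payload length wraps to a tiny allocation that the following copy overruns, while the checked variant does the arithmetic in a wide type and rejects sizes that do not fit.

```c
/* Hypothetical model of the 16-bit allocation-size overflow; not the
 * real RR_AllocateEx / SigWireRead code. HDR_BYTES is an assumed value. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES 0x14u          /* assumed fixed record header size */

/* Vulnerable pattern: the sum is narrowed to 16 bits before it reaches
 * the allocator, so a payload length near 0xFFFF yields a tiny buffer. */
uint16_t alloc_size_truncated(uint16_t payload_len) {
    uint16_t size = HDR_BYTES + payload_len;   /* wraps modulo 0x10000 */
    return size;
}

/* Hardened pattern: compute in size_t and refuse the record when the
 * true size would not fit the allocator's 16-bit size parameter. */
int alloc_size_checked(uint16_t payload_len, uint16_t *out) {
    size_t needed = (size_t)HDR_BYTES + payload_len;
    if (needed > UINT16_MAX) return -1;          /* would have wrapped */
    *out = (uint16_t)needed;
    return 0;
}

/* Bytes a copy of header + payload would write past the truncated
 * allocation; zero means the length does not trigger the overflow. */
size_t overflow_bytes(uint16_t payload_len) {
    size_t needed = (size_t)HDR_BYTES + payload_len;
    size_t got = alloc_size_truncated(payload_len);
    return needed > got ? needed - got : 0;
}

/* Safe copy built on the checked size: returns NULL instead of
 * allocating a buffer too small for the data it is about to receive. */
uint8_t *copy_record_checked(const uint8_t *payload, uint16_t payload_len) {
    uint16_t size;
    if (alloc_size_checked(payload_len, &size) != 0) return NULL;
    uint8_t *rec = calloc(1, size);
    if (!rec) return NULL;
    memcpy(rec + HDR_BYTES, payload, payload_len);  /* fits by construction */
    return rec;
}
```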

Stack at crash:

msvcrt!memcpy+0xb4:
00007ffa`47a64a34 660f7f49f0      movdqa  xmmword ptr [rcx-10h],xmm1 ds:00000222`1b068000=????????????????????????????????
msvcrt!memcpy+0xb4
dns!SigWireRead+0x9d
dns!Wire_CreateRecordFromWire+0x15a
dns!Recurse_CacheMessageResourceRecords+0x10fc
dns!Recurse_ProcessResponse+0x590
dns!Answer_ProcessMessage+0x450
dns!Tcp_Receiver+0x792
dns!loadDatabaseAndRunDns+0xd99
dns!startDnsServer+0x434
sechost!ScSvcctrlThreadA+0x22
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Registers:

rax=0000000000000000 rbx=000002221b07fe9d rcx=000002221b068010
rdx=0000000000018a4a rsi=000002221b067390 rdi=000000000000ffaa
rip=00007ffa47a64a34 rsp=00000083ca8ff738 rbp=000002221b07feb1
 r8=0000000000000001  r9=00000000000007a1 r10=000002221b067380
r11=000002221b067467 r12=00007ff7bf349d40 r13=00007ff7bf31b498
r14=0000000000000022 r15=0000000000000800
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcrt!memcpy+0xb4:
00007ffa`47a64a34 660f7f49f0      movdqa  xmmword ptr [rcx-10h],xmm1 ds:00000222`1b068000=????????????????????????????????

PoC:
A public proof of concept was released by maxpl0it:
https://github.com/maxpl0it/CVE-2020-1350-DoS
References:
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350