All right, Tom here from Lawrence Systems, and I have a special guest, Xavier D. Johnson with Enterprise Offensive Security. We have to talk about this Windows DNS flaw. I needed someone smart in cybersecurity to help me with this. You know, it's 10 out of 10 bad. You hear things like "wormable" and you're like, hold on, hold on, Windows is starting to scare me a little bit here, but it may not be as bad as we think. Right. Well, I hope so. So I'm gonna rely on a little expertise here; that's why Xavier's here. I'll leave a link to how you can find his channel and information about him down below. But let's dive into this mess that is SIGRed. I think that's what it has been called, right? SIGRed. Yeah, SIGRed, and it's funny, I love the name of it. Yeah, I mean, because if you understand the bug then you understand the severity of the name. Yes, and we'll start with what SIG is specifically, referring to a signature record used in SIG(0), RFC 2931, and TKEY, blah blah blah. So what we're looking at here is the signatures within DNS. So you have a domain, that domain has name servers attached to it, and, for example, lawrencesystems.com, and then there's ns.lawrencetechnology.com, I think our NS1 is our name server. Now if I were to craft a payload into mine, because I control my name servers, I can put whatever I want in this particular slot, so to speak, in the DNS, and it turns out if you put something big enough in there, Microsoft will think it's executable. It starts to flow over into another part, another piece of memory that it shouldn't. And so it seems like you could just put a payload as a DNS record. Yeah, and that's not how it should work.
You should always sanitize your input. So when you're reading something, especially out of the public space that is the internet, where anyone can put anything in a record, proper coding... and someone wasn't thinking about this about 17 years ago. Yeah, it basically allows this in there. Now I know some of you are going, "Well, good news, my Windows DNS server isn't publicly facing, so I should be safe," but that's actually not true either. The exploit works by, if you have a Windows Active Directory set up and your hosts are all connected to that Active Directory, that pretty much means that Windows server is acting as a DNS. So any one of your clients, no matter what level of protection they put on there, they send their queries over to your Microsoft server, and then it reaches out and grabs the, well, what could be a payload in the name server record, and that's where the exploit problem comes in. Yeah, and I mean, this is the reason why you would use SIG to begin with: it's to address the need for DNSSEC, as far as I know. Yes. So just imagine you're trying to use security against security, right? So I mean, it's not necessarily that the DNS of Windows or Microsoft itself is vulnerable as much as it is the implementation of reading these records from the DNS. Yes. So the concept of DNSSEC was to establish a better authority so we don't man-in-the-middle something. So we have a secure line between, making sure, all right, this name server is properly Tom's name server for his website, so we know the name server and the website are all working together, we're gonna deliver you validated records to make sure that this is the website you're going to. But of course adding these extra signatures was the extra coding that meant we have to put signatures in there, and these are essentially like security certificates that they put in there for validation.
Yeah, there's a signature and there's a key. Yeah, but there apparently is also the buffer overflow. So what they're doing here is... and how many times, doing security research, is this where you start poking and looking? I mean, any time you've got input and output, that's where the rubber meets the road for security. And if you're an aspiring researcher, any time you figure out that a system is receiving data and/or giving data, those are your sweet spots. So somebody thought about this and said, hmm, how is the domain actually handling DNS? I wonder if I can pass more data than what can be handled in the runtime when they're calling out the signature, and here you go, you get a heap-based buffer overflow. And at first, usually the first thing that happens when you've overrun the data is it crashes. But the crash is the first indicator; it will crash, but then, yeah, let's keep fuzzing away at it until we find out where the executable is, and that's how we can start delivering a payload into it and actually get the server to run something. Right, it's called control flow, right? And if you can actually gain control over the flow of the runtime, or the execution of a program, then you own the program, right? Because you're saying, hey, by the way, go to this next memory address for your next instruction, and if I own that memory address, I can actually send whatever instructions I like. And that's where it gets scary, because DNS is a server-level function.
So you get full SYSTEM. You know, SYSTEM, you're running at the lowest, or I should say highest, level of functionality in Windows, you know, ring zero, the lowest, ring zero. Yeah, and that's where you want to be, because now you have control. So once you've decided to execute something, whatever you have executed in there executes with that same level of permission that the DNS server runs at, and all this is being done with the user completely unaware of it, because it actually doesn't affect the user's workstation. It directly attaches to the server; it's executing at the server level, not the workstation level. Right, and that's where this really gets interesting, right? You're talking about a single user in your network, in your environment, being able to compromise the server upstream from it, which actually affects the rest of the organization. So no longer are you worried about just simple ransomware on a single endpoint that may be able to be contained to that single device, depending on how you have your network set up. You're talking about an entire, complete network compromise from the click of a link, or just from visiting a page, potentially. Yeah, and this is a really scary concept. I mean, attacking the DNS like this... someone had asked me why this wasn't found earlier than 17 years, and there have been other exploits.
I know Unbound, which I covered before, I think in another video, where Unbound had a very similar one, where they found out there was a buffer overrun under certain conditions, which, good news is, I don't think for most systems it was a default condition. But that in the Linux world was a similar problem where Unbound would read the same thing; it was DNSSEC signatures, somewhere related in that area, and someone found an overflow. Because it is scary, because the user goes, all I did was go to the website, and there's not even a trail left on the user, other than you have to know the website to deliver the payload. But I mean, the hackers leave that evidence for you. I mean, in the world with malicious advertising and the fact that, you know, I could put a malicious ad on a legitimate site and take advantage of this vulnerability just for you visiting the site and that DNS being resolved on your network, that's very, very dangerous. Yeah, so the Check Point research is some really good... I mean, we're not gonna go through every little bit of it, but you can tell I'm like halfway down the page. They walk you through each little piece of exactly how this is done, which I thought was great, how they break it down. It's really solid research, but it also goes to show something I brought up before, which is why wasn't it found for 17 years? It's also because this is how much work it was to find this. Right, and there's definitely a few more of these bugs hanging out there, just kind of waiting, waiting to be found. Zero days, and I mean, you know, you talk about the zero-day thing, this is that, and who's to say that this hasn't been used in campaigns before, where people are being compromised from using this exact bug? I can tell you this: there will be patches that come out, there'll be some people that don't patch, they will be compromised due to this bug.
I mean, we can just guarantee you that a 10 out of 10 wormable Windows 10 bug is going to be abused. Yeah, we're definitely gonna see this used. Well, the other side of what's gonna happen on this is, because this is so old, this affects really old versions that are all well, long past support, long past patching, but obviously still in use, and I know no one's turning off that 2003 server because it works. No. So it's just a matter of time before someone releases a series of, you know, ads or whatever they want to start, you know, blanketing out this and getting users to click on it, a couple malicious, well-placed ads to weird domains. I mean, you don't even really got to go that far if you got a Raspberry Pi and you can get somebody on your network and then do a captive portal. Yeah. Then you just force someone's device to actually connect to a network and then force their device to send traffic to a place that may have this vulnerability. So the fix for this is patch, or don't use Windows DNS. Those are the only two options. Now another question that came up, I've seen a few people actually ask me this, was, well, why do they release this research and the patch? And the reason why is really simple: how many bad actors are watching Patch Tuesday, which was yesterday, or is that yesterday? It was patched yesterday. All of them, all of them. They would have found this anyway. They would have said... so making... I mean, and if you look at Winbindex, W-I-N-B-I-N-D-E-X, and you can pull this up if you want. I'm not sure if you've ever heard of this before, but Winbindex is a tool that allows you to find all of the different binaries that were changed based on Windows updates. If you give it a go, if you want to share your window and pull that up for the people. It's really interesting. I just discovered it about two days ago, and it's funny because literally a day before Patch Tuesday... And it's also funny, you actually shared a link, is it patched Tuesday, and that was redirecting potentially at some point. I'm not sure why, but you talk about the ability to be able to get into traffic. What's the domain again? Winbindex. Yep. B-I-N like binary. Why am I thinking that? And there you go. Yep, that's it. So, I mean, I'm not, you know, the most Windows-friendly person, but I can tell you that, you know, even if you want to click on that blog post down there, I could tell you that this will be used and is used for you to be able to get a better understanding of what is coming out of these updates, right? And so something like, you know, reverse engineering a patch is becoming easier and easier and lower-hanging fruit than ever, and they're using tools. This isn't my skill set, like... Right. Getting a list of updates, how they do it. This is, yeah, here's how you grab them, and then, okay, they have some pretty simple instructions. I'll have to check this site out. That's pretty neat. So yeah, if you want to give that one file a look. What was it? SIG... can't think of the exact DLL. Oh, they have a listing here. Look, look at that. Just type in SIG and see what pops up, and then scroll down to the SS SIG. Signing control, nothing yet. So it's probably a matter of time before you type in SIG and... Either way, yeah, I mean, it's pretty powerful to find something. Oh, wow. And when you can download the vulnerable version just in case you want to have a back door back into some systems, right?
Oh, well, let me just replace this one DLL with this other DLL, and it's not like Windows is going to say, hey, by the way, that's malicious malware. Yeah. Yeah, if you're living off the land and just doing it that way, and you're just replacing some... because you're replacing it with a known good, so it actually would pass signature. So if you were actually... I get what you're saying. You could actually unpatch a system, which is, I guess, super scary. If you unpatch a system, Microsoft may not realize a file was changed. So you gained access, you unpatched it. I mean, it's hard to gain access if it's patched, but then you can further unpatch a system. So one patch leads to, let me unpatch a few more things. Yeah, especially if I have, like, domain admin and I'm doing stuff like pushing GPO, and I may come up with a nice one-liner to make your entire network vulnerable by just replacing one single DLL as part of my campaign. Right, we're talking about advanced persistent threats. We're talking about targeted things. So maybe I'm in there for six months, just trying to get you to, you know, just trying to get you to the holiday season so I can get you to the one page to get domain admin, right, or to further my access or whatever, right? And this is why I had you on here. This is what you do for a living. So you go, like, those next layers deep. You're like, I've been in a network for six months. And, to be full disclosure, Xavier spends time reversing this and undoing hacks that people... I mean, I spend time on both sides of the coin, right? So I have some customers that come to me that are breached, hair on fire, and then I have the majority of my customers come to me that have already been breached, and they're like, hey, I never want to go through that again. Can you please help me? And then we work with them to put together a plan so that they can keep an eye on things, right?
Like, there's no foolproof method to stopping, you know, attackers or attacks, insider or external. But what you can do is develop a program, a security program, within your organization that addresses these risks, and then document the ways that you've addressed these risks, and continue to make those living documents and say, hey, you know, as threats emerge, we're going to need to add on to these policies to make sure that we're accountable and that we're being held accountable for all of the, you know, potential risks that are exposed, right? I mean, something as simple as a proxy may be able to save you from a, you know, attack like this, or the single one-liner that can be run that, you know, sets the maximum size for DNS records. Yeah. Little things like that. And I think the biggest thing is probably, when you have done the security audit, it's almost always they're unpatched, like, from last year, not last week. So most of it is... there's a value in the security audit. It's not like you didn't patch from yesterday's Patch Tuesday; it's like last year's Patch Tuesday. Yeah, you skipped a few. And I think what people... I think there's a few every year, they do those, you know, what got breached, like overviews for a year, and most exploits were ones that were over, I think 50% of which are ones that are over a year old, are the ones used. So sure. Yeah, a lot of my... I mean, two thousand... exploits from 2014 are still valid. And then you also got to think about, like, beyond exploits, right? As a security practitioner, as a red teamer, right, I get to do things that aren't necessarily just find a service and exploit it. I get to move laterally, right? So there's sometimes where you'll make one compromise, and then a misconfiguration is the way that I'll get domain admin, right?
And so, like, you may have had that one weak service, or you may have had that one person that clicked on the link, and when I got on their host, the rest of your network was flat. You didn't use MFA to your services. You didn't proxy off all of your sensitive things. I was able to go from, you know, east to west very easily. Yeah, that lateral movement is important, because I know there's a lot of companies where the lateral one becomes easy, and this is something we've helped with, because of the flat network problem. They go, well, it's behind the firewall, so it's okay, the way the 2003 server... Like, no, you need to segment that off to yet another one, so your general users that don't need access to it... which is usually you're running it because you have some particular piece of software, but that whole software, that whole thing, should all be in its own container. That way, if the general person in accounting clicks on something, you don't get that lateral movement. So there are still ways to protect against it. So it is doom and gloom in terms of this particular bug we're talking about, but if you have an overall security plan to help prevent some of that, you know, east-west movement, your life's gonna be a lot better. Exactly. I mean, I've had customers that have had ransomware events where one endpoint got ransomed, and I'm like, bravo, and they're like, by the way, we've got, you know, iDrive, and we've got these other ways for us to be able to look at when files get changed, and we audit this, and, you know... So they still had things that they could have done better and can still do better, and that's how they get to that next level of hardening, where they're like, hey, we survived, and what our competitors may die from, right? Yeah. And so it validates the spend on security at that point, and sometimes that's what it takes, is for you to go through a breach and actually see that the things that you're doing are working, right?
Like when Tom lets me on his network and I start pinging around, and then he goes, hey, I got our watch on, so I see what you're doing, and also I got Tor blocks. So what was happening, right? You know, those little small pieces slow a person like me down. I'm like, forget Tom's rack, I want to go find Steve's computer, because I know Steve has, like, some special VPN that'll let me do other stuff. It is kind of fun, and this is why, you know, so much of what I've talked about on my channel is a lot of that, and Xavier talks about the other side, the tooling side, on his channel. So I'll leave links where you can find out more about Xavier and his company, things like that, and of course links to the SIGRed research. And the bottom line, if you're looking for what the immediate thing is: patch. And once you're done patching, because if you don't even finish this video, if you're not patched, get that done. Once you're done with that, start talking about security plans, start putting some thoughts on it, and segment your network, and be safe out there, man. It's a scary world. So we're gonna get back to work. Yes, patching, and, uh, I got new hardware done I'm playing with. Yep, yep, we got some new lab builds, so you're gonna start seeing a lot more from Xavier. Um, that's what me and him are gonna be back to, too, is we have the... all new servers back there. So we're gonna... shiny. All right.
Thanks. Thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos. They're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.