-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://corelabs.coresecurity.com/

Windows SMTP Service DNS query Id vulnerabilities



1. *Advisory Information*

Title: Windows SMTP Service DNS query Id vulnerabilities
Advisory Id: CORE-2010-0427
Advisory URL:
[http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs]
Date published: 2010-05-04
Date of last update: 2010-05-04
Vendors contacted: Microsoft
Release mode: User release



2. *Vulnerability Information*

Class: Predictable from Observable State [CWE-341], Insufficient
Verification of Data Authenticity [CWE-345]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-1689, CVE-2010-1690
Bugtraq ID: 39908, 39910



3. *Vulnerability Description*

DNS spoofing and cache poisoning attacks have been known security
threats that result from design weaknesses of the DNS protocol since the
early 1990s as described by Christopher Schuba [1] and Paul Vixie [2].
In 1997 a practical implementation of a blind remote DNS cache poisoning
attack that relies solely on exploiting the predictability of the ID
field of DNS query packets was described by Arce and Kargieman [3]. This
was followed up by further refinements and advancement of attack
techniques by Vagner Sacramento [4] and Joe Stewart [5] in 2002. Amit
Klein further investigated query Id predictability in BIND version 9[6]
and Windows DNS[7] server implementations in 2007. In 2008 a much
publicized advancement of the DNS cache poisoning technique was
disclosed by Dan Kaminsky [8] in conjunction with the release of
security fixes by several vendors. Microsoft's MS08-037
[http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx]Security
Bulletin addressed those DNS spoofing techniques in Windows DNS client
and server software.

In light of the 16-year saga of discovery and refinement of DNS
poisoning attacks and protection techniques in January 2009 the Internet
Engineering Task Force published RFC5452 with guidelines to make DNS
more resilient against forged answer attacks.[9]

While researching the fixes issued by Microsoft in Microsoft's Security
Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx]
published April 13, 2010 Nicolas Economou discovered two vulnerabilities
in Windows SMTP Service and Microsoft Exchange . These vulnerabilities
were fixed by the patches referenced in MS10-024 but were not disclosed
in the vendor's security bulletin and did not have an unique
vulnerability identifier assigned to them. As a result, the guidance and
the assessment of risk derived from reading the vendor's security
bulletin may overlook or misrepresent actual threat scenarios.
 Nicolas found that the Windows SMTP Service does its own DNS resolution
of MX records rather that use the DNS resolver from the operating system
while investigating CVE-2010-0024
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0024].
Furthermore, he found that the patch referenced in MS10-024 fixed two
severe bugs that were not disclosed as such in the bulletin and had no
CVE identifiers assigned to them. Basic analysis of the vulnerabilities
disclosed in this advisory indicates that the threat of DNS spoofing
attacks against Windows SMTP service and Microsoft Exchange or of
exploitation of CVE-2010-0024 was underestimated in MS10-024.
 An attacker may leverage the two previously undisclosed vulnerabilities
fixed by MS10-014 to spoof responses to any DNS query sent by the
Windows SMTP service trivially. DNS response spoofing and cache
poisoning attacks are well known to have a variety of security
implications with impact beyond just Denial of Service and Information
Disclosure as originally stated in MS10-024.
 As a result the importance of deploying MS10-024 patches may be
miss-represented in the vendor's security bulletin. Organizations using
vulnerable packages should consider re-assessing patch deployment
priorities in view of the additional information provided in this advisory.


3.1. *Predictable DNS query ID*

[CVE-2010-1689 | 39908] Prior to MS10-024 the Windows SMTP Service
generated DNS queries with trivially guessable values in the transaction
ID field. The issue was addressed in MS10-024 by adding a call to the
'CAsyncDns::GenerateRandWord' method when building the DNS query.


3.2. *Missing validation of DNS responses*

[CVE-2010-1690 | 39910] Prior to MS10-024 the Windows SMTP Service did
not check that the value of the ID field of a DNS response received from
the network actually matched the value of the ID field of a
corresponding DNS query packet previously sent. The issue was addressed
in MS10-024 by adding validation logic to the 'CAsyncDns::ProcessReadIO'
method.


4. *Vulnerable packages*

   . Microsoft Windows 2000 (SP4 and previous)
   . Microsoft Windows XP (SP3, SP2 and previous)
   . Microsoft Windows 2003 (SP2 and previous)
   . Microsoft Windows 2008 (SP2 and previous)
   . Microsoft Windows 2008 R2
   . Microsoft Exchange Server 2003 (SP3, SP2 and previous)
   . Microsoft Exchange Server 2007 (SP2, SP1 and previous)
   . Microsoft Exchange Server 2010


5. *Non-vulnerable packages*

   . Microsoft Windows 2000 (SP4 and previous) with MS10-024
   . Microsoft Windows XP (SP3, SP2 and previous) with MS10-024
   . Microsoft Windows 2003 (SP2 and previous) with MS10-024
   . Microsoft Windows 2008 (SP2 and previous) with MS10-024
   . Microsoft Windows 2008 R2 with MS10-024
   . Microsoft Exchange Server 2003 (SP3, SP2 and previous) with MS10-024
   . Microsoft Exchange Server 2007 (SP2, SP1 and previous) with MS10-024
   . Microsoft Exchange Server 2010 with MS10-024


6. *Vendor Information, Solutions and Workarounds*

These vulnerabilities are fixed with the security updates included in
Microsoft Security Bulletin MS10-024
[http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx].


7. *Credits*

The bugs disclosed in this advisory were independently discovered and
researched by Nicolás Economou
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Nicolas_Economou].
The identity of the original discoverer is unknown.


8. *Technical Description / Proof of Concept Code*

The vulnerabilities were found and researched on a Windows XP SP3 system
by identifying binary differences in 'smtpsvc.dll' after applying the
corresponding patch from MS10-024. The dll versions '6.0.2600.5512' and
'6.0.2600.5949' were compared.

The following code excerpt identifies the *Predictable DNS query ID
vulnerability*[CVE-2010-1689 | 39908]. Without the MS10-024 patch
'smtpsvc.dll v6.0.2600.5512' looks like:

/-----
4FB5530C
4FB5530C loc_4FB5530C:
4FB5530C mov     [esi+3Ch], eax
4FB5530F mov     eax, [ebp+arg_8]
4FB55312 mov     ecx, ushort gwTransactionId
4FB55318 inc     word ptr ushort gwTransactionId
4FB5531F shr     eax, 2
4FB55322 not     eax
4FB55324 and     eax, 1
4FB55327 push    eax
4FB55328 push    ecx
4FB55329 push    [ebp+arg_4]
4FB5532C lea     eax, [ebp+hostshort]
4FB5532F push    [ebp+lpMultiByteStr]
4FB55332 push    eax
4FB55333 push    dword ptr [esi+3Ch]
4FB55336 call    DnsWriteQuestionToBuffer_UTF8(x,x,x,x,x,x)
4FB5533B test    eax, eax
4FB5533D jnz     short loc_4FB5537E

- -----/
 As seen at address '4FB55318' the value used to populate the query ID
field of outgoing DNS queries is simply incremented by one for each new
query to be sent. After applying the patch 'CAsyncDns::Dns_QueryLib' was
modified as follows:

/-----
4FB5564F
4FB5564F loc_4FB5564F:
4FB5564F mov     ecx, esi
4FB55651 mov     [esi+3Ch], eax
4FB55654 call    CAsyncDns::GenerateRandWord(void)
4FB55659 mov     ecx, [ebp+arg_8]
4FB5565C shr     ecx, 2
4FB5565F not     ecx
4FB55661 and     ecx, 1
4FB55664 push    ecx
4FB55665 push    eax
4FB55666 push    [ebp+arg_4]
4FB55669 mov     [esi+590h], ax
4FB55670 push    [ebp+lpMultiByteStr]
4FB55673 lea     eax, [ebp+hostshort]
4FB55676 push    eax
4FB55677 push    dword ptr [esi+3Ch]
4FB5567A call    DnsWriteQuestionToBuffer_UTF8(x,x,x,x,x,x)
4FB5567F test    eax, eax
4FB55681 jnz     short loc_4FB556C2

- -----/
 The patch adds a call to method 'CAsyncDns::GenerateRandWord' at
address '4FB55654'. The quality of the pseudo-random number generator
used by 'CAsyncDns::GenerateRandWord' was not investigated but simple
observation of packets on the wire confirms that DNS query IDs are no
longer generated using increments of one decimal unit.

In the case of the *Missing validation of DNS responses
vulnerability*[CVE-2010-1690 | 39910] the following code excerpt shows
the validation code added to 'CAsyncDns::ProcessReadIO' by the patch
from MS10-024.

/-----
4FB5517F
4FB5517F loc_4FB5517F:
4FB5517F mov     ecx, [esi+34h] <-- Transaction ID received from the network
4FB55182 mov     dx, [esi+590h] <-- Transaction ID set at "4FB55669: mov
[esi+590h], ax"
4FB55189 cmp     dx, [ecx]
4FB5518C jz      loc_4FB5

- -----/
 Since 'CAsyncDns::ProcessReadIO' is called prior to
'CAsyncDns::DnsParseMessage' the patch effectively added a verification
to the ID value in a DNS responses that was missing before. This implies
that even if it was trivial to blindly guess the query IDs generated by
the Windows SMTP service with no or just a few captured DNS queries an
attacker did not even need to guess valid query ids to be able to spoof
legitimate replies successfully.
 Prior to MS10-024 the complexity of spoofing responses to Windows SMTP
Service or Microsoft Exchange Server was reduced to just guessing the
source port that originated the query. This lack of validation of
inbound responses was confirmed in practice with a proof of concept
exploit for the SMTP Server MX Record vulnerability disclosed in MS10-024.
 MS10-024 also included "defense-in-depth changes" to Microsoft Exchange
2007 and Microsoft Exchange 2010 that added *source port*entropy to DNS
transactions initiated by the SMTP service as stated in the FAQ in the
general information section of the security bulletin. However, those
"defense-in-depth changes" refer to randomization of the source port for
outbound DNS queries and not to the value of the query ID used in DNS
packets.
 The FAQ section corresponding to the SMTP Server MX record
vulnerability (CVE-2010-0024
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0024]) in
MS10-024 provides the following question and answer:

/-----
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a
malicious DNS server that
returns a specially crafted response to an MX resource record query.

- -----/
 Basic analysis of the vulnerabilities disclosed in this advisory that
were fixed but not disclosed in MS10-024 indicates that the threat of
DNS spoofing attacks against Windows SMTP service and Microsoft Exchange
or scenario for exploitation of CVE-2010-0024 was underestimated. As a
result the importance of deploying the MS10-024 patches may be
miss-represented in the vendor's security bulletin. Organizations using
vulnerable packages should consider re-assessing patch deployment
priorities in view of the additional information provided in this advisory.


9. *Report Timeline*

. 2010-04-20:
Nicolás Economou  notifies Core's Security Advisories Team of findings.

. 2010-04-20:
Core Advisories Team requests confirmation that transaction ids of DNS
responses are not being validated.

. 2010-04-21:
Nicolás Economou confirms [CVE-2010-1689 | 39908]

. 2010-04-28:
Initial notification to the vendor. Publication date set to April 30 2010.

. 2010-04-29:
Vendor confirms that additional updates were included in MS10-024 and
quotes a paragraph from MS10-024 that describes a defense-in-depth
change for Microsoft Exchange 2007 and Microsoft Exchange 2010 that adds
additional source port entropy to DNS transactions initiated by the SMTP
service. Indicates that since these were "defense-in-depth" changes no
specific CVEs were assigned and that releasing separate updates for
these issues is currently not being considered as they were already
bundled in MS10-024. The undisclosed changes apply to all versions of
Microsoft Exchange. Microsoft requests a copy of Core's advisory prior
to its release to prepare for any follow up questions.

. 2010-04-29:
Core response: The FAQ from the general information section of MS10-024
quoted by Microsoft refers to source port entropy not to the value of
the transaction id field used in outbound DNS queries. Core does not
consider the two bugs reported to be "security-in-depth" fixes and
points out that there is an amount of literature to support that opinion
starting with Core's first published security advisory on DNS query Id
prediction [3] and ending with Dan Kaminsky's over-publicized DNS
poisoning technique which in 2008 Microsoft considered bonafide bugs
that required public disclosure using their own CVEs as disclosed in
MS08-037. Core found no reasonable way to justify the fix to
[CVE-2010-1690 | 39910] as a "defense-in-depth change". Checking that
the id of a reply actually matches the id sent in the corresponding
query is basic functionality required of any DNS resolver. It is also a
*MUST* requirement of section 9.1 of RFC5452. Core indicates that it
will consult with Mitre to figure out if one, two or zero new CVE
identifiers should be used in reporting these bugs since CVE-2008-1447
may or may not be applicable for the first bug described in the
advisory. As soon as the final draft of the advisory is ready for
publication Core will send it to Microsoft as requested and ask for
comments or any official statement to be added to its Vendor Information
section.

. 2010-05-03:
Final draft of CORE-2010-0427 sent to Microsoft.

. 2010-05-04:
CORE-2010-0427 is published.



10. *References*

[1] Schuba, Christoph, "Addressing Weaknesses in the Domain Name System
Protocol", 1993.
[http://ftp.cerias.purdue.edu/pub/papers/christoph-schuba/schuba-DNS-msthesis.pdf]
[2] Vixie, Paul, "5th USENIX UNIX Security Symposium", 1995.
[http://www.usenix.org/publications/library/proceedings/security95/full_papers/vixie.txt]
[3] Arce, Ivan, Kargieman, Emiliano, "BIND vulnerbailities and
solutions", 1997.
[http://www.openbsd.org/advisories/res_random.txt]
[4] Sacramento, Vagner, "Vulnerability in the sending requests control
of Bind versions 4 and 8 allows DNS spoofing", 2002.
[http://www.rnp.br/cais/alertas/2002/cais-ALR-19112002a.html]
[5] Stewart, Joe, "DNS Cache Poisoning - The Next Generation", 2002.
[http://www.secureworks.com/research/articles/dns-cache-poisoning]
[6] Klein, Amit, "BIND 9 DNS cache poisoning", 2007.
[http://www.trusteer.com/files/BIND_9_DNS_Cache_Poisoning.pdf]
[7] Klein, Amit, "Windows DNS Server cache poisoning", 2007.
[http://www.trusteer.com/files/Windows_DNS_Cache_Poisoning.pdf]
[8] Kaminsky, Dan, "Black Ops 2008: It_s The End Of The Cache As We Know
It ", 2008.
[http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf]
[9] Hubert, A., van Mook, R., "Measures for Making DNS More Resilient
against Forged Answers", RFC-5452, 2009.
[http://tools.ietf.org/html/rfc5452]


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com/].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkvgnyEACgkQyNibggitWa2SyQCfdWpNuMmlU8Ye1eE0uSII5f+G
mmwAnj4hejHo/gnLh8qF/EhHBJHvvijS
=VxJA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/