Researchers at vulnerability management vendor Qualys Inc. discovered this week how to reverse-engineer a Microsoft patch to perform a denial-of-service attack on a Windows DNS Server.
The researchers reverse engineered one of the two critical patches released by Microsoft in its August Patch Tuesday round of security updates. The MS11-058 update resolves two vulnerabilities in Windows DNS Server.
The research goes against Microsoft’s Exploitability Index, which gave the update a 3, meaning it was unlikely that code would surface exploiting the flaws. The index is used by patch management specialists to weigh the priority of specific patch deployments. Qualys said it is possible to accomplish the attack through a step-by-step process.
“We reverse engineered the patch to get a better understanding of the mechanism of the vulnerability and found this vulnerability can be triggered with a few easy steps,” explained Bharat Jogi, a vulnerability security engineer at Qualys, in a blog post.
Although this proof of concept demonstrates a denial of service, Jogi explains that “an attacker who successfully exploited this vulnerability could run arbitrary code in the context of the system” and those “with malicious intent may be able to get reliable code execution.”
Qualys focused on one of the two patches rated critical. This particular patch fixed two flaws in Windows DNS Server, while the other fixed seven flaws in Internet Explorer.
Qualys researchers used binary diffing of the unpatched and patched versions of the files to compare them and understand the changes made to fix the vulnerabilities. The binary-diffing tool, called TurboDiff, shows them “a list of all the functions that are identical, changed, unmatched, and those that look suspicious,” said Jogi.
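To make that triage step concrete, the following is an added example (not Qualys's, Microsoft's or TurboDiff's code) that sorts two constructed function listings into the four categories Jogi names; the function names, byte strings and the rule that a same-shaped body with differing bytes counts as “suspicious” are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed stand-ins for the per-function listings a binary-diffing tool
# extracts from an unpatched and a patched binary: name -> (basic-block count, code bytes).
# Names and bytes are made up for this example; they are not taken from MS11-058.
Listing = Dict[str, Tuple[int, bytes]]

UNPATCHED: Listing = {
    "fn_parse_record": (4, b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3"),
    "fn_copy_name":    (3, b"\x55\x8b\xec\x8b\x45\x08\x0f\xb6\x08\x5d\xc3"),
    "fn_send_reply":   (2, b"\x55\x8b\xec\x5d\xc3"),
    "fn_legacy_path":  (1, b"\xc3"),
}
PATCHED: Listing = {
    # one more basic block and a longer body: a new check was inserted
    "fn_parse_record": (5, b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x3d\xff\x00\x00\x00\x77\x02\x5d\xc3"),
    # same size and block count, a single byte differs: a constant or comparison changed
    "fn_copy_name":    (3, b"\x55\x8b\xec\x8b\x45\x08\x0f\xb6\x09\x5d\xc3"),
    "fn_send_reply":   (2, b"\x55\x8b\xec\x5d\xc3"),
    "fn_new_helper":   (1, b"\x33\xc0\xc3"),
}

def classify(old: Listing, new: Listing) -> Dict[str, List[str]]:
    """Bucket every function into identical / changed / suspicious / unmatched."""
    result: Dict[str, List[str]] = {"identical": [], "changed": [], "suspicious": [], "unmatched": []}
    for name in sorted(set(old) | set(new)):
        if name not in old or name not in new:
            result["unmatched"].append(name)      # present on only one side
            continue
        (old_blocks, old_code), (new_blocks, new_code) = old[name], new[name]
        if old_code == new_code:
            result["identical"].append(name)
        elif old_blocks == new_blocks and len(old_code) == len(new_code):
            # Same control-flow shape, different bytes: typically a tweaked
            # constant or comparison operator, which is worth a close look.
            result["suspicious"].append(name)
        else:
            result["changed"].append(name)        # structural change, e.g. an added bounds check
    return result

def triage_order(diff: Dict[str, List[str]]) -> List[str]:
    """Functions to inspect first when locating a fix: structural changes
    (new checks add basic blocks) before byte-level tweaks."""
    return diff["changed"] + diff["suspicious"]

if __name__ == "__main__":
    diff = classify(UNPATCHED, PATCHED)
    for category, names in diff.items():
        print(f"{category:10s}: {', '.join(names) or '-'}")
    print("inspect first:", triage_order(diff))
```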
Two DNS servers were needed for the proof of concept: one for the researchers to crash and one to serve as a comparison. The researchers found the process particularly simple, with the vulnerability triggered in a few easy steps. They therefore recommend that administrators “apply this security update as soon as possible.”