SIGRed (CVE-2020-1350) Rule

Hi,

recently Microsoft revealed a very critical DNS vulnerability (CVSS base score of 10.0). Perhaps someone has already created a rule for it and could share it, or maybe could help with creating one.

Based on analysis of CVE-2020-1350 I came to the following steps of attack:

  1. DNS request is sent
  2. DNS reply with truncation flag is received
  3. TCP connection to DNS port 53 is set up
  4. DNS request sent via TCP
  5. DNS reply with max size 65535 and with manipulated DNS Pointer Compression 0xC0 received
  6. Manipulation of DNS Pointer Compression causes heap based buffer overwrite because DNS response contains a large (bigger than 64KB) SIG record

Could anyone share an idea of how to implement this rule better? My current idea, based on my introductory-level knowledge of Suricata, is the following:

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SIGRed (CVE-2020-1350) possible exploit"; dsize:>65534; sid:1000001; rev:1;)

Thank you in advance.

Hi!

The ET OPEN set has two rules for this currently, sid 2030532 and 2030533. Feel free to take a look and see if those will work for you.

JT


Thank you. I have found them. Just in case, here are the two entries you mentioned.

alert tcp any 53 -> any any (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350)"; flow:established,from_server; content:"|ff|"; depth:1; byte_test:1,>=,0xec,0,relative; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; metadata: former_category EXPLOIT; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030533; rev:3; metadata:affected_product Windows_DNS_server, signature_severity Critical, created_at 2020_07_14, performance_impact Significant, updated_at 2020_07_16;)

alert tcp any any -> any 53 (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)"; flow:established,to_server; content:"|ff|"; depth:1; byte_test:1,>=,0xec,0,relative; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; metadata: former_category EXPLOIT; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030532; rev:4; metadata:affected_product Windows_DNS_server, signature_severity Critical, created_at 2020_07_14, performance_impact Significant, updated_at 2020_07_16;)

There is also another open-source available rule here: https://github.com/ptresearch/AttackDetection/tree/master/CVE-2020-1350

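To see concretely which bytes the two ET OPEN rules above test, and how they line up with the attack sequence in the first post (a DNS-over-TCP reply that declares the maximum length and carries a SIG answer whose owner name is a 0xC0 compression pointer), here is an added example. It is not code from this thread or from Emerging Threats: the builder, the function names and the sample bytes are constructed for illustration, and the SIG rdata is plain padding, not an exploit. The matcher re-implements the rules' content/byte_test chain step by step: first byte of the TCP length prefix 0xff and second byte >= 0xec (declared length >= 65516), a question of type SIG (0x0018) within 64 bytes after the header, then an answer whose name starts with 0xC0 and whose type is SIG.

```python
"""Added example: DNS-over-TCP sample builder plus a byte-level
re-implementation of the ET OPEN rules sid 2030532 / 2030533."""
import struct

TYPE_SIG = 24   # RR type SIG = 0x0018, the type both rules look for
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_tcp_dns_response(qname, sig_rdata, declared_length=None):
    """Return a DNS-over-TCP message: 2-byte length prefix + DNS message.

    The message has one SIG question and one SIG answer whose owner name is
    the compression pointer C0 0C (back to the question name at offset 12).
    declared_length lets a sample *claim* a size it does not have, which is
    what the ET rules key on (constructed sample, not a real capture)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", TYPE_SIG, CLASS_IN)
    answer = (b"\xc0\x0c"
              + struct.pack(">HHIH", TYPE_SIG, CLASS_IN, 3600, len(sig_rdata))
              + sig_rdata)
    msg = header + question + answer
    length = len(msg) if declared_length is None else declared_length
    return struct.pack(">H", length) + msg


def declared_length(payload):
    """The 2-byte length prefix of a DNS-over-TCP message."""
    return struct.unpack(">H", payload[:2])[0]


def et_sigred_match(payload):
    """Re-implementation of the match chain shared by sid 2030532/2030533.

    payload is the TCP stream data starting at the DNS length prefix:
      content:"|ff|"; depth:1;                     -> payload[0] == 0xff
      byte_test:1,>=,0xec,0,relative;              -> payload[1] >= 0xec
      content:"|00 00 18|"; distance:12; within:64; (root label + QTYPE SIG)
      content:"|c0|"; distance:2; within:1;         (skip QCLASS, answer name is a pointer)
      content:"|00 18|"; distance:1; within:2;      (skip pointer low byte, answer TYPE SIG)
    """
    if len(payload) < 2 or payload[0] != 0xFF or payload[1] < 0xEC:
        return False
    cursor = 1                    # byte_test does not move the pointer; it sits after |ff|
    window_start = cursor + 12    # distance:12
    window_end = window_start + 64  # within:64: the 3-byte match must lie inside here
    idx = payload.find(b"\x00\x00\x18", window_start, window_end)
    while idx != -1:              # try each candidate, as the engine would
        c0_pos = idx + 3 + 2      # distance:2 after the 3-byte match
        type_pos = c0_pos + 1 + 1  # distance:1 after the 1-byte |c0| match
        if (payload[c0_pos:c0_pos + 1] == b"\xc0"
                and payload[type_pos:type_pos + 2] == b"\x00\x18"):
            return True
        idx = payload.find(b"\x00\x00\x18", idx + 1, window_end)
    return False


# Constructed samples (not real traffic). The benign one carries an honest
# length prefix; the suspect one claims 65535 bytes, as in step 5 of the
# first post, while actually being a few dozen bytes long.
BENIGN = build_tcp_dns_response("example.com", b"\x00" * 40)
SUSPECT = build_tcp_dns_response("example.com", b"\x00" * 40, declared_length=0xFFFF)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "declared length", declared_length(sample),
              "actual", len(sample) - 2, "ET match:", et_sigred_match(sample))
```

Two things worth noting when testing these rules without a PoC: the rules never look at how large the segment really is, only at the declared length prefix, so a short constructed message that claims 0xffec or more will trigger them (the threshold is 65516, not 65535); and the whole chain is anchored on the question section, so a reply whose question is not of type SIG, or whose first answer name is written out instead of compressed, will not match even with a huge length prefix.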

Hi, I have created a couple of rules too. Let me know if you have a PoC available and whether these rules work for you:

I would like to have some feedback about them.