Analysis of CVE-2021-26897 DNS Server RCE

CVE-2021-26897 is a Windows DNS Server RCE vulnerability triggered by sending many consecutive Signature RR (SIG) Dynamic Updates. It is an out-of-bounds (OOB) heap write that occurs when those consecutive Signature RR Dynamic Updates are combined into base64-encoded strings before being written to the zone file.

According to Microsoft, systems are only vulnerable if the DNS server has dynamic updates enabled. Upon further analysis, we determined that the chances of achieving code execution are indeed very low. The following Proof of Concept illustrates the difficulty an attacker would have in exploiting this vulnerability.

SCENARIO

A DNS server must accept write requests to at least one Zone.

First, we’ll create a new primary zone with the wizard:

[Figure: New Zone Wizard]

Allowing the zone to accept dynamic updates (write access) should be sufficient:

[Figure: dynamic update]

ANALYSIS OF THE PATCH

There are some unsafe subtractions in the SigFileWrite (x, x, x, x) function. The patch replaced them with safe subtractions and added some additional checks before the call to Dns_SecurityKeyToBase64String.

Here is how it looks when unpatched:

[Figure: unpatched SigFileWrite]

And this is how it appears once the patch is implemented:

[Figure: patch implemented]

Inside that call, the data is copied in a loop, possibly using the size obtained from the subtraction.
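To make the patch's point concrete, here is an added C reconstruction (illustrative, not the dns.exe code; the function and macro names are hypothetical) showing the unchecked length subtraction beside its safe form, with a base64 encoder writing into the fixed 0x80000-byte buffer that the Allocation section describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction, not the dns.exe code; names are hypothetical.
 * OUT_BUF_SIZE is the fixed 0x80000-byte heap allocation from the analysis. */
#define OUT_BUF_SIZE 0x80000u
#define MAX_KEY_BYTES ((OUT_BUF_SIZE / 4) * 3)  /* 0x60000: fits after 3->4 expansion */

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode len bytes into out (caller guarantees len <= MAX_KEY_BYTES).
 * Stands in for the role Dns_SecurityKeyToBase64String plays in the analysis. */
static size_t b64_encode(const uint8_t *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[v & 63] : '=';
    }
    return o;
}

/* UNPATCHED pattern: unchecked unsigned subtraction. When end < start the length
 * wraps to a huge value, so a copy loop driven by it would run past the buffer. */
int sig_len_unsafe_overflows(size_t start, size_t end) {
    size_t len = end - start;               /* wraps silently */
    return len > MAX_KEY_BYTES;             /* 1 when the loop would overflow */
}

/* PATCHED pattern: reject an underflowing subtraction and bound the length first. */
int sig_write_safe(const uint8_t *key, size_t start, size_t end, char *out) {
    if (end < start || end - start > MAX_KEY_BYTES) return -1;
    return (int)b64_encode(key + start, end - start, out);
}

/* Encode a constructed key into a fresh 0x80000-byte buffer and compare the result. */
int demo_encode_matches(const char *key, const char *expect) {
    char *out = malloc(OUT_BUF_SIZE);
    if (!out) return 0;
    int n = sig_write_safe((const uint8_t *)key, 0, strlen(key), out);
    int ok = n >= 0 && (size_t)n == strlen(expect) && !memcmp(out, expect, (size_t)n);
    free(out);
    return ok;
}
```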

[Figure: POC]

POC

[Figure]

It hangs inside Dns_SecurityKeyToBase64String.

[Figure: memory]

ALLOCATION

At the allocation site we can see that the size is fixed (80000h) and not under our control.

[Figure: fixed size of 80000h]

CONCLUSION

For this type of heap overflow, the possibility of RCE depends on being able to allocate the vulnerable chunk with a controlled size and fill it with controlled data.

Additionally, exploitation may only be feasible if the chunk is allocated from the free list rather than from the Windows heap: the former is barely protected, while the latter is strongly protected, especially in the most modern versions of Windows.

The allocation limit differs between 32-bit and 64-bit builds. In general, however, a large size such as 0x80000 exceeds the free list limit and is allocated from the Windows heap.

On 32-bit the limit is 0x68:

[Figure: 32-bit limit 0x68]

On 64-bit the limit is 0x90:

[Figure: 64bits_0x90]

Since the size is fixed at 0x80000, larger than the limit, we can conclude that the chances of RCE are quite small. Without a variable, controlled allocation size, fighting the Windows heap on modern versions would be very difficult.

Ricardo Narvaja
Cybersecurity Specialist Developer