CVE-2020-1350

Published: 14/07/2020 Updated: 23/07/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service runs with elevated privileges (SYSTEM), successful exploitation grants an attacker Domain Administrator rights, effectively compromising the entire corporate infrastructure.

Github Repositories

CVE-2020-1350 (latest commit by T13nn3s, 4e4b04d)
Files: CVE-2020-1350-checker.ps1, README.md
This PowerShell script checks whether your server is vulnerable to the CVE-2020-1350 remote code execution flaw in the Windows DNS service.
Languages: PowerShell 100.0%

cve-2020-1350 (latest commit by tinkersec, 0ee1e47)
Files: LICENSE, README.md, cve-2020-1350.sh
Bash Proof-of-Concept (PoC) script to exploit SIGRed (CVE-2020-1350). Achieves Domain Admin on Domain Controllers running Windows Server 2003 up to Windows Server 2019.
To run, from a Linux host on a Windows Active Directory Network:
    ~# chmod +x cve-2020-1350.sh
    ~# ./cve-2020-1350.sh 10.0.0.1
References:
- CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
- July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server: https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
- SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers: https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
License: GPL-3.0. Languages: Shell 100.0%

CVE-2020-1350 Exploit (latest commit by ZephrFish, ae51ec3)
Files: README.md, exploit.sh
RCE via DNS.
Running the exploit: change the target IP in exploit.sh, then do:
    chmod +x exploit.sh
    ./exploit.sh
About: PoC Checking script
Languages: Shell 100.0%

Windows registry mitigation response to CVE-2020-1350 (latest commit by jmaddington, 48ea72d)
Files: bin/7zip, build, initialize, vendor, README.md, TcpReceivePacketSize.reg, aem-component.cpt, command.bat
Overview
Microsoft announced CVE-2020-1350 on July 14 2020. This vulnerability in Windows DNS server goes back to Server 2003 and is broadly thought to be wormable. This script follows the instructions from KB4569509 (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) to mitigate the issue without rebooting the server. For Datto RMM users, you can import aem-component.cpt into the RMM. For other RMM users, the script simply needs command.bat and TcpReceivePacketSize.reg to work.
Caveats
This script is only a few hours old and is not thoroughly tested. It is based on the best information we have available from Microsoft right now. Use at your own risk.
Languages: PowerShell 67.6%, Batchfile 32.4%

Fake_CVE-2020-1350 (latest commit by TheCyberViking, 7a78050; contributors: TheCyberViking, zoomerxsec)
Files: CVE-2020-1350.exe, Main.Designer.vb, Main.vb, README.md
Fake exploit tool, designed to rickroll users attempting to actually exploit.
Languages: Visual Basic .NET 100.0%

CVE-2020-1350 (latest commit by CVEmaster, e5ba6c0)
Files: LICENSE, README.md, cve20201350.exe
This is an educational exercise. Use at your own risk.
DNS Vulnerability - CVE-2020-1350
Windows Binary PoC
    ./cve20201350.exe
License: Apache-2.0

CVE-2020-1350-checker.ps1 (latest commit by aitordelcastillo, cc4f0bb)
Files: README.md, SECUORA-CVE-2020-1350-checker.ps1
Checks whether your DNS server is vulnerable to remote code execution.
Languages: PowerShell 100.0%

CVE-2020-1350 (latest commit by mr-r3b00t, 814665d)
Files: LocalWorkaround.ps1, README.md, workaround.bat
Workaround to mitigate the impact of the vulnerability by reducing the TCP Receive Packet Size maximum limit on the DNS Server and restarting DNS.
Languages: PowerShell 100.0%

A PowerShell script to deploy the registry mitigation key for CVE-2020-1350 (latest commit by gdwnet, 3a17224)
Files: README.md
This is a PowerShell script that'll grab all the AD servers for the domain your computer is on. It'll then set the CVE-2020-1350 DNS workaround on those servers and restart DNS.
NOTE!! It will restart DNS, so you might need a maintenance window to run it.
This workaround does not mean that you can avoid patching your servers, but it should help buy you some time, especially if you have Windows servers on the internet.
You can read about CVE-2020-1350 here: https://blog.gdwnet.com/2020/07/15/sigred-dns-flaw-summary/
Questions? Issues? Suggestions? contact@gdwnet.com

CVE-2020-1350 (latest commit by moharrami12, f0300bb; contributors: moharrami12, graph-inc)
Files: CVE-2020-1350.ps1, README.md
Scanner and Mitigator for CVE 2020-1350
Run as Administrator:
    powershell -ExecutionPolicy Bypass -File CVE-2020-1350.ps1
Languages: PowerShell 100.0%

Insider_Threat_Bait (latest commit by TheCyberViking, 55da057)
Files: LICENSE, README.md, insiderthreat.py
A tool for baiting insider threats into running an exploit, based off research conducted with myself and https://twitter.com/TJ_Null https://twitter.com/ZephrFish https://twitter.com/ZoomerX
The original research can be found at: https://blog.zsec.uk/cve-2020-1350-honeypoc/

So how does this work
- Build the CanaryToken - https://canarytokens.org/generate
- Build the script in Python and compile it any way you want - Python script obfuscated, or exe compiled with pyarmour
- Leave this sitting on your share to see who grabs it and runs it on their system against policy
- Your IDS / IPS should alert when there is a request sent; this should alert you in two ways, one on your logs and two on your canary tokens, such as browser date and time

Break Down the Code
Here we will break down the code to show you there is nothing malicious here.

Modules
These are the required modules for this to run, using a tool like
    import time
    import webbrowser
    import requests
    import sys

Function to Offer Fake Menu and CVE
In this section you can see how the menu works and attempts to make it look like a real scanner.
    def main():
        print("CVE-2020-1350 Vulnerablity Scanner by @TheCyberViking, @ZepherFish, @TJ_Null, @ZoomerX")
        print("This is in attempt to scan and open the link to prove exploitation")
        print(".")
        ip = input("Please Enter the IP you wana scan: ")
        print(".")
        print("Now Testing For CVE-2020-XXXX on:" + ip)
        print("Now Scanning Address")
        time.sleep(3)
        print(ip + " Apeears to be Vulnerable Opening Test Page Now")
        time.sleep(2)

Troll Link
This section is the link that will open for the subject when they run the code; you can change the link. It directs to a troll video.
        webbrowser.open_new('https://www.youtube.com/embed/gMpLLq7DomQ?start=0&fs=1&autoplay=1')
        time.sleep(2)

Hidden CanaryToken
This section will request and alert the CanaryToken after you add your URL in the targeturl section.
        targeturl = (" ENTER YOUR CanaryTokens URL")
        response = requests.get(targeturl, verify=False, timeout=2)

Response codes
Here you can see how the responses from the CanaryToken are handled.
        if response.status_code == 200:
            sys.stdout.write("\033[1;31m")
            print("CAUGHT See HR Soon or they will see you")
        elif response.status_code == 404:
            sys.stdout.write("\033[0;32m")
            print(".")

Run Code
This section will run the code defined in the function main()

License: MIT. Languages: Python 100.0%

CVE-2020-1350 (AKA SIGRed) v0.2 (latest commit by Ben Reardon, f8bde7a)
Files: scripts, LICENSE, README.md, bro-pkg.meta, zkg.meta
Summary: A Zeek package for detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed - CVE Score of 10.0)
References:
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350
Notices raised (each notice text ends with "Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/"):
- Notice: Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response). Fidelity: Medium
- Notice: CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response). Fidelity: High
- Notice: Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response). Fidelity: Medium/High
License: BSD-3-Clause. Languages: Zeek 100.0%

SECUORA-CVE-2020-1350-checker.ps1 (latest commit by aitordelcastillo, 4d4443b)
Files: SECUORA-CVE-2020-1350-checker.ps1
Script to check whether the vulnerability related to CVE-2020-1350 applies to your Windows Server.
Languages: PowerShell 100.0%

CVE-2020-1350 Proof-of-Concept (latest commit by connormcgarr, f75ba0f)
Files: README.md, TCP_Response.py, UDP_Response.py
Environment Setup
- Download Windows Server 2016
- Download a Linux box (a secondary box to run this script)
- Install Active Directory/DNS on Windows Server 2016 (let's say you named your legitimate domain 33y0re.com)
- Have NO DNS records on the Windows 2016 server (yet)
- Create a "forwarder" record on the Windows Server 2016 image with the IP of the Linux box
Usage
- Choose your domain (the "attacking" domain)
- Calculate how long it is (e.g. blah is 0x4 bytes and .net is 0x3 bytes)
- Set domain_correct to \x04blah\03net\x00
- Run python UDP_Response.py & python TCP_Response.py
- Run from the Windows Server 2016 image or Linux box:
    nslookup -type=sig 33y0re.com ACTIVE_DIRECTORY_DNS_SERVER_IP
  followed by:
    nslookup -type=sig 9.MALICIOUS_DOMAIN_FROM_LINUX_BOX_SCRIPT ACTIVE_DIRECTORY_DNS_SERVER_IP
Languages: Python 100.0%

CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit (latest commit by maxpl0it, 237841a)
Files: .gitattributes, README.md, sigred_dos.py
Credits for the bug are entirely down to Check Point Research (@_cpresearch_) who did an incredible writeup of this bug (props to @sagitz_ for the post). Their writeup can be found here.
This exploit was written by @maxpl0it

Quick summary of how it works:
- On the LAN you trigger a DNS request (more specifically, a request for the SIG records) for an evil domain (for example 9.evil_domain.com)
- This gets sent to the vulnerable Windows server's DNS server
- The vulnerable server sends a request to whatever DNS it forwards requests to (usually the standard Google IPs)
- The Google DNS responds with the nameservers for the evil domain
- The vulnerable server then acts as a DNS client and sends a request to the evil DNS server
- The evil server responds with a payload that overflows a 2-byte number, causing a smaller allocation to take place than is required
- The signature is copied over and things break (of course), crashing the vulnerable server's DNS server

General Setup:
This exploit requires you to set up a domain with its own nameservers pointing to your server. Set up the server and run this script. It will listen on port 53 on both TCP and UDP.
If you get an error saying that the ports are busy, use netstat -pa to figure out what's listening on the domain ports (probably systemd-resolved) and disable + stop it. If nothing's listening on the server, make sure you killed all instances of this script before re-running.
For example, I ran python sigred_dos.py ibrokethe.net to start the malicious DNS server.

Execution:
In order to trigger the vulnerability on the Windows DNS server, run nslookup -type=sig 9.your_domain_name_here dns_server_to_target
The subdomain '9' is indeed required here. You do not have to make any domain record changes for this since the script deals with it.
As an example: I ran nslookup -type=sig 9.ibrokethe.net 127.0.0.1 as I was running this on the server.

About: A denial-of-service proof-of-concept for CVE-2020-1350
Languages: Python 100.0%

Windows-DNS-SIGRed (latest commit by jmassardo, d82239a)
Files: controls, README.md, inspec.yml
This profile identifies systems that are missing one or more of the required patches to address CVE-2020-1350, Windows DNS Server Remote Code Execution Vulnerability. This profile utilizes InSpec's describe.one method to test against the multiple KBs without the need for complex OS version logic.
About: InSpec Profile to identify systems vulnerable to CVE-2020-1350
Languages: Ruby 100.0%

KB4569509: Guidance for DNS Server Vulnerability CVE-2020-1350 (latest commit by simeononsecurity, 6778ac1)
Files: .gitattributes, CVE-2020-1350_DNS_Server_Vulnerability.ps1, README.md

Introduction
On July 14, 2020, Microsoft released a security update for the issue that is described in CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability. This advisory describes a Critical Remote Code Execution (RCE) vulnerability that affects Windows servers that are configured to run the DNS Server role.
We strongly recommend that server administrators apply the security update at their earliest convenience.
A registry-based workaround can be used to help protect an affected Windows server, and it can be implemented without requiring an administrator to restart the server. Because of the volatility of this vulnerability, administrators may have to implement the workaround before they apply the security update in order to enable them to update their systems by using a standard deployment cadence.

Workaround
Optional: Download the workaround script from the GitHub Repository
To work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet that's allowed:
    Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    Value: TcpReceivePacketSize
    Type: DWORD
    Value data: 0xFF00
Notes:
- The default (also maximum) Value data = 0xFFFF.
- The recommended Value data = 0xFF00 (255 bytes less than the maximum).
- You must restart the DNS Service for the registry change to take effect. To do this, run the following command at an elevated command prompt:
    net stop dns && net start dns

Important information about this workaround
TCP-based DNS response packets that exceed the recommended value will be dropped without error. Therefore, it is possible that some queries might not be answered. This could cause an unanticipated failure. A DNS server will be negatively impacted by this workaround only if it receives valid TCP responses that are greater than allowed in the previous mitigation (more than 65,280 bytes).
The reduced value is unlikely to affect standard deployments or recursive queries. However, a non-standard use-case may exist in a given environment. To determine whether the server implementation will be adversely affected by this workaround, you should enable diagnostic logging, and capture a sample set that is representative of your typical business flow. Then, you will have to review the log files to identify the presence of anomalously large TCP response packets.
For more information, see DNS Logging and Diagnostics.
Languages: PowerShell 100.0%
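The workaround above can be audited before it is changed. The following is an added example, not the script from the repository listed here: it reads TcpReceivePacketSize, treats an absent value as the 0xFFFF default, and only writes 0xFF00 and restarts DNS when called with -Apply. The function name Test-SigRedWorkaround and the fields of the returned object are illustrative assumptions.

```powershell
# Added example (not the repository's script). Audits, and with -Apply sets,
# the KB4569509 registry workaround described above. The function name and
# the shape of the returned object are illustrative choices.
function Test-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # write 0xFF00 and restart DNS if not yet mitigated
    )

    $key         = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $name        = 'TcpReceivePacketSize'
    $recommended = 0xFF00   # 65280 decimal, the value the workaround sets
    $default     = 0xFFFF   # default and maximum, used when the value is absent

    # Returns the configured size, or the default when no value exists.
    $read = {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { [int]$prop.$name } else { $default }
    }

    # Only servers running the DNS Server role are affected.
    $dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $dns) {
        return [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            DnsServerRole        = $false
            TcpReceivePacketSize = $null
            Mitigated            = $null
            DnsRestarted         = $false
        }
    }

    $current   = & $read
    $restarted = $false

    if ($Apply -and $current -gt $recommended -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $name to 0xFF00 and restart DNS")) {
        # -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $recommended -Force | Out-Null
        # Same effect as "net stop dns && net start dns".
        Restart-Service -Name DNS -Force
        $restarted = $true
        $current   = & $read
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        DnsServerRole        = $true
        TcpReceivePacketSize = '0x{0:X4}' -f $current
        Mitigated            = ($current -le $recommended)
        DnsRestarted         = $restarted
    }
}

Test-SigRedWorkaround                    # audit only, changes nothing
# Test-SigRedWorkaround -Apply -WhatIf   # preview the change
# Test-SigRedWorkaround -Apply           # set the value and restart DNS
```

In audit mode a value at or below 0xFF00 is reported as mitigated even if the DNS service has not been restarted since the value was written, and the check says nothing about whether the security update itself is installed.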

CVE-2020-1350 (latest commit by Jb05s, 2accfd7)
Files: PoC, README.md
About: No description, website, or topics provided.
Languages: Python 100.0%

Windows-DNS-SIGRed
Latest commit: jmassardo committed b2d8c7b (Add license file)
Files: .github/workflows (adds dns feature check and github actions testing), controls (updates control impact to 1.0), LICENSE (Add license file), README.md (added registry check for workaround), inspec.yml (initial commit)

This profile identifies systems that are missing one or more of the required patches to address CVE-2020-1350, Windows DNS Server Remote Code Execution Vulnerability. This profile utilizes InSpec's describe.one method to test against the multiple KBs without the need for complex OS version logic. It will also consider the workaround registry key as a success.

Please note, InSpec tests the decimal value of the registry key. This test specifies 65280d which equals FF00h.

About: No description, website, or topics provided.
License: Apache-2.0
Contributors: jmassardo, collinmcneese
Languages: Ruby 100.0%

Latest commit: Plazmaz committed 3f63dbf (Create malicious-server.py)
Files: malicious-server.py (Create malicious-server.py)
About: A basic proof of concept for CVE-2020-1350
Languages: Python 100.0%

CVE-2020-0796
Latest commit: pr4jwal committed b9279fb (Create cve-2020-1350.nse)
Files: README.md (Update README.md), cve-2020-0796.nse (Update cve-2020-0796.nse), cve-2020-1350.nse (Create cve-2020-1350.nse)

NSE script to detect vulnerable CVE-2020-0796 issue, with Microsoft SMBv3 Compression (aka coronablue, SMBGhost).

The script is a modified version of smb-protocols.nse script with a modified output data for v3.11 detection and validating CVE-2020-0796.

Note: This script just safe checks for CVE-2020-0796 vulnerability on SMBv3 and doesn't attempt anything beyond that.

Installation and running

Copy the .nse file to nmap/scripts/ folder and run update:

    cp cve-2020-0796.nse /usr/share/nmap/scripts/
    nmap --script-updatedb

Run as:

    nmap -p445 --script cve-2020-0796 <<target>>

    -- @output
    -- | smb-protocols:
    -- |   dialects:
    -- |     NT LM 0.12 (SMBv1) [dangerous, but default]
    -- |     2.02
    -- |     2.10
    -- |     3.00
    -- |     3.02
    -- |_    3.11 (SMBv3.11) LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost

Checks for compression based on https://github.com/ollypwn/SMBGhost/

Could've been done utilizing smb.lua in the nselib but it required substantial editing of the functions, went with sockets.

About: NSE script to detect vulnerable CVE-2020-0796 issue "SMBGhost"
Topics: smbghost, nmap, nmap-scripts, nmap-scan-script, nse-script, smbv3, scanner, vulnerability-detection, vulnerability, poc
Languages: Lua 100.0%

Protocol-vul
Latest commit: WinMin committed e09a596 (Update README.md)
Files: README.md (Update README.md)

Some vulnerabilities in some protocols are collected.

Some protocols: 网络通讯协议图.pdf

UPNP
  CVE-2017-17215
  https://paper.seebug.org/490/
  CallStranger
  https://github.com/yunuscadirci/CallStranger
PPP
  CVE-2020-8597
SLP
  CVE-2019-5544
AFP
  CVE-2018-1160
BlueTooth
  BlueFrag CVE-2020-0022
  BIAS CVE-2020-10135
  KNOB CVE-2019-9506
  https://www.chainnews.com/articles/048594953495.htm
SMB
  EternalBlue
  CVE-2020-0796
  https://github.com/chompie1337/SMBGhost_RCE_PoC
  https://github.com/ZecOps/CVE-2020-0796-RCE-POC
CDP
  CVE-2020-3119 Cisco CDP
  https://go.armis.com/hubfs/White-papers/Armis-CDPwn-WP.pdf
TCP/IP
  Urgent11 Technical White Paper.pdf
  Ripple20 - Vulns in Treck's TCP/IP software
  https://www.jsof-tech.com/wp-content/uploads/2020/06/JSOF_Ripple20_Technical_Whitepaper_June20.pdf
Thunderbolt
  https://github.com/BjornRuytenberg/spycheck-linux
SNMP
  CVE-2017-6736 (Cisco IOS)
WLAN
  CVE-2019-10539 (Part of Qualpwn by Tencent Blade)
  CVE-2019-11151 (Intel Wi-Fi adapt driver)
  https://www.zerodayinitiative.com/blog/2020/5/4/analyzing-a-trio-of-remote-code-execution-bugs-in-intel-wireless-adapters
  CVE-2019-15126 (Kr00k)
  https://www.secrss.com/articles/18174
IPP
  CVE-2019-8675 (CUPS)
LoRaWAN
  https://blade.tencent.com/en/advisories/loradawn/
  https://github.com/Lora-net/LoRaMac-node/commit/e3063a91daa7ad8a687223efa63079f0c24568e4
SMTP
  https://www.ehpus.com/post/smtp-injection-in-gsuite
Treck TCP/IP stack
  https://vigilance.fr/vulnerability/Treck-IP-Stack-multiple-vulnerabilities-32551
GPRS Tunnelling Protocol (GTP)
  https://positive-tech.com/research/gtp-2020/
DNS
  CVE-2020-1350
  https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
  https://github.com/maxpl0it/CVE-2020-1350-DoS/blob/master/sigred_dos.py

Contributor: swing && leommxj (https://github.com/leommxj)

About: Some vulnerabilities in some protocols are collected.

Recent Articles

Critical SIGred Windows DNS bug gets micropatch after PoCs released
BleepingComputer • Ionut Ilascu • 19 Jul 2020

The critical remote code execution security vulnerability in Windows DNS known as SIGRed has received a micropatch for servers without an Extended Security Updates (ESU) license.
SIGRed can be exploited in a wormable fashion, allowing an adversary to expand their attack to all affected systems on the network without user interaction. It received the tracking number CVE-2020-1350 and the maximum severity score, 10 out of 10.



...

CISA Emergency Directive Orders Immediate Fix of Windows DNS Server Bug
Threatpost • Elizabeth Montalbano • 17 Jul 2020

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering all federal executive branch offices to apply a patch for a wormable Windows Server bug within 24 hours, warning of a “high potential for compromise of agency information systems.”
In an Emergency Directive, the Department of Homeland Security (DHS) agency ordered the “Federal Civilian Executive Branch” to apply a patch Microsoft released Tuesday for the vulnerability (CVE-2020-1350) by 2:00 pm ET Friday...

Federal agencies told to patch wormable Windows DNS bug in 24 hours
BleepingComputer • Sergiu Gatlan • 16 Jul 2020

The Cybersecurity and Infrastructure Security Agency (CISA) today asked all U.S. federal executive branch departments and agencies to mitigate the critical SIGRed Windows DNS Server wormable remote code execution (RCE) vulnerability within 24 hours.
Microsoft issued a security update to address this critical Windows vulnerability tracked as CVE-2020-1350 on July 14, together with a registry-based workaround that does not require a server restart.


...

Microsoft patches critical, wormable flaw in Windows DNS Server
welivesecurity • 15 Jul 2020

Microsoft has released a patch addressing a vulnerability that has been present in Windows Domain Name System (DNS) Server for no fewer than 17 years. Dubbed SIGRed, this critical Remote Code Execution (RCE) vulnerability affects all Windows Server versions 2003 through 2019 and, if exploited, could be used to compromise a company’s entire IT infrastructure.
Tracked as CVE-2020-1350, the vulnerability was classified as “wormable” and earned the highest possible score of 10.0 on the...

Microsoft Tackles 123 Fixes for July Patch Tuesday
Threatpost • Tom Spring • 14 Jul 2020

A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft’s July Patch Tuesday list of 123 fixes. The DNS flaw is a remote code-execution bug and is touted as one of the most critical Windows vulnerabilities released this year, earning the highest-severity CVSS score of 10.
The elevation-of-privilege bug (CVE-2020-1463) received a less-severe “important” rating, and impacts the Windows 10 and Windows Server SharedStream Library component. It stems from the...

Critical DNS Bug Opens Windows Servers to Infrastructure Hijacking
Threatpost • Tom Spring • 14 Jul 2020

A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.
It turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 – the highest allowed. Most concerning to researchers however is that the bug is wor...

Microsoft patches critical wormable SigRed bug in Windows DNS Server
BleepingComputer • Ionut Ilascu • 14 Jul 2020

A critical vulnerability that’s been sitting in Microsoft’s Windows DNS Server for almost two decades could be exploited to gain Domain Administrator privileges and compromise the entire corporate infrastructure behind it.
The vulnerability received the tracking identifier CVE-2020-1350 and the name SigRed. It is a remote code execution that affects Windows Server versions 2003 through 2019 and received the maximum severity rating, 10 out of 10.


...

The Register

In Brief Here's something you don't see everyday. The crew at IBM X-Force has uncovered a massive cache of files, including about five hours of training videos intended for a select crew of hackers in Iran known as ITG18.
Big Blue said the videos range from two minutes to two hours and mainly cover techniques for compromising popular webmail services. They also include videos of hackers combing through data in compromised email accounts from Google, AOL Hotmail, and Yahoo!, including tho...

Microsoft July 2020 Patch Tuesday: 123 vulnerabilities, 18 Critical!
BleepingComputer • Lawrence Abrams • 01 Jan 1970

Today is Microsoft's July 2020 Patch Tuesday, and if you see Windows administrators cursing for no reason, now you know why!
With the July 2020 Patch Tuesday security updates release, Microsoft has released one advisory for a tampering vulnerability in IIS and fixes for 123 vulnerabilities in Microsoft products.






...

The Register

Mega Patch Tuesday Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. It was one of hundreds of security bugs squashed today by Redmond along with Oracle, Adobe, VMware, SAP and Google.
Microsoft emitted fixes for 123 vulnerabilities in this month's Patch Tuesday batch. Some 18 of those CVE-listed security flaws are considered critical, meaning remote code execution (RCE)...