Windows DNS SIGRed Bug Gets First Public RCE PoC Exploit

Grapl lead security researcher Valentina Palmiotti has published a proof-of-concept (PoC) exploit for the critical SIGRed remote code execution (RCE) vulnerability in Windows DNS Server.

She shared the PoC on Twitter saying, “This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround.”

Microsoft patched the flaw, tracked as CVE-2020-1350, on July 14, 2020, but the researcher showed how attackers can still abuse it on unpatched servers to gain Domain Admin rights and take over a company's entire infrastructure.
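The workaround Palmiotti refers to is Microsoft's published registry mitigation for CVE-2020-1350: setting TcpReceivePacketSize to 0xFF00 under the DNS service's Parameters key and restarting the DNS service, which caps inbound TCP DNS messages below the size the bug needs. The script below audits (and optionally applies) that setting on a DNS server. It is an added example, not code from this article or from Palmiotti's PoC; the registry path, value name and 0xFF00 are Microsoft's documented values, while the function names are this example's own. It checks only the workaround, not whether the July 2020 update is installed, so a server reporting "mitigated" still needs patching.

```powershell
# Audit (and optionally apply) Microsoft's published SIGRed registry workaround on a
# Windows DNS Server. Added example, not from the article or from Palmiotti's PoC.
# Assumes the documented mitigation: TcpReceivePacketSize (REG_DWORD) = 0xFF00 under
# HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, then a DNS service restart.
# Run in an elevated PowerShell session on the DNS server itself.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$Expected  = 0xFF00   # 65280 bytes; Microsoft's published cap for TCP DNS messages

function Test-SigRedWorkaround {
    # Reports whether the DNS Server role is present and whether the cap is in place.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ DnsRolePresent = $false; Mitigated = $false; Current = $null; ServiceStatus = $null }
    }
    $current = $null
    try {
        $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName
    } catch { }
    # A missing value means the service's default (larger) limit, i.e. an exposed server.
    # A value lower than 0xFF00 also caps the message size, at the cost of dropping more
    # legitimate large TCP responses, so anything at or below the published value counts.
    $mitigated = ($null -ne $current) -and ($current -le $Expected)
    [pscustomobject]@{
        DnsRolePresent = $true
        Mitigated      = $mitigated
        Current        = $current
        ServiceStatus  = $svc.Status
    }
}

function Enable-SigRedWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Test-SigRedWorkaround
    if (-not $state.DnsRolePresent) {
        Write-Warning 'DNS Server role not installed; nothing to do.'
        return
    }
    if ($state.Mitigated) {
        Write-Host ('Already mitigated ({0} = 0x{1:X})' -f $ValueName, $state.Current)
        return
    }
    $action = 'Set {0} = 0x{1:X} and restart the DNS service' -f $ValueName, $Expected
    if ($PSCmdlet.ShouldProcess($RegPath, $action)) {
        # The service reads this value at start-up, so the restart is part of the mitigation.
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Expected -Type DWord
        Restart-Service -Name DNS -Force
    }
}

Test-SigRedWorkaround | Format-List
# Enable-SigRedWorkaround -WhatIf   # preview the change; drop -WhatIf to apply it
```

Because the service only picks the value up when it starts, a registry edit without the restart leaves the server exposed, which is why the check reports the current service status alongside the value. Run `Test-SigRedWorkaround` across all DNS servers first, then apply the change only where the July 2020 update cannot be installed promptly.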

“If exploited carefully, attackers can execute code remotely on the vulnerable system and gain Domain Admin rights, effectively compromising the entire corporate infrastructure,” Palmiotti explained.

Rated at the maximum CVSS score of 10 out of 10, SIGRed affects all Windows Server versions from 2003 through 2019 and had existed in Microsoft's DNS code for over 17 years before it was found. SIGRed is also on the NSA's list of the top 25 vulnerabilities actively exploited by Chinese state-sponsored hacking groups, alongside other high-impact Windows bugs such as Zerologon and BlueKeep.

Microsoft rated the flaw as wormable, meaning malware exploiting it can spread from one vulnerable machine to another without any user interaction.

When exploited successfully against a domain controller (DC) running the DNS Server role, SIGRed gives unauthenticated attackers remote code execution with SYSTEM privileges.

The working PoC exploit (1, 2) has been tested successfully against unpatched 64-bit versions of Windows Server 2019, 2016, 2012 R2, and 2012.

Palmiotti's write-up also covers ways to detect SIGRed exploitation attempts.

The researcher also posted a video showing the SIGRed (CVE-2020-1350) RCE exploit in action.

SIGRed PoC exploits had previously been shared publicly, along with scripts designed to perform denial-of-service (DoS) attacks against vulnerable servers.

However, the exploit Palmiotti shared is the first working remote code execution exploit published since Microsoft patched the vulnerability.

To build the RCE PoC, Palmiotti drew on exploitation techniques shared by DATAFARM security researcher Worawit Wang in a September 2020 write-up.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.