Status Tracking Note TRTA07-103A

Microsoft Windows DNS RPC Buffer Overflow

Overview

A buffer overflow in the the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited.
Event Information


Date (UTC)Description
2007-05-08 19:42 Microsoft
Microsoft Security Bulletin MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
Security Bulletin published.
2007-05-08 19:42 Microsoft
Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
DNS RPC Management Vulnerability(CVE-2007-1748)
Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS07-029 to address this issue.
2007-04-18 17:35 Symantec
ThreatCON (2) => (1)
2007-04-18 15:05 Internet Security Systems
AlertCon (2) => (1)
Due to the seriousness of a remote code execution vulnerability in RPC on Windows Domain Name System (DNS) Server and absence of a vendor-supplied patch, the threat level has been elevated to AlertCon 2.
2007-04-18 Bugtraq
MS Windows DNS RPC Remote Buffer Overflow Exploit (port 445) v2
Vulnerability Proof Of Concept (CVE-2007-1748)
#Cid: Microsoft_Dns_Server_Exploit_v2.1.zip
#Tested: Windows 2000 Server [ES] SP4
#Tested: Windows 2000 Server [EN] SP4
#Tested: Windows 2000 Server [IT] SP4
#Tested: Windows 2003 [Universal] SP2
2007-04-18 Symantec
W32.Rinbot.BF
Exploit vulnerabilities (CVE-2006-2630, CVE-2006-3439(MS06-040), CVE-2007-1748)
2007-04-17 Microsoft
Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
(CVE-2007-1748)
Ongoing monitoring indicates that we are seeing a new attack that is attempting to exploit this vulnerability.
2007-04-16 03:15 Bugtraq
Microsoft DNS Server Remote Code execution: Analysis and exploit
Vulnerability Proof Of Concept (CVE-2007-1748)
#Cid: Microsoft_Dns_Server_Exploit.zip
#Cid: dnsxpl.rar
#Tested: Windows 2000 Server [ES] SP4
#Tested: Windows 2003 [ES] SP2
2007-04-16 Symantec
W32.Rinbot.BC
Exploit vulnerabilities (CVE-2006-2630, CVE-2006-3439(MS06-040), CVE-2007-1748)
2007-04-16 SANS Internet Storm Center
New Rinbot scanning for port 1025 DNS/RPC
2007-04-16 SANS Internet Storm Center
Update on Microsoft DNS vulnerability
2007-04-16 McAfee
W32/Nirbot.worm!83E1220A
2007-04-15 18:51 Bugtraq
Windows DNS DnssrvQuery Stack Overflow
Vulnerability Proof Of Concept (CVE-2007-1748)
#Cid: 23470-devcode.c
#Tested: Windows Advanced Server
2007-04-13 17:49 US-CERT
TA07-103A: Microsoft Windows DNS RPC Buffer Overflow
Via US-CERT Mailing List
2007-04-13 16:40 Internet Security Systems
AlertCon (1) => (2)
Due to the seriousness of a remote code execution vulnerability in RPC on Windows Domain Name System (DNS) Server and absence of a vendor-supplied patch, the threat level has been elevated to AlertCon 2.
2007-04-13 07:03 US-CERT
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Microsoft has released a security advisory regarding a vulnerability in the Domain Name System (DNS) Server Service.
2007-04-13 06:00 Symantec
ThreatCON (1) => (2)
2007-04-13 Microsoft
Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
(CVE-2007-1748)
Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration.
2007-04-13 Internet Security Systems
Microsoft Windows DNS Server RPC Interface Buffer Overflow
2007-04-13 SANS Internet Storm Center
More info on the Windows DNS RPC interface vulnerability
2007-04-13 SANS Internet Storm Center
Microsoft Vulnerability in RPC on Windows DNS Server
2007-04-13 Microsoft
Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
(CVE-2007-1748)
Advisory "Suggested Actions" section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.
2007-04-12 Microsoft
Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
(CVE-2007-1748)
Advisory published.

Reference

Date first published (UTC): 2007-04-15T03:07+00:00
Date last updated (UTC): 2007-05-12T18:10+00:00
Valid HTML 4.01!