MS10-024:Microsoft Windows SMTP服务可预测DNS查询ID漏洞

来源:岁月联盟 编辑:猪蛋儿 时间:2010-05-07

影响版本:
Microsoft Exchange Server 2010
Microsoft Exchange Server 2007 SP2
Microsoft Exchange Server 2007 SP1
Microsoft Exchange Server 2003 SP3
Microsoft Exchange Server 2003 SP2
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000 SP4

漏洞描述:
BUGTRAQ  ID: 39908
CVE ID: CVE-2010-1689

Microsoft Windows是微软发布的非常流行的操作系统。

Windows系统中的SMTP服务所生成的DNS查询中transaction ID字段值是可预测的:

/-----
4FB5530C
4FB5530C loc_4FB5530C:
4FB5530C mov     [esi+3Ch], eax
4FB5530F mov     eax, [ebp+arg_8]
4FB55312 mov     ecx, ushort gwTransactionId
4FB55318 inc     word ptr ushort gwTransactionId
4FB5531F shr     eax, 2
4FB55322 not     eax
4FB55324 and     eax, 1
4FB55327 push    eax
4FB55328 push    ecx
4FB55329 push    [ebp+arg_4]
4FB5532C lea     eax, [ebp+hostshort]
4FB5532F push    [ebp+lpMultiByteStr]
4FB55332 push    eax
4FB55333 push    dword ptr [esi+3Ch]
4FB55336 call    DnsWriteQuestionToBuffer_UTF8(x,x,x,x,x,x)
4FB5533B test    eax, eax
4FB5533D jnz     short loc_4FB5537E

- -----/

在4FB55318处用于生成出站DNS查询的查询ID字段的值仅仅是对所发送的新查询进行递增,因此恶意服务器可以相对容易的破解随机数,并通过伪造响应执行中间人等网络欺骗攻击。

<*参考

http://marc.info/?l=full-disclosure&m=127301231908763&w=2
http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx?pf=true

*>

安全建议:
厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS10-024)以及相应补丁:
MS10-024:Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
链接:http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx?pf=true