SIGRed Exploit Attempt - CVE-2020-1350

SIGRed is a vulnerability in Windows DNS Server. To exploit this vulnerability, the attacker first sets up a simple DNS infrastructure that includes a registered domain and a DNS server that acts as the authoritative name server (NS) for that domain. When the victim tries to resolve the attacker-controlled domain or sub-domain, the victim sends a DNS query that is ultimately received by the attacker-controlled NS. The NS responds to the victim by sending a SIG resource record, which is a legacy record type for holding digital signatures. Instead of including a small digital signature, however, the attacker includes a large, compressed payload. The Windows DNS implementation on the victim assumes that the maximum SIG record payload size is smaller than a threshold of approximately 65,000 bytes, without considering how decompression affects the SIG record payload size. (The maximum size of a DNS response over a TCP connection is 65,536 bytes, and records typically contain compressed payloads to reduce DNS response size.) Because the decompressed SIG record payload is larger than 65,000 bytes, the DNS resolver allocates too little memory on the heap memory of the victim to process the DNS response. When data is copied into the buffer, a heap-based overflow occurs. Malicious, arbitrary code can now run on the Windows DNS server with Local System Account privileges.