65 lines
3.6 KiB
Plaintext
65 lines
3.6 KiB
Plaintext
module CVE_2020_1350;
|
|
# This script raises notices relating to the CVE-2020-1350 (AKA SIGRed)
|
|
# affecting Windows DNS Server with a CVE score of 10.0
|
|
# Tested on zeek 3.2.0-dev.459
|
|
# Authors: Ben Reardon, Research Team @Corelight. ben.reardon@corelight.com, @benreardon
|
|
# Ryan Victory, Applications Team Manager @Corelight. ryan.victory@corelight.com @beerandraptors
|
|
#
|
|
# Version: 0.21
|
|
export {
|
|
redef enum Notice::Type += {
|
|
CVE_2020_1350_Detected_High_Confidence,
|
|
CVE_2020_1350_Potential
|
|
};
|
|
global AXFR_cuid: table[string] of count &default=0 &write_expire=1hr;
|
|
}
|
|
# A list of DNS Record types: https://en.wikipedia.org/wiki/List_of_DNS_record_types
|
|
# While the primary known attack vector involves the SIG query type,
|
|
# at this stage of development let's select query types that are associated with signatures
|
|
# as these are more likely to be parsed by vulnerable function. SIG, KEY, TKEY and RRSIG
|
|
|
|
# Function to take a dns event and look for indicators of the CVE-2020-1350 exploit
|
|
function handle_dns_event(c: connection, ans: dns_answer)
|
|
{
|
|
# If the connection is a non primary packet of an AXFR, return. Only the first AXFR is marked as so,
|
|
# the following packets are not marked AXFR.
|
|
if (c$uid in AXFR_cuid)
|
|
return;
|
|
|
|
if (c$resp$size >= 65258)
|
|
{
|
|
# A guardrail for Zone transfer types AXFR(252) and IXFR(251) that may legitimately exceed the proxy size of 65535
|
|
if (ans$qtype == 252 || ans$qtype == 251)
|
|
{
|
|
# Need to track the uid of the AXFR because only the first packet is logged as query type AXFR
|
|
++AXFR_cuid[c$uid];
|
|
return;
|
|
}
|
|
local notice_type = CVE_2020_1350_Potential;
|
|
local message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
|
|
if (ans$qtype == 24 || ans$qtype == 25) # SIG/KEY query code and a large response, high confidence!
|
|
{
|
|
notice_type = CVE_2020_1350_Detected_High_Confidence;
|
|
message = "CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
|
|
}
|
|
else if (ans$qtype == 46 || ans$qtype == 249) # RRSIG
|
|
{
|
|
message = "Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/";
|
|
}
|
|
NOTICE([$note=notice_type,
|
|
$conn=c,
|
|
$identifier=cat(c$id$orig_h,c$id$resp_h),
|
|
$msg=message,
|
|
$suppress_for=1 hr]);
|
|
}
|
|
}
|
|
# RRSIG (qtype == 46) currently has it's own zeek event and wouldn't trigger the dns_unknown_reply event
|
|
event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
|
|
{
|
|
handle_dns_event(c, ans);
|
|
}
|
|
# SIG (qtype == 24), KEY (qtype == 25), TKEY (qtype == 249) do not have their own event and so should be parsed by the catch-all event
|
|
event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
|
|
{
|
|
handle_dns_event(c, ans);
|
|
} |