PoC exploit published for SIGRed vulnerability – “Hacker”


Last year, Check Point experts discovered a critical vulnerability in Windows DNS Server, codenamed SigRed and tracked as CVE-2020-1350. The vulnerability scored 10 out of 10 on the CVSSv3 vulnerability rating scale. This rating means that the bug is extremely easy to exploit and requires almost no technical knowledge to do so. The vulnerability can also be used for automated remote attacks and does not require prior authentication.

Because the bug had existed in the code for 17 years, the problem was dangerous for all versions of Windows Server released from 2003 to 2019. To exploit the bug, a hacker could send malicious DNS queries to Windows DNS servers, which resulted in the execution of arbitrary code and could lead to the compromise of the entire infrastructure.

The vulnerability was fixed last year as part of the July “Patch Tuesday”.

Now Grapl Lead Information Security Officer Valentina Palmiotti has presented a PoC exploit for SIGRed and published a detailed report on how it works, in which she also explains how to create SIEM rules to detect SIGRed exploitation.

“If used carefully, attackers can remotely execute code on a vulnerable system and gain domain administrator rights, jeopardizing the entire corporate infrastructure,” the expert writes in the report.

Palmiotti's exploit has been successfully tested on unpatched 64-bit versions of Windows Server 2019, 2016, 2012R2 and 2012.

It should be noted that exploits for SIGRed appeared earlier, but those versions were only capable of provoking a denial of service (DoS).
