Since the bug had existed in the code for 17 years, the problem affected all versions of Windows Server released from 2003 to 2019. To exploit it, an attacker could send malicious DNS queries to a Windows DNS server, resulting in arbitrary code execution and potentially the compromise of the entire infrastructure.
The vulnerability was fixed last year as part of the July “Patch Tuesday”.
Now Valentina Palmiotti, Lead Information Security Officer at Grapl, has presented a PoC exploit for SIGRed and published a detailed report on her work, in which she also explains how to create SIEM rules to detect SIGRed exploitation.
My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350 #SIGRed. RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround. https://t.co/CFRTs7Wdvs
— chompie (@chompie1337) March 2, 2021
“If used carefully, attackers can remotely execute code on a vulnerable system and gain domain administrator rights, jeopardizing the entire corporate infrastructure,” the expert writes in the report.
Palmiotti's exploit has been successfully tested (1, 2) on unpatched 64-bit versions of Windows Server 2019, 2016, 2012R2 and 2012. A video demonstration of the attack can be seen below.
It should be noted that exploits for SIGRed had appeared earlier, but those versions were only capable of causing a denial of service (DoS).