Exploiting SIGRed (CVE-2020–1350) on Windows Server 2012/2016/2019
by Worawit Wangwarunyoo, DATAFARM Research Team, Datafarm Company Limited
This post describes the exploitation (RCE) of SIGRed (CVE-2020–1350) on Windows Server 2012 R2 to Windows Server 2019. For vulnerability detail please see the checkpoint research post.
Prepare name servers
I configure Conditional Forwarders on a target Windows DNS Server. I use dnslib to create malicious DNS client and server for evildns.com domain.
Trigger the bug
If we follow the checkpoint post directly, we likely crash inside memcpy called from dns!SigWireRead.
The reason is SIG Resource Record is allocated near the end of process heap. Overwriting past ~64KB leads to invalid heap write and crash.
WinDNS Heap Manager
WinDNS manages its own memory pools with 4 buckets (0x50, 0x68, 0x88, 0xa0). Larger allocations use native Windows heap.
Monitoring Heap Objects
Controlling Program Counter (RIP)
Code Execution
Used msvcrt!system for execution after calculating offset from import table.
