Windows DNS SIGRed bug gets first public RCE PoC exploit

A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability.

Microsoft issued security updates to address the security flaw tracked as CVE-2020-1350 on July 14, 2020, together with a registry-based workaround that helps protect affected Windows servers from attacks.

SIGRed has existed in Microsoft’s code for over 17 years, it impacts all Windows Server versions 2003 through 2019, and it has received a maximum severity rating of 10 out of 10.

The flaw was classified by Microsoft as wormable, indicating that malware exploiting it might be able to spread automatically between vulnerable machines on the network with no user interaction.

This places it in the same risk category as the Remote Desktop Protocol (RDP) BlueKeep bug and the EternalBlue flaw in Server Message Block (SMB).

Following successful SIGRed exploitation against domain controller (DC) servers running DNS, unauthenticated attackers can achieve remote code execution as SYSTEM.

Tested against multiple Windows Server versions

Grapl lead security researcher Valentina Palmiotti, who shared the PoC, also published a write-up with details on the methods used by the exploit.

“If exploited carefully, attackers can execute code remotely on the vulnerable system and gain Domain Admin rights, effectively compromising the entire corporate infrastructure,” Palmiotti explained.

The working PoC exploit (1, 2) has been tested successfully against unpatched 64-bit versions of Windows Server 2019, 2016, 2012R2, and 2012.

Admins who haven’t yet patched their servers and can’t immediately deploy the necessary security updates can apply Microsoft’s workaround fix (doesn’t require a restart).

Palmiotti’s write-up also includes information on how to create SIEM rules to detect SIGRed exploitation.

The researcher shared a video demo showcasing the SigRed CVE-2020-1350 RCE exploit in action.

Publicly available SIGRed DoS exploits

SIGRed PoC exploits were published before, with scripts designed to trigger denial-of-service (DoS) conditions shared publicly, days after Microsoft patched the bug.

However, this is the first working remote code execution exploit available since Microsoft addressed the vulnerability.

To create this RCE PoC, Palmiotti used some exploiting techniques shared by DATAFARM security researcher Worawit Wang in a write-up published in September 2020.

Two days after Microsoft addressed the bug, CISA ordered federal agencies to patch the wormable SIGRed flaw within 24 hours.

The NSA also issued an advisory [PDF] urging admins to apply the CVE-2020-1350 patch to all Windows Servers immediately.

SIGRed also made it to NSA’s top 25 vulnerabilities actively abused by Chinese-backed hacking groups, together with other critical Windows vulnerabilities like Zerologon and BlueKeep.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s