
[Security Advisory] CVE-2020-1350: Critical Wormable Vulnerability in Windows DNS Server

Category: Media coverage  Published: 2021-04-14

Source: 蓝队云

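Introduction

DNS, often described as the "phonebook of the Internet", is a network protocol for translating human-friendly computer hostnames into IP addresses. Because it is such a core component of the Internet, there are many solutions and implementations of DNS servers, but only a few are widely used.

"Windows DNS Server" is the Microsoft implementation and is an essential part of, and a requirement for, a Windows Domain environment.

SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service runs with elevated privileges (SYSTEM), successful exploitation grants the attacker Domain Administrator rights, effectively compromising the entire corporate infrastructure.

Motivation

Our main goal was to find a vulnerability that would let an attacker compromise a Windows Domain environment, preferably without authentication. There is a lot of related research by independent security researchers as well as by nation-state sponsored ones. Most of the published and publicly available material and exploits focus on Microsoft's implementation of the SMB (EternalBlue) and RDP (BlueKeep) protocols, because these targets affect both servers and endpoints. To obtain Domain Admin privileges, a straightforward approach is to exploit the Domain Controller directly. We therefore decided to focus our research on a lesser-known attack surface that exists primarily on Windows Server and Domain Controllers. Enter WinDNS.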

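Windows DNS overview

"Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP, and together the DNS Client and DNS Server provide computer name-to-IP address mapping name resolution services to computers and users." (Microsoft)

DNS operates primarily over the User Datagram Protocol (UDP) on port 53 to serve requests. A DNS query consists of a single UDP request from the client followed by a single UDP response from the server.

In addition to translating names to IP addresses, DNS has other uses. For example, mail transfer agents use DNS to find the best mail server to deliver e-mail: an MX record provides a mapping between a domain and a mail exchanger, which can provide an additional layer of fault tolerance and load distribution. A list of the available DNS record types and their corresponding purposes can be found on Wikipedia.

However, the purpose of this blog post is not to give a lengthy account of DNS features and history, so we encourage you to read more about DNS in the references below.

What you need to know:

· DNS operates over UDP/TCP port 53.

· A single DNS message (response/query) is limited to 512 bytes in UDP and 65,535 bytes in TCP.

· DNS is hierarchical and decentralized in nature. This means that when a DNS server does not know the answer to a query it receives, the query is forwarded to a DNS server above it in the hierarchy. At the top of the hierarchy there are 13 root DNS servers worldwide.

In Windows, the DNS client and the DNS server are implemented in two different modules:

· DNS Client - dnsapi.dll is responsible for DNS resolving.

· DNS Server - dns.exe is responsible for answering DNS queries on Windows Server where the DNS role is installed.

Our research is centered around the dns.exe module.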

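Preparing the environment

Our attack surface consists mainly of two scenarios:

1. A bug in the way the DNS server parses an incoming query.

2. A bug in the way the DNS server parses a response (answer) to a forwarded query.

Because DNS queries do not have a complex structure, the chance of finding a parsing issue in the first scenario is small, so we decided to target the functions that parse the incoming responses to forwarded queries.

As mentioned earlier, forwarded queries use the DNS architecture to forward a query whose answer is not known to a DNS server above it in the hierarchy.

However, most environments configure their forwarders to be well-known, reputable DNS servers such as 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare), or at least a server that is not under the attacker's control.

This means that even if we find an issue in the parsing of DNS responses, we would need to establish a man-in-the-middle position to exploit it. Clearly, that is not good enough.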

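NS records to the rescue

NS stands for "name server", and this record indicates which DNS server is authoritative for the domain (which server contains the actual DNS records). NS records are usually responsible for resolving the subdomains of a given domain. A domain usually has multiple NS records, which can indicate the primary and backup name servers for that domain.

To make the target Windows DNS server parse responses from a malicious DNS name server, the following is done:

1. Configure the NS record of our domain (deadbeef.fun) to point to our malicious DNS server (ns1..club).

2. Query the victim Windows DNS server for the NS records of deadbeef.fun.

3. The victim DNS server, not yet knowing the answer to this query, forwards the query to the DNS server above it (8.8.8.8).

4. The authoritative server (8.8.8.8) knows the answer and responds that the NameServer of deadbeef.fun is ns1..club.

5. The victim Windows DNS server processes and caches this response.

6. The next time we query for a subdomain of deadbeef.fun, the target Windows DNS server also queries ns1..club for its response, because it is the NameServer for this domain.

Figure 1: Packet capture of the victim DNS server querying our malicious server.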

The vulnerability - CVE-2020-1350

Function: dns.exe!SigWireRead
Vulnerability type: integer overflow leading to a heap-based buffer overflow

dns.exe implements a parsing function for each of the supported response types.

Figure 2: Wire_CreateRecordFromWire: RRWireReadTable is passed to RR_DispatchFunctionForType to determine the handling function.

Figure 3: RRWireReadTable and some of its supported response types.

One of the supported response types is for a SIG query. According to Wikipedia, a SIG query is the "signature record used in SIG(0) (RFC 2931) and TKEY (RFC 2930). RFC 3755 designated RRSIG as the replacement for SIG for use within DNSSEC."

Let's examine the disassembly generated by Cutter for dns.exe!SigWireRead, the handler function for the SIG response type:

Figure 4: Disassembly of dns.exe!SigWireRead as seen in Cutter.

The first parameter passed to RR_AllocateEx (the function responsible for allocating memory for the "resource record") is calculated by the following formula:

[Name_PacketNameToCountNameEx result] + [0x14] + [length of the Signature field (rdi - rax)]

The size of the Signature field can vary, because it is the primary payload of the SIG response.

Figure 5: Structure of the SIG resource record according to RFC 2535.

As you can see in the image below, RR_AllocateEx expects its parameters to be passed in 16-bit registers, because it only uses the dx part of rdx and the cx part of rcx.

This means that if we can make the formula above produce a result larger than 65,535 bytes (the maximum value of a 16-bit integer), the integer overflow leads to an allocation that is much smaller than expected, which hopefully leads to a heap-based buffer overflow.

Figure 6: RR_AllocateEx converts its parameters to their 16-bit values.

Conveniently, the address of this allocation is then passed as the destination buffer to memcpy, leading to a heap-based buffer overflow.

Figure 7: The buffer allocated by RR_AllocateEx is passed to memcpy.

To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.

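Triggering the vulnerability

Now that we can make the victim DNS server query our DNS server for various questions, we have effectively turned it into a client. We can make the victim DNS server ask our malicious DNS server specific types of queries and answer each with a matching malicious response.

We thought that all we needed to do to trigger this vulnerability was to make the victim DNS server query us for a SIG record and answer it with a SIG response carrying a lengthy signature (length >= 64KB). We were disappointed to find that DNS over UDP has a size limit of 512 bytes (or 4,096 bytes if the server supports EDNS0). Either way, that is not enough to trigger the vulnerability.

But what happens if a server has a legitimate reason to send a response larger than 4,096 bytes? For example, a lengthy TXT response, or a hostname that resolves to multiple IP addresses.

DNS truncation - but wait, there's more!

According to DNS RFC 5966:
"In the absence of EDNS0 (Extension Mechanisms for DNS 0), the normal behaviour of any DNS server needing to send a UDP response that would exceed the 512-byte limit is for the server to truncate the response so that it fits within that limit and then set the TC flag in the response header. When the client receives such a response, it takes the TC flag as an indication that it should retry over TCP instead."

Great! So we can set the TC (truncation) flag in our response, which causes the target Windows DNS server to initiate a new TCP connection to our malicious NameServer, and we can pass a message larger than 4,096 bytes. But how much larger?

According to DNS RFC 7766:
"DNS clients and servers SHOULD pass the two-octet length field, and the message described by that length field, to the TCP layer at the same time (e.g., in a single "write" system call) to make it more likely that all the data will be transmitted in a single TCP segment."

Because the first two bytes of the message represent its length, the maximum size of a message in DNS over TCP is represented in 16 bits and is therefore limited to 64KB.

Figure 8: The first two bytes of a DNS over TCP message represent the length of the message.

However, even a message of length 65,535 is not large enough to trigger the vulnerability, because the message length includes the headers and the original query. This overhead is not taken into account when calculating the size passed to RR_AllocateEx.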

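DNS pointer compression - less is more

Let's take another look at a legitimate DNS response (for convenience, we chose a response of type A).

Figure 9: DNS response to dig A @8.8.8.8, as seen in Wireshark.

You can see that Wireshark evaluates the bytes 0xc00c in the answer's name field as a full domain name. The question is, why?

To quote:
"To squeeze as much information as possible into the 512 bytes, DNS names can (and often must) be compressed … In this case, the DNS name of the answer is encoded as 0xc0 0x0c. The c0 part has the two most significant bits set, indicating that the following 6 + 8 bits are a pointer to somewhere earlier in the message. In this case, this points to position 12 (= 0x0c) within the packet, which is immediately after the DNS header."

What is at offset 0x0c (12) from the beginning of the packet? It is the queried name!

In this form of compression, the pointer points to the beginning of an encoded string. In DNS, strings are encoded as a chain of (<size> <value>) pairs.

Figure 10: Illustration of the <size> <value> chain.

So we can use the "magic" byte 0xc0 to reference strings from within the packet. Let's re-examine the formula that calculates the size passed to RR_AllocateEx:

[Name_PacketNameToCountNameEx result] + [0x14] + [length of the Signature field (rdi - rax)]

Reversing Name_PacketNameToCountNameEx confirms the behavior described above. The purpose of Name_PacketNameToCountNameEx is to calculate the size of a name field, taking pointer compression into account. A primitive that lets us greatly increase the size of the allocation while representing it with only two bytes is exactly what we need.

Therefore, we can use pointer compression in the SIG signer's name field. However, simply specifying 0xc00c as the signer's name does not cause the overflow, because the queried domain name is already present in the query and the overhead size is subtracted from the allocated value. But what about 0xc00d? The only constraint we need to satisfy is that the encoded string is valid (ends with 0x0000), and we can do this easily because we have a field with no character constraints at all: the signature value. For the domain .fun, 0xc00d points to the first character of the domain ('4'). The ordinal value of this character is then used as the size of the uncompressed string ('4' represents the value 0x34 (52)). The sum of the size of this uncompressed string and the maximum amount of data we can fit in the Signature field (up to 65,535, depending on the original query) results in a value larger than 65,535 bytes, which causes the overflow!

Let's test this with WinDBG attached to dns.exe:

We crashed!

Although it seems we crashed because we tried to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values.

It is also worth mentioning that because SIG records and RRSIG records have the same structure, Microsoft uses the same function (SigWireRead) to parse both record types. This can be seen when inspecting RRWireReadTable: indexes 0x18 (24) and 46 (0x2e) both point to the function SigWireRead.
This means that both the SIG and the RRSIG record types can be used to trigger this vulnerability, because they are parsed by the same vulnerable function, SigWireRead.

Previous exploitation attempts against dns.exe can be found online, for example: A deeper look at ms11-058.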

Triggering from the browser

We know this bug can be triggered by a malicious actor present in the LAN environment. However, we thought it would be interesting to see whether it can be triggered remotely, without LAN access.

Smuggling DNS inside HTTP

By now you should know that DNS can be transported over TCP and that Windows DNS Server supports this connection type. You should also be familiar with the structure of DNS over TCP; just in case, here is a quick recap:

Figure 11: DNS over TCP message format.

Consider the following standard HTTP payload:


0000   50 4f 53 54 20 2f 70 77 6e 20 48 54 54 50 2f 31   POST /pwn HTTP/1
0010   2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d   .1..Accept: */*.
0020   0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f   .Referer: http:/


Even though this is an HTTP payload, sending it to the target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it were a DNS query. It does so using the following structure:


0000   50 4f 53 54 20 2f 70 77 6e 20 48 54 54 50 2f 31   POST /pwn HTTP/1
0010   2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d   .1..Accept: */*.
0020   0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f   .Referer: http:/



Message Length: 20559 (0x504f)
Transaction ID: 0x5354
Flags: 0x202f
Questions: 28791 (0x7077)
Answer RRs: 28192 (0x6e20)
Authority RRs: 18516 (0x4854)
Additional RRs: 21584 (0x5450)
Queries: [...]
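
The reinterpretation above can be reproduced with a small parser, which also gives defenders a simple check for HTTP arriving on TCP port 53. This is an added example, not code from the original article; the function names and the HTTP-method heuristic are assumptions of the example, and DNS_SAMPLE is a constructed benign header included for contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS-over-TCP framing: 2-byte big-endian length, then the 12-byte DNS header. */
struct dns_tcp_header {
    uint16_t msg_len, id, flags, qdcount, ancount, nscount, arcount;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the first 14 bytes of a TCP/53 stream; returns -1 if too short. */
int parse_dns_tcp_header(const uint8_t *buf, size_t len, struct dns_tcp_header *h)
{
    if (buf == NULL || h == NULL || len < 14) return -1;
    h->msg_len = be16(buf);
    h->id      = be16(buf + 2);
    h->flags   = be16(buf + 4);
    h->qdcount = be16(buf + 6);
    h->ancount = be16(buf + 8);
    h->nscount = be16(buf + 10);
    h->arcount = be16(buf + 12);
    return 0;
}

/* Detection heuristic (an assumption of this example): a port-53 TCP stream
 * whose first bytes are an HTTP method token is HTTP, not a DNS message. */
int starts_with_http_method(const uint8_t *buf, size_t len)
{
    static const char *const methods[] = { "GET ", "POST ", "PUT ", "HEAD ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t n = strlen(methods[i]);
        if (len >= n && memcmp(buf, methods[i], n) == 0) return 1;
    }
    return 0;
}

/* First 16 bytes of the hex dump above: "POST /pwn HTTP/1". */
const uint8_t HTTP_SAMPLE[16] = { 0x50,0x4f,0x53,0x54,0x20,0x2f,0x70,0x77,
                                  0x6e,0x20,0x48,0x54,0x54,0x50,0x2f,0x31 };
/* Constructed benign prefix: length 29, ID 0x1a2b, RD set, one question. */
const uint8_t DNS_SAMPLE[14] = { 0x00,0x1d,0x1a,0x2b,0x01,0x00,0x00,0x01,
                                 0x00,0x00,0x00,0x00,0x00,0x00 };

int main(void)
{
    struct dns_tcp_header h;
    if (parse_dns_tcp_header(HTTP_SAMPLE, sizeof HTTP_SAMPLE, &h) == 0)
        printf("len=0x%04x id=0x%04x flags=0x%04x qd=%u http=%d\n", h.msg_len, h.id,
               h.flags, h.qdcount, starts_with_http_method(HTTP_SAMPLE, sizeof HTTP_SAMPLE));
    return 0;
}
```

The implausible section counts (28791 questions in a 16-byte prefix) are a second signal that the stream is not DNS, independent of the method-token match.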


 

Fortunately, the Windows DNS Server supports both "Connection Reuse" and "Pipelining" from RFC 7766, which means we can issue multiple queries over a single TCP session, and we can do so without waiting for replies.

Why is this important?

When a victim browses to a website we control, we can use basic JavaScript to issue a POST request from the browser to the DNS server. However, as shown above, the POST request is interpreted in a way that we do not control.

However, we can abuse the "Connection Reuse" and "Pipelining" features by sending an HTTP POST request with binary data to the target DNS server, where the POST data contains another, "smuggled" DNS query that is processed separately.

Our HTTP payload consists of the following:

· HTTP request headers, which we do not control (User-Agent, Referer, etc.).

· "Padding", so that the first DNS query has a proper length (0x504f) inside the POST data.

· The "smuggled" DNS query inside the POST data.

Figure 12: Multiple queries in a single TCP session, as seen in Wireshark.

In practice, most popular browsers (such as Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, so this bug can only be exploited in a limited set of web browsers, including Internet Explorer and Microsoft Edge (non-Chromium based).

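Variant analysis

The main reason this bug occurs is that the RR_AllocateEx API expects a size parameter of 16 bits. It is usually safe to assume that the size of a single DNS message does not exceed 64KB, so this behavior should not cause a problem. However, as we just saw, this assumption is wrong when the result of Name_PacketNameToCountNameEx is taken into account in calculating the size of the buffer. This happens because the Name_PacketNameToCountNameEx function calculates the effective size of the uncompressed name, not the number of bytes it took to represent it in the packet.

To find other variants of this bug, we need to find a function that meets the following conditions:

· RR_AllocateEx is called with a variable size (rather than a constant value).

· There is a call to Name_PacketNameToCountNameEx, and its result is used to calculate the size passed to RR_AllocateEx.

· The value passed to RR_AllocateEx is calculated using values in the range of 16 bits or more.

The only other function in dns.exe that meets these three conditions is NsecWireRead. Let's examine the following simplified code snippet, which we derived from decompiling the function: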

RESOURCE_RECORD* NsecWireRead(PARSED_WIRE_RECORD *pParsedWireRecord, DNS_PACKET *pPacket, BYTE *pRecordData, WORD wRecordDataLength)
{
  DNS_RESOURCE_RECORD *pResourceRecord;
  unsigned BYTE *pCurrentPos;
  unsigned int dwRemainingDataLength;
  unsigned int dwBytesRead;
  unsigned int dwAllocationSize;
  DNS_COUNT_NAME countName;

  pResourceRecord = NULL;
  // Expand the (possibly compressed) name; returns the position just past it in the packet
  pCurrentPos = Name_PacketNameToCountNameEx(&countName, pPacket, pRecordData, pRecordData + wRecordDataLength, 0);
  if (pCurrentPos)
  {
    if (pCurrentPos >= pRecordData                                          // <-- Check #1 - Bounds check
      && pCurrentPos - pRecordData <= 0xFFFFFFFF                            // <-- Check #2 - Same bounds check (?)
      && wRecordDataLength >= (unsigned int)(pCurrentPos - pRecordData))    // <-- Check #3 - Bounds check
    {
      dwRemainingDataLength = wRecordDataLength - (pCurrentPos - pRecordData);
      dwBytesRead = countName.bNameLength + 2;

      // size := len(countName) + 2 + len(payload)
      dwAllocationSize = dwBytesRead + dwRemainingDataLength;

      if (dwBytesRead + dwRemainingDataLength >= dwBytesRead                // <-- Check #4 - Integer Overflow check (32 bits)
        && dwAllocationSize <= 0xFFFF)                                      // <-- Check #5 - Integer Overflow check (16 bits)
      {
        pResourceRecord = RR_AllocateEx(dwAllocationSize, 0, 0);
        if (pResourceRecord)
        {
          Name_CopyCountName(&pResourceRecord->data, &countName);
          memcpy(&pResourceRecord->data + pResourceRecord->data->bOffset + 2, pCurrentPos, dwRemainingDataLength);
        }
      }
    }
  }
  return pResourceRecord;
}


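As you can see, this function contains many safety checks. One of them (Check #5) is a 16-bit overflow check, which prevents the variant of our vulnerability in this function. We would also like to mention that this function has more safety checks than the average function in dns.exe, which makes us wonder whether this bug was already noticed and fixed, but only in that specific function.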
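
The 16-bit truncation in the SigWireRead size calculation and the guard that NsecWireRead applies (checks #4 and #5) can be modelled side by side. This is an added example, not Microsoft's code or the researchers'; the function names and the sample lengths are constructed for illustration, and only the 0x14 constant and the 16-bit size parameter come from the text above.

```c
#include <stdint.h>
#include <stdio.h>

#define RR_FIXED_OVERHEAD 0x14u   /* the constant term in the article's formula */

/* Flawed pattern: the sum is computed in 32 bits, but the allocator's size
 * parameter is 16 bits wide, so only the low 16 bits are kept. */
uint16_t alloc_size_truncating(uint32_t name_len, uint32_t sig_len)
{
    uint32_t wanted = name_len + RR_FIXED_OVERHEAD + sig_len;
    return (uint16_t)wanted;
}

/* Hardened pattern, in the spirit of checks #4 and #5 in NsecWireRead:
 * reject 32-bit wrap-around and any total that does not fit in 16 bits.
 * Returns 0 and stores the size in *out, or -1 if the record must be dropped. */
int alloc_size_checked(uint32_t name_len, uint32_t sig_len, uint16_t *out)
{
    uint32_t fixed = name_len + RR_FIXED_OVERHEAD;
    if (fixed < name_len) return -1;              /* 32-bit wrap */
    uint32_t wanted = fixed + sig_len;
    if (wanted < fixed) return -1;                /* 32-bit wrap */
    if (wanted > 0xFFFFu) return -1;              /* exceeds the 16-bit size */
    *out = (uint16_t)wanted;
    return 0;
}

/* Lower bound on the bytes written past the buffer when sig_len bytes are
 * copied into an allocation of `allocated` bytes. */
uint32_t min_overrun(uint16_t allocated, uint32_t sig_len)
{
    return sig_len > allocated ? sig_len - allocated : 0;
}

int main(void)
{
    /* Constructed lengths, not taken from a real packet. */
    uint32_t name_len = 0x40, sig_len = 0xFFE0;
    uint16_t got = alloc_size_truncating(name_len, sig_len), safe = 0;
    printf("requested 0x%x, allocator sees 0x%x, overrun >= %u bytes\n",
           (unsigned)(name_len + RR_FIXED_OVERHEAD + sig_len), (unsigned)got,
           (unsigned)min_overrun(got, sig_len));
    printf("checked variant: %s\n",
           alloc_size_checked(name_len, sig_len, &safe) == 0 ? "accepted" : "rejected");
    return 0;
}
```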

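As mentioned earlier, Microsoft implemented the DNS client and the DNS server in two different modules. While our vulnerability does exist in the DNS server, we wanted to see whether it also exists in the DNS client.

Figure 13: Disassembly snippet of Sig_RecordRead from dnsapi.dll.

It appears that, unlike dns.exe!SigWireRead, dnsapi.dll!Sig_RecordRead does validate at Sig_RecordRead+D0 that the value passed to dnsapi.dll!Dns_AllocateRecordEx is less than 0xFFFF bytes, thus preventing the overflow.

The fact that this vulnerability does not exist in dnsapi.dll, together with the different naming conventions in the two modules, leads us to believe that Microsoft manages two completely different code bases for the DNS server and the DNS client, and does not synchronize bug patches between them.

Exploitation plan

At Microsoft's request, we decided to withhold information about the exploitation primitives in order to give users enough time to patch their DNS servers. Instead, we discuss our exploitation plan as it applies to Windows Server 2012R2. However, we do believe this plan should also apply to other versions of Windows Server.

The dns.exe binary was compiled with Control Flow Guard (CFG), which means the traditional approach of overwriting a function pointer in memory is not enough to exploit this bug. If this binary had not been compiled with CFG, exploiting this bug would have been quite straightforward, because early on we encountered the following crash:

Figure 14: Crash in ntdll!LdrpValidateUserCallTarget.

As you can see, we crashed in ntdll!LdrpValidateUserCallTarget. This is the function responsible for validating function pointer targets as part of CFG. We can see that the pointer to be validated (rcx) is fully controllable, which means we successfully overwrote a function pointer somewhere along the way. The reason we saw a crash is that the function pointer is used as an index into a global bitmap table with an "allowed" / "disallowed" bit per address, and our arbitrary address caused a read from an unmapped page in the table itself.

To exploit this vulnerability into full remote code execution while defeating CFG, we need to find primitives with the following capabilities: write-what-where (to precisely overwrite a return address on the stack) and an infoleak (to leak memory addresses, such as the stack).

Infoleak

To achieve the infoleak primitive, we use the overflow to corrupt the metadata of a DNS resource record while it is still in the cache. Then, when it is queried again from the cache, we are able to leak adjacent heap memory.

WinDNS's heap manager

WinDNS uses the function Mem_Alloc to dynamically allocate memory. This function manages its own memory pools, which serve as an efficient cache. There are 4 memory pool buckets for different allocation sizes (up to 0x50, 0x68, 0x88, 0xA0). If the requested allocation size is larger than 0xA0 bytes, it defaults to HeapAlloc, which uses the native Windows heap. The heap manager allocates an additional 0x10 bytes for the memory pool header, which contains metadata including the buffer's type (allocated/free), a pointer to the next available memory chunk, a cookie for debug checks, and more. The heap manager implements its allocation lists as singly linked lists, which means chunks are allocated in the reverse order in which they were freed (LIFO).

Write-what-where

To achieve the "write-what-where" primitive, we attack the WinDNS heap manager by corrupting a chunk's header (metadata), in effect corrupting the free list.

After the free list is corrupted, the next time we try to allocate anything of an appropriate size, the memory allocator assigns us a memory region of our choice as a writable allocation: a "Malloc-Where" exploitation primitive.

To bypass CFG, we want that memory region to be on the stack (whose location we hopefully know thanks to the infoleak). Once we have a write capability on the stack, we can overwrite a return address with the address we want to execute, effectively hijacking the execution flow.

It is worth mentioning that, by default, the DNS service restarts on the first 3 crashes, which increases the chances of successful exploitation.

Conclusion

Microsoft acknowledged this high-severity vulnerability and assigned it CVE-2020-1350.

We believe that the likelihood of this vulnerability being exploited is high, because we internally found all of the primitives required to exploit this bug. Due to time constraints, we did not continue to pursue the exploitation of the bug (which includes chaining together all of the exploitation primitives), but we do believe that a determined attacker will be able to exploit it. Successful exploitation of this vulnerability would have a severe impact, because unpatched Windows Domain environments are often found, especially Domain Controllers. In addition, some Internet Service Providers (ISPs) may even have set up their public DNS servers as WinDNS.

We strongly recommend that users patch their affected Windows DNS servers to prevent exploitation of this vulnerability.

As a temporary workaround until the patch is applied, we suggest setting the maximum length of a DNS message (over TCP) to 0xFF00, which should eliminate the vulnerability. You can do so by executing the following command: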

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v TcpReceivePacketSize /t REG_DWORD /d 0xFF00 /f

learning/dns/what-is-dns/

html/rfc7766

html/rfc5966

html/rfc2535

Many thanks to my colleagues Eyal Itkin (@EyalItkin) and Omri Herscovici (@omriher) for their help in this research.


Article reposted from:

2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/


