Exploiting SIGRed (CVE-2020-1350) on Windows Server 2012/2016/2019

Prepare name servers

Trigger the bug

WinDNS Heap Manager

The WinDNS heap never returns memory to the native Windows heap

All WinDNS heap header values are known

Free chunks are kept in a singly linked list

  • Fake free list to control the next allocation location. This might result in overlapped chunks or an arbitrary write (I think an arbitrary write is difficult in this case because an 8-byte cookie is checked before Mem_Alloc returns an address)
  • Controlling chunk allocation order by freeing the chunks in reverse order

Monitoring objects in heap

Heap buffer overflow without any crash

Information Leak

Controlling Program Counter (rip)

Code Execution

Demonstration Video
