CVE-2020-1350 PoC — Microsoft Windows DNS Server Input Validation Error Vulnerability

Associated Vulnerability
Title: Microsoft Windows DNS Server Input Validation Error Vulnerability (CVE-2020-1350)
Description:A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.
Description
Detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed)
Readme
# CVE-2020-1350 (AKA SIGRed) v0.30

## Summary:  
A Zeek package for detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed - CVE Score of 10.0)

## References: 
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/     
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350  

## Notices raised:

| Notice | Fidelity  |
| -------- | ---------------------- |
|`CVE_2020_1350::CVE_2020_1350_Detected_High_Confidence`: CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response). Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|High|
|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|
|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response).  Refer to links:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|


By default, all notices are enabled. If you'd like to enable only the High Fidelity notice (because of noise, performance or other reasons), change the option in `scripts/CVE-2020-1350.zeek` to true, i.e. `option only_enable_high_fidelity_notice: bool = T;`
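
The tiering in the notice table above, as an added Python example (not the package's Zeek code): it classifies a single DNS response by size and record type. The 4096-byte threshold, the tier labels and the function names are assumptions made for this example; the type numbers are the IANA values for SIG, KEY, RRSIG and TKEY.

```python
import struct

# IANA DNS type numbers for the record types named in the notices.
SIG, KEY, RRSIG, TKEY = 24, 25, 46, 249
LARGE_RESPONSE = 4096  # assumed threshold (bytes); the package's value is not on this page

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def record_types(msg):
    """Walk the header, questions and all RRs; return the set of RR types seen."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = set()
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.add(rtype)
        off += 10 + rdlen
    return types

def classify(msg, threshold=LARGE_RESPONSE):
    """Map one DNS message to a fidelity tier from the table, or None."""
    # Ignore small messages and queries (QR bit clear).
    if len(msg) <= max(threshold, 12) or not (struct.unpack_from("!H", msg, 2)[0] & 0x8000):
        return None
    try:
        types = record_types(msg)
    except (struct.error, IndexError):
        types = set()                          # malformed: fall back to size only
    if types & {SIG, KEY}:
        return "High"
    if types & {RRSIG, TKEY}:
        return "Medium/High (RRSIG/TKEY)"
    return "Medium/High (large response)"

def build_response(rtype, rdlen):
    """Constructed sample: one question, one answer with zero-filled RDATA."""
    head = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    head += b"\x07example\x04test\x00" + struct.pack("!HH", rtype, 1)
    return head + b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, rdlen) + bytes(rdlen)
```
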

File Snapshot

[4.0K] /data/pocs/b8e34b4f396a1b6e02cfc347a7e20b6cb1165fc1
├── [ 174] bro-pkg.meta
├── [1.5K] LICENSE
├── [1.8K] README.md
├── [4.0K] scripts
│   ├── [4.0K] CVE-2020-1350.zeek
│   └── [ 22] __load__.zeek
└── [ 174] zkg.meta

1 directory, 6 files