CVE-2007-3898
published 2007-11-14


Priority: P3, 51, medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Exploit: EXPLOIT
EPSS: 55.13% (98.9th percentile)
The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 SP1 and SP2, uses predictable transaction IDs when querying other DNS servers, which allows remote attackers to spoof DNS replies, poison the DNS cache, and facilitate further attack vectors.

Detection & IOCs (extracted from sources)

command: $0 ns1.belbone.be www.hotmail.com .cache-poisoning.net 1025
domain: cache-poisoning.net
ip: 127.0.0.1
  • Windows DNS Server TRXID predictability: the highest two bits of the transaction ID are always 0, and the ID follows a structured pattern with fields M (bits 13-11), C (bits 10-3), and L (bits 2-0). Detect anomalous DNS transaction ID sequences where C mod 8 == 7 and subsequent IDs match the 8 predicted values.
  • Detect DNS cache poisoning attempts: monitor for a burst of up to 500 spoofed UDP DNS responses (source port 53) sent to a target DNS server's query port in rapid succession, all with incrementing transaction IDs from a predicted base set of 8 values.
  • The exploit probes the target DNS server by sending recursive NS queries for a controlled zone (e.g., *.cache-poisoning.net) to observe returned transaction IDs and infer the TRXID sequence. Monitor for repeated recursive DNS queries from a single source to unusual/attacker-controlled zones.
  • The exploit pre-caches the NS record for the target domain before spoofing, using a preliminary NS query. Detect DNS servers receiving NS queries for a domain immediately followed by a flood of spoofed A-record responses for the same domain.
  • The exploit tracks 8 parallel TRXID sequences (num_seq = 8), consistent with Windows DNS using 8 RC4 cipher instances for ID generation. Anomalous DNS traffic showing IDs cycling across exactly 8 arithmetic progressions is indicative of exploitation.
  • Windows DNS Server TRXID prediction: next TRXID is one of 8 values computed as (m<<11)|((C+1 mod 256)<<3) for m in 0..7. IDS/IPS rules should flag DNS responses whose IDs match this predictable pattern against a known Windows DNS server.
  • The exploit targets Windows DNS Server's use of CryptGenRandom with 8 RC4 instances for transaction ID generation. The TRXID prediction only works when the highest two bits of the observed TRXID are 0; non-zero high bits indicate a non-Windows target or an endian mismatch.
  • Prediction requires observing a TRXID where C mod 8 == 7; otherwise the attacker must wait for the counter to reach that state before the next ID can be predicted.
  • The exploit assumes the target DNS server always uses the first nameserver returned for a domain when forwarding recursive queries, which is a Windows DNS Server-specific behavior leveraged to maximize spoofing success.
  • The maximum tolerated difference between two subsequent IDs in the same sequence is 500; IDs diverging beyond this threshold are not attributed to the same sequence, limiting the prediction window.