CVE-2011-0657
published 2011-04-13

Priority: P279, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 63.33% (99.1th percentile)
DNSAPI.dll in the DNS client in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process DNS queries, which allows remote attackers to execute arbitrary code via (1) a crafted LLMNR broadcast query or (2) a crafted application, aka "DNS Query Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |

Detection & IOCs (extracted from sources)

filename: DNSAPI.dll
command: crafted LLMNR broadcast query containing a leading '.' character
  • Monitor for malformed LLMNR broadcast queries containing a leading '.' character on the network, which may indicate exploitation attempts against DNSAPI.dll.
  • Look for stack exhaustion or stack memory corruption symptoms in processes loading DNSAPI.dll, particularly on Windows Vista and later systems without KB2509553 applied.
  • Detection should cover both network-based LLMNR query inspection and local crafted application vectors, as the vulnerability can be triggered via either attack surface.
  • The Metasploit DoS module may not reliably crash the target in all cases — a '.' character may be encountered before the top of the stack is reached, preventing a crash.
  • Code execution via this vulnerability had not been proven possible at the time of the module's writing; confirmed impact at that time was limited to DoS (stack exhaustion/corruption).

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P