How does the DoS work?
When the Additional RRs (aka Additional Information) section of the DNS datagram contains two null bytes, an error occurs at the instruction "mov dl,byte ptr [eax]". This causes the service and its host process (svchost.exe) to die. One thing to remember is that the ICS service is tied to the Firewall service: if ICS dies, so does your firewall.
Vulnerable Function Name:
Via WinDbg with Symbols: DnsProcessQueryMessage
Via WinDbg without Symbols: NatCreateRedirect
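The crash described above comes from a DNS datagram whose Additional RRs section is not well formed. As an added example that is not part of the original post or of Microsoft's ICS code, the following Python validator checks that the section counts in the DNS header actually match the bytes that follow, which is the sanity check a DNS proxy or an IDS would apply before handing a datagram to a parser. Both sample messages are constructed here for illustration; nothing beyond what the post states is claimed about the exact bytes the ICS parser mishandles.

```python
import struct


class DnsFormatError(ValueError):
    """Raised when a DNS message does not match its own header counts."""


# Constructed sample input (not captured traffic): a well-formed query for
# example.com / A / IN with an empty Additional section.
GOOD_QUERY = (
    b"\x12\x34"                # ID
    b"\x01\x00"                # flags: standard query, recursion desired
    b"\x00\x01"                # QDCOUNT = 1
    b"\x00\x00"                # ANCOUNT = 0
    b"\x00\x00"                # NSCOUNT = 0
    b"\x00\x00"                # ARCOUNT = 0
    b"\x07example\x03com\x00"  # QNAME
    b"\x00\x01"                # QTYPE = A
    b"\x00\x01"                # QCLASS = IN
)

# Constructed malformed input: same query, but the header now claims one
# Additional RR while only two bytes follow the question. A resource record
# needs at least a one-byte name plus 10 bytes of TYPE/CLASS/TTL/RDLENGTH,
# so the declared section cannot be parsed.
MALFORMED_QUERY = GOOD_QUERY[:10] + b"\x00\x01" + GOOD_QUERY[12:] + b"\x00\x00"


def _read_name(msg, offset):
    """Walk a DNS name (labels or a compression pointer); return the offset after it."""
    labels = 0
    while True:
        if offset >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[offset]
        if length == 0:                      # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer terminates the name
            if offset + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:
                raise DnsFormatError("compression pointer does not point backwards")
            return offset + 2
        if length > 63:
            raise DnsFormatError("label longer than 63 bytes")
        offset += 1 + length
        labels += 1
        if labels > 128:
            raise DnsFormatError("too many labels in name")


def validate_dns_message(msg):
    """Check every section the header declares is present and fits in the message.

    Returns the header counts on success, raises DnsFormatError otherwise.
    """
    if len(msg) < 12:
        raise DnsFormatError("header shorter than 12 bytes")
    ident, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset = 12
    for _ in range(qd):                      # question section: NAME, QTYPE, QCLASS
        offset = _read_name(msg, offset)
        if offset + 4 > len(msg):
            raise DnsFormatError("truncated question")
        offset += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):               # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            offset = _read_name(msg, offset)
            if offset + 10 > len(msg):
                raise DnsFormatError(f"truncated resource record in {section} section")
            rdlength = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
            offset += 10
            if offset + rdlength > len(msg):
                raise DnsFormatError(f"RDATA runs past end of message in {section} section")
            offset += rdlength
    if offset != len(msg):
        raise DnsFormatError(f"{len(msg) - offset} trailing byte(s) after last section")
    return {"id": ident, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_safe_to_forward(msg):
    """Policy wrapper: only structurally consistent messages reach the real parser."""
    try:
        validate_dns_message(msg)
        return True
    except DnsFormatError:
        return False


if __name__ == "__main__":
    for name, sample in (("good", GOOD_QUERY), ("malformed", MALFORMED_QUERY)):
        try:
            print(name, validate_dns_message(sample))
        except DnsFormatError as err:
            print(name, "rejected:", err)
```

The validator deliberately rejects trailing bytes as well as truncated records, so a datagram with a declared Additional section that is shorter than one RR, or with stray bytes after the last section, is dropped before any per-record parsing happens.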
What are the attack vectors?
Current research leads me to believe that this only affects Windows XP with ICS... I haven't been able to recreate the problem under Server 2003 with ICS enabled. It also only affects the "non-shared" connection... Other Users --- Shared PC --- Internet. The attack must come from the "Other Users" side of the network.
How does ICS work?
When you share an internet connection, the computer with the shared connection creates pseudo DHCP and DNS servers (a proxy DNS). I call them pseudo for a number of reasons. First, they aren't managed: unlike your standard DNS and DHCP servers, you can't specify options, settings or configurations. Second, they're tied only to the interface that is not being shared; you can't make them listen on the other ports. When the DHCP lease is offered to the client computers, they are given an address on the 192.168.0.0/24 network with the shared computer (192.168.0.1) as the gateway. The DNS server is also set to this IP.
Am I vulnerable? Checklist:
1) Are you running Windows XP?
2) Are you sharing your internet connection?
If the answer is yes to both of those, then you are vulnerable.
Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the internet connection, and manually set the DNS server to your ISP's DNS address.
Is exploit code available?
Currently there's a remote DoS PoC available.
Comments (2)
http://blogs.zdnet.com/Ou/?p=358
Have fun with that, will ya :)
Posted by nucrash | October 31, 2006 1:38 PM
1) Disable Internet Connection Sharing???!!!!
Errrrr........I don't think so!! This is a bit like playing Russian Roulette but with ALL the chambers loaded. This is plain nuts! Never....ever...on no account...do NOT disable ICS. This is plain bad advice....insanity!
Posted by hepdog2 | November 1, 2006 8:44 AM