Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files

EDB-ID:

42081

CVE:

2017-8538 2017-8537 2017-8536 2017-8535

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2017-05-29

Vulnerable App: 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1261

A detailed introduction to MsMpEng can be found in  issue #1252 , so I will skip the background story here.

Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module), by feeding it with malformed input testcases to scan. A summary of our findings is shown in the table below:

+==============+===================================+==========================+=============+====================================================+=============================================+
|     Name     |               Type                |       Requirements       | Access Type |                  Observed symbol                   |                  Comments                   |
+==============+===================================+==========================+=============+====================================================+=============================================+
| corruption_1 | Heap buffer overflow              | PageHeap for MpMsEng.exe | -           | free() called by NET_thread_ctx_t__FreeState_void_ | One-byte overflow.                          |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| corruption_2 | Heap corruption                   | PageHeap for MpMsEng.exe | -           | free() called by CRsaPublicKey__Decrypt_uchar      | May crash in other ways, e.g. invalid read. |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| corruption_3 | Unspecified memory corruption (?) | -                        | -           | netvm_parse_routine_netinvoke_handle_t             | Different crashes with/out PageHeap.        |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_1       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__handleXFA_PDF_Value                     |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_2       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__expandObjectStreams_void                |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_3       | NULL Pointer Dereference          | -                        | READ        | NET_context_unsigned                               |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_4       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__expandObjectStreams_void_               | Similar to null_2, may be the same bug.     |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| div_by_zero  | Division by zero                  | -                        | -           | x86_code_cost__get_cost_int                        |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| recursion    | Deep/infinite recursion           | -                        | -           | __EH_prolog3_catch_GS                              |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+

The "corruption_1-3" issues are the most important ones, as they represent memory corruption problems and could potentially lead to execution of arbitrary code. On the other hand, "null_1-4", "div_by_zero" and "recursion" are low severity bugs that can only be used to bring the service process down. We have verified that all listed crashes occur on Windows 7 as soon as an offending sample is saved to disk and discovered by MsMpEng. For "corruption_1-2", the PageHeap mechanism must be enabled for the MsMpEng.exe program in order to reliably observe the unhandled exception.

Attached is a ZIP archive (password: "mpengbugs") with up to 3 testcases for each of the 9 unique crashes.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42081.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services