oPatch community released micro patches for Microsoft JET Database Zero-Day

September 26, 2018  By Pierluigi Paganini


0patch community released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative

Experts from 0patch, a community of experts that aims at addressing software flaws, released an unofficial patch for the Microsoft JET Database Engine zero-day vulnerability that Trend Micro’s Zero Day Initiative (ZDI) disclosed last week.

The Microsoft JET Database Engine flaw is an out-of-bounds (OOB) write in the JET Database Engine that could be exploited by a remote attacker to execute arbitrary code on the vulnerable systems.

The zero-day vulnerability has received CVSS score of 6.8 and resides in the management of indexes in JET. An attacker can use specially crafted data in a database file to trigger a write past the end of an allocated buffer.

According to the ZDI’s disclosure policy, details on the vulnerability could be released 120 days after the vendor was notified on the issue, even if the flaw was still unpatched.

ZDI also published the proof-of-concept (PoC) exploit code for the vulnerability.

The 0patch community is known to develop tiny patches, usually less than 30 bytes in size, it released a fix within 24 hours after the public disclosure of the issue.

0patch experts were able to devise a security patch for the zero-day in less than 24 hours.

Experts from 0patch highlighted that the PoC code published by ZDI only works on 32-bit systems, instead, it would cause an error message on 64-bit systems, unless launched with wscript.exe.

The conditions that trigger the problem represent the starting point, the closest observable point of failure, for the analysis of the experts.

“As usually, we started our analysis from the closest observable point of failure and worked backward to the vulnerable code. Ideally, the “closest observable point of failure” is a process crash, and in this case, ZDI’s PoC indeed causes a crash in wscript.exe due to an attempt to write past the allocated memory block. So their PoC was perfect for us.” reads the analysis of the 0patch experts.

“(Not surprisingly, it’s easier for us to work with a crash case than a full blown calc-popping exploit.) Here’s how the crash looks like in WinDbg, with Page Heap enabled and invalid memory access in function TblPage::CreateIndexes:”

0patch released the micro-patch for Windows 7 just 7 hours after ZDI shared the PoC for the Windows Microsoft JET Database Engine zero-day.

Then the experts attempted to port the patch to other supported Windows versions, they noticed that almost all of them have the exact same version of msrd3x40.dll,  a circumstance that suggested them that the same micropatch would apply to all these systems.

The experts pointed out that there is only one Windows version that leverages a different msrd3x40.dll, it was Windows 10.

“The only Windows version with a different msrd3x40.dll was Windows 10: peculiarly, both DLLs had the same version and exactly the same size, but plenty of small differences between the two (including the link timestamp). The code was exactly the same and in the same place though (probably just a re-build), so we could actually use the exact same source code for the micropatch, just a different file hash.” continues the analysis.

Microsoft JET Database Engine

The two micro patches for the Windows 0day were issued in less than 24 hours after the public disclosure of the technical details of the flaw.

“These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users’ computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities.” continues the analysis.

Users that want to get the micro patches just need to install and register the 0patch Agent, anyway it is strongly recommended to install Microsoft’s official updates when Microsoft will issue them.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – micro patches, Microsoft JET Database)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Bitcoin Core Team fixes a critical DDoS flaw in wallet software

 Bitcoin Core Software fixed a critical DDoS attack vulnerability in the Bitcoin Core wallet software tracked as CVE-2018-17144. The...