Microsoft silently patched a second critical Malware Protection Engine flaw

Pierluigi Paganini May 29, 2017

Microsoft silently patched a second critical vulnerability in its Malware Protection Engine that was discovered on May 12.

Microsoft has patched the critical vulnerability in its Malware Protection Engine that was discovered on May 12 by researchers at Google’s Project Zero team.

The flaw is a remote code execution (RCE) bug: an attacker could trigger it with a crafted executable that, when processed by the Malware Protection Engine’s emulator, takes control of the engine.

On May 9, Google’s Project Zero discovered another flaw, tracked as CVE-2017-0290, that was fixed with an emergency patch released just three days after its disclosure.

According to Project Zero researcher Tavis Ormandy, unlike CVE-2017-0290, this bug was fixed silently. Ormandy had privately disclosed the vulnerability to Microsoft.

“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote in the security advisory. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”

Malware Protection Engine flaw

The newly patched vulnerability lies in the way the emulator processes files, whereas the previous one affected MsMpEng’s JavaScript interpreter.

Through this control channel, an attacker’s emulated code can issue a number of control commands to the emulator.

  • “Command 0x0C allows you to parse arbitrary-attacker controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s). This library is not safe to process untrusted Regex, a testcase that crashes MsMpEng attached. Note that only packed executables can use RegEx, the attached sample was packed with UPX. ¯\_(ツ)_/¯
  • Command 0x12 allows you to load additional “microcode” that can replace opcodes. At the very least, there is an integer overflow calculating number of opcodes provided (testcase attached). You can also redirect execution to any address on a “trusted” page, but I’m not sure I understand the full implications of that.
  • Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata (example attached). This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result.” reads the advisory.

The vulnerability is difficult to exploit: although MsMpEng itself is not sandboxed, many of the applications that hand it files are, so an attacker would first need to evade that sandbox in order to trigger the issue.

According to Ormandy, the emulator component emulates the client’s CPU, but Microsoft gave it an extra instruction that allows API calls. The researcher noted that he was surprised to find a special set of instructions for the emulator.

Microsoft did not publish any security advisory for this vulnerability.


Pierluigi Paganini

(Security Affairs – Malware Protection Engine, hacking)
