New issue
Advanced search Search tips
Issue 1252
Starred by 16 users
Status: Fixed
Owner:
taviso@google.com
Closed: May 2017
Cc:
natashenka@google.com
project-...@google.com

Restricted
  • Only users with EditIssue permission may comment.


Show other hotlists

Hotlists containing this issue:
Hotlist-1
Hotlist-1


Sign in to add a comment
 MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more.
Project Member Reported by taviso@google.com, May 6 2017 Back to list 
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it's own content identification system.

Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

The core component of MsMpEng responsible for scanning and analysis is called mpengine. Mpengine is a vast and complex attack surface, comprising of handlers for dozens of esoteric archive formats, executable packers and cryptors, full system emulators and interpreters for various architectures and languages, and so on. All of this code is accessible to remote attackers. 

NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.

We have written a tool to access NScript via a command shell for testing, allowing us to explore and evaluate it:

$ mpscript 
main(): Please wait, initializing engine...
main(): Ready, type javascript (history available, use arrow keys)
> 6 * 9
JavaScriptLog(): 54
> document.location.hostname
JavaScriptLog(): www.myserver.com
> "abcd" + String.fromCharCode(0x3f)
JavaScriptLog(): abcd?
> /[y]e+(s|S)/.exec("yes")[0] // C++ regex engine running unsandboxed as SYSTEM on attacker controlled REGEX?
JavaScriptLog(): yes
> for (i in document) log(i)
JavaScriptLog(): appendChild
JavaScriptLog(): attributes
JavaScriptLog(): childNodes
JavaScriptLog(): createElement
JavaScriptLog(): createTextNode
JavaScriptLog(): getElementById
JavaScriptLog(): getElementsByTagName
JavaScriptLog(): write
JavaScriptLog(): writeln
JavaScriptLog(): referrer
JavaScriptLog(): cookie
JavaScriptLog(): location
JavaScriptLog(): undefined
> window.ScriptEngineBuildVersion
JavaScriptLog(): [object Function]
> window.ScriptEngineBuildVersion()
JavaScriptLog(): 8831

We have discovered that the function JsDelegateObject_Error::toString() reads the "message" property from the this object, but fails to validate the type of the property before passing it to JsRuntimeState::triggerShortStrEvent().

In pseudocode, the code does something like this:

    prophash = JsObject::genPropHash("message", 0);
    RuntimeState::getThisPtr(&thisptr)

    if (JsObject::get(thisptr, prophash, &message)) {
        JsRuntimeState::triggerShortStrEvent("error_tostring", message);
    }


The method assumes that message is a string, but it can be of any type, so this type confusion allows an attacker to pass arbitrary other objects. JsRuntimeState::triggerShortStrEvent() calls JsString::numBytes() on the passed object, which will invoke a method from the object's vtable.

int __fastcall JsString::numBytes(JsString this)
{
      if ( this == 0x12 )
        return 0;
      if ( (this & 0x12) == 0x12 )
        return this >> 5;
      return this->vtbl->GetLength(this);
}

Nscript supports "short" strings, with length and values contained in the handle and "long" strings with out-of-line memory. If the string is "long" (or appears to be due to type confusion), a vtable call is made to retrieve the length.

Integer handles are represented as four-byte values with the final bit set to one by the engine. The integer itself is left shifted by one bit, and the final bit set to create the handle. Handles to most objects, including strings are represented as the value of the pointer to the object with no modification. Therefore, this type confusion allows an integer to be specified and treated as pointer (though the bits need to shifted to get the correct value in the handle, and only odd pointer values are possible).

To reproduce this vulnerability, download the attached testcase. The debugging session below was captured after visiting a website that did this:

    <a href="testcase.txt" download id=link>
    <script>
    document.getElementById("link").click();
    </script>

3: kd> !process
PROCESS 8805fd28  SessionId: 0  Cid: 0afc    Peb: 7ffdf000  ParentCid: 01c8
    DirBase: bded14e0  ObjectTable: bfb99640  HandleCount: 433.
    Image: MsMpEng.exe
3: kd> !token -n
_EPROCESS 8805fd28, _TOKEN 00000000
TS Session ID: 0
User: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)

3: kd> .lastevent
Last event: Access violation - code c0000005 (first chance)
  debugger time: Fri May  5 18:22:14.740 2017 (UTC - 7:00)
3: kd> r
eax=00000010 ebx=1156c968 ecx=41414141 edx=115730f8 esi=68bd9100 edi=41414141
eip=68b1f5f2 esp=0208e12c ebp=0208e134 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
mpengine!FreeSigFiles+0xec822:
001b:68b1f5f2 8b07            mov     eax,dword ptr [edi] ds:0023:41414141=????????
3: kd> lmv mmpengine
start    end        module name
68790000 6917a000   mpengine   (export symbols)       mpengine.dll
    Loaded symbol image file: mpengine.dll
    Image path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1C2B7358-645B-41D0-9E79-5FA3E5C4EB51}\mpengine.dll
    Image name: mpengine.dll
    Timestamp:        Thu Apr 06 16:05:37 2017 (58E6C9C1)
    CheckSum:         00A1330D
    ImageSize:        009EA000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
3: kd> u
mpengine!FreeSigFiles+0xec822:
001b:68b1f5f2 8b07            mov     eax,dword ptr [edi]
001b:68b1f5f4 56              push    esi
001b:68b1f5f5 8b7008          mov     esi,dword ptr [eax+8]
001b:68b1f5f8 8bce            mov     ecx,esi
001b:68b1f5fa ff15c0450e69    call    dword ptr [mpengine!MpContainerWrite+0x35f3a0 (690e45c0)]
001b:68b1f600 8bcf            mov     ecx,edi
001b:68b1f602 ffd6            call    esi           <--- Jump to attacker controlled address
001b:68b1f604 5e              pop     esi


Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary. One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we've found that appending some complex comments is enough to trigger this.

The attached proof of concept demonstrates this, but please be aware that downloading it will immediately crash MsMpEng in it's default configuration and possibly destabilize your system. Extra care should be taken sharing this report with other Windows users via Exchange, or web services based on IIS, and so on.

As mpengine will unpack arbitrarily deeply nested archives and supports many obscure and esoteric archive formats (such as Amiga ZOO and MagicISO UIF), there is no practical way to identify an exploit at the network level, and administrators should patch as soon as is practically possible.

We have verified that on Windows 10, adding a blanket exception for C:\ is enough to prevent automatic scanning of filesystem activity (you can still initiate manual scans, but it seems prudent to do so on trusted files only, making the action pointless).

This vulnerability was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Project Member Comment 1 by taviso@google.com, May 6 2017
Cc: natashenka@google.com
MSRC Case 38582
Project Member Comment 2 by taviso@google.com, May 6 2017 
Update from Microsoft.

------------
Hello Tavis,
 
We have successfully reproduced the issue that you reported to us.  We will be finishing our investigation and determining if we will address it in a security release.
 
Please let me know if you have any additional information that could impact the investigation, or if you have any questions.
------------
Project Member Comment 3 by taviso@google.com, May 6 2017 
Quick second update:

---------
Hi Tavis,

Just wanted to let you know that we are working on fixing this issue. I will continue to provide status updates as they become available.

Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.

----------
Comment 4 Deleted
Comment 5 Deleted
Comment 6 Deleted
Comment 7 Deleted
Project Member Comment 8 by taviso@google.com, May 7 2017
Summary: MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials, and more. (was: MsMpEng: Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, ForeFront, Microsoft Security Essentials, and more.)
Comment 9 Deleted
Project Member Comment 10 by taviso@google.com, May 7 2017 
Corrected typo in testcase.
nscript-type-confusion.zip
88.3 KB Download
Project Member Comment 11 by taviso@google.com, May 9 2017
Labels: -Restrict-View-Commit
Status: Fixed
Microsoft have released an advisory for this issue, CVE-2017-0290.

https://technet.microsoft.com/en-us/library/security/4022344
Project Member Comment 12 by taviso@google.com, May 9 2017
Labels: Restrict-View-EditIssue
Project Member Comment 13 by taviso@google.com, May 9 2017
Labels: -Restrict-View-EditIssue
Oops, fixing labels.
Project Member Comment 14 by taviso@google.com, May 9 2017 
Two clarifications from Microsoft,

1. Defender is not supported on Windows Server platforms except Server 2016.
2. On the latest platforms, RCE risk should be lowered due to CFG (on platforms where CFG is in effect).
Comment 15 by loneg...@gmail.com, May 9 2017 
that nscript-type-confusion.zip is corrupted.  I am not able to unpack it on OS X. Regarding Comment #11
Comment 16 by tal.a.be...@gmail.com, May 9 2017 
 nscript-type-confusion.zip is corrupted. (according to windows and 7zip)
Comment 17 by bhdr...@gmail.com, May 9 2017 
Its not Zip, treat it as UTF-8 Unicode text.
Comment 18 Deleted
Comment 19 Deleted
Comment 20 by xochilp...@gmail.com, May 10 2017 
I tried to reproduce, but MsMpEng did not crash, running on windows 10 x64 on VirtualBox

Testcase: 

- Create a sample.html with the code:
   <a href="testcase.js" download id=link>
    <script>
    document.getElementById("link").click();
    </script>
- Downloaded the "nscript-type-confusion.zip", changed extension to ".js" and renamed to testcase.js

- From Windows 10 i have used Edge Explorer.

- Watch for MsMpEng.exe in TaskManager but it did not crash.

I did not update the patch from MS
Comment 21 Deleted
Project Member Comment 22 by taviso@google.com, May 10 2017
Labels: Restrict-AddIssueComment-EditIssue
Project Member Comment 23 by scvitti@google.com, May 11 2017
Labels: -Reported-2017-05-05 Reported-2017-May-05
Sign in to add a comment