New issue
Advanced search Search tips
Issue 1261
Starred by 3 users
Status: Fixed
Owner:
mjurczyk@google.com
Closed: May 2017
Cc:
project-...@google.com



Sign in to add a comment
 MsMpEng: multiple crashes while scanning malformed files
Project Member Reported by mjurczyk@google.com, May 16 2017 Back to list 
A detailed introduction to MsMpEng can be found in  issue #1252 , so I will skip the background story here.

Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module), by feeding it with malformed input testcases to scan. A summary of our findings is shown in the table below:

+==============+===================================+==========================+=============+====================================================+=============================================+
|     Name     |               Type                |       Requirements       | Access Type |                  Observed symbol                   |                  Comments                   |
+==============+===================================+==========================+=============+====================================================+=============================================+
| corruption_1 | Heap buffer overflow              | PageHeap for MpMsEng.exe | -           | free() called by NET_thread_ctx_t__FreeState_void_ | One-byte overflow.                          |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| corruption_2 | Heap corruption                   | PageHeap for MpMsEng.exe | -           | free() called by CRsaPublicKey__Decrypt_uchar      | May crash in other ways, e.g. invalid read. |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| corruption_3 | Unspecified memory corruption (?) | -                        | -           | netvm_parse_routine_netinvoke_handle_t             | Different crashes with/out PageHeap.        |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_1       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__handleXFA_PDF_Value                     |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_2       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__expandObjectStreams_void                |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_3       | NULL Pointer Dereference          | -                        | READ        | NET_context_unsigned                               |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| null_4       | NULL Pointer Dereference          | -                        | READ        | nUFSP_pdf__expandObjectStreams_void_               | Similar to null_2, may be the same bug.     |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| div_by_zero  | Division by zero                  | -                        | -           | x86_code_cost__get_cost_int                        |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
| recursion    | Deep/infinite recursion           | -                        | -           | __EH_prolog3_catch_GS                              |                                             |
+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+

The "corruption_1-3" issues are the most important ones, as they represent memory corruption problems and could potentially lead to execution of arbitrary code. On the other hand, "null_1-4", "div_by_zero" and "recursion" are low severity bugs that can only be used to bring the service process down. We have verified that all listed crashes occur on Windows 7 as soon as an offending sample is saved to disk and discovered by MsMpEng. For "corruption_1-2", the PageHeap mechanism must be enabled for the MsMpEng.exe program in order to reliably observe the unhandled exception.

Attached is a ZIP archive (password: "mpengbugs") with up to 3 testcases for each of the 9 unique crashes.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
poc.zip
2.9 MB Download
Project Member Comment 1 by mjurczyk@google.com, May 16 2017
Labels: MSRC-38763
Project Member Comment 2 by taviso@google.com, May 25 2017 
From what I can tell, Microsoft silently patched this yesterday in mpengine 1.1.13804.0.

They also fixed  issue 1258 ,  issue 1259 ,  issue 1260  and  issue 1261 .
Sign in to add a comment