Details
[SAFE-ID: JIWO-2025-1439]   Author: ecawen   Published: [2018-04-08]

Microsoft has released a new version of the Microsoft Malware Protection Engine (1.1.14700.5) that fixes a remote code execution vulnerability in Windows Defender. The vulnerability, CVE-2018-0986, was discovered and reported by Google security researcher Halvar Flake. It lies in the handling of .rar archives: Flake traced it back to an old version of the open-source unrar tool, which Microsoft appears to have forked and integrated into its antivirus engine. In the process, Microsoft turned the signed integer variables in that code into unsigned ones, which broke a chain of arithmetic comparisons and produced a memory-corruption bug that a malicious .rar archive can trigger. The result is either a crash of the antivirus or attacker-controlled code running with the engine's LocalSystem privileges, i.e. full control of the machine.

Windows Defender inspects a variety of different archive formats, among others RAR.

Inspection of mpengine.dll revealed that the code responsible for processing RAR archives appears to be a forked and modified version of the original unrar code; given that it still processes the VMSF_UPCASE filter (which was removed in unrar 5.0), it seems that the code is derived from a version of unrar older than or equal to 4.2.4.

Interestingly, the issue discovered in CVE-2012-6706 (Sophos VMSF_DELTA, and in 2017 unrar) and other signedness issues in the RarVM::ExecuteStandardFilter function were fixed long ago (apparently without a report to upstream, most likely by simply turning the relevant variables from "signed" to "unsigned").

It appears that this blanket conversion from signed to unsigned ended up introducing a new vulnerability, though:

From unrar 4.2.4 rarvm.cpp:

    case VMSF_RGB:
      {
        int DataSize=R[4],Width=R[0]-3,PosR=R[1];
        byte *SrcData=Mem,*DestData=SrcData+DataSize;
        const int Channels=3;
        SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || PosR<0)
          break;
        for (int CurChannel=0;CurChannel<Channels;CurChannel++)

The code clearly ensures that PosR is positive from here on.

This check is no longer present in the binary version of the same code in mpengine, most likely since most signed comparisons in this function have been turned unsigned. 

This causes a vulnerability later in the same function (RarVM::ExecuteStandardFilter).

Decompile of the mpengine code snippet:

    if ( PosR + 2 < DataSize ) {                  // unsigned compare: PosR = 0xFFFFFFFE wraps to 0
      v50 = (_BYTE *)(v39 + PosR);                // v39 = DestData, so v50 = &DestData[PosR]
      do {
        v51 = v50[1];                             // G = DestData[I+1]
        *v50 += v51;                              // DestData[I] += G
        v50 += 3;                                 // I += 3
        *(v50 - 1) += v51;                        // DestData[I+2] += G (for the previous I)
      } while ( (unsigned int)&v50[2 - v39] < DataSize );   // I + 2 < DataSize, unsigned
    }

Original unrar code:

    for (int I=PosR,Border=DataSize-2;I<Border;I+=3)
    {
      byte G=DestData[I+1];
      DestData[I]+=G;
      DestData[I+2]+=G;
    }

An attacker who can set PosR to be -2, and DataSize to 1, will bypass the (PosR + 2 < DataSize) check. v50 above will then point to one byte *before* the allocated buffer (v50, like DestData, points into a buffer at index DataSize, so adding -2 to index 1 will index to -1). The byte from the start of this array will be added into the byte preceding the array.

A minimal sample RAR file that exhibits these traits & causes mpengine to corrupt memory and crash is attached. This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. 
Attachment: compress_me_output3.rar (438 bytes)
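To make the signedness point concrete, the following C program is an added example written for this page; it is not code from the Project Zero report, from unrar, or from mpengine. It models the VMSF_RGB delta loop twice: once with the unrar 4.2.4 semantics quoted in the report (signed operands plus the PosR<0 rejection) and once after a blanket signed-to-unsigned conversion shaped like the decompile above. The value of VM_GLOBALMEMADDR is the one used in unrar's rarvm.hpp as far as I know and only its magnitude matters here; the cast that turns PosR = 0xFFFFFFFE back into -2 is an assumption standing in for the 32-bit pointer wrap of the real binary. With PosR = -2 and DataSize = 1, the unsigned variant passes the remaining check and adds Mem[0] into the byte just before the buffer, which the program exposes through a guard byte placed there.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value from unrar's rarvm.hpp (assumed; only its magnitude matters here). */
#define VM_GLOBALMEMADDR 0x3C000

/*
 * Variant A: the unrar 4.2.4 semantics quoted in the report. Signed ints and
 * an explicit PosR<0 rejection before the loop. Returns true if the filter
 * ran, false if the operands were rejected.
 */
bool rgb_delta_signed(uint8_t *dest, int data_size, int pos_r)
{
    if ((unsigned)data_size >= VM_GLOBALMEMADDR / 2 || pos_r < 0)
        return false;
    for (int i = pos_r, border = data_size - 2; i < border; i += 3) {
        uint8_t g = dest[i + 1];
        dest[i] += g;
        dest[i + 2] += g;
    }
    return true;
}

/*
 * Variant B: the same loop after a blanket signed->unsigned conversion, shaped
 * like the mpengine decompile. A PosR<0 test has no meaning on an unsigned
 * operand and is gone; the only guard left is the unsigned comparison
 * PosR + 2 < DataSize, which wraps when PosR = 0xFFFFFFFE.
 */
bool rgb_delta_unsigned(uint8_t *dest, uint32_t data_size, uint32_t pos_r)
{
    if (data_size >= VM_GLOBALMEMADDR / 2)
        return false;
    if (pos_r + 2 < data_size) {              /* 0xFFFFFFFE + 2 == 0, so 0 < 1 passes */
        /* v50 = v39 + PosR. Assumed 32-bit build: adding 0xFFFFFFFE to a
         * pointer wraps to "minus two"; the cast reproduces that on a 64-bit host. */
        uint8_t *p = dest + (int32_t)pos_r;
        do {
            uint8_t g = p[1];                 /* DestData[I+1] */
            p[0] += g;                        /* DestData[I] += G  (out of bounds when I = -2) */
            p += 3;
            p[-1] += g;                       /* DestData[I+2] += G */
        } while ((uint32_t)(p + 2 - dest) < data_size);
    }
    return true;
}

/*
 * Constructed arena so the byte just before Mem is observable:
 *   arena[0]   guard byte 0xAA            == DestData[-2] == Mem[-1]
 *   arena[1]   Mem[0] == SrcData[0] = 0x11   (the byte the loop reads as G)
 *   arena[2..] DestData = Mem + DataSize     (DataSize = 1)
 * Runs one variant with the attacker-chosen operands PosR = -2, DataSize = 1
 * and returns the guard byte afterwards: 0xAA means untouched, 0xBB means the
 * loop added Mem[0] into the byte preceding the buffer.
 */
uint8_t guard_after_filter(bool unsigned_variant)
{
    uint8_t arena[8];
    memset(arena, 0, sizeof arena);
    arena[0] = 0xAA;
    uint8_t *mem = arena + 1;
    mem[0] = 0x11;
    const uint32_t data_size = 1;
    uint8_t *dest = mem + data_size;

    if (unsigned_variant)
        rgb_delta_unsigned(dest, data_size, (uint32_t)-2);
    else
        rgb_delta_signed(dest, (int)data_size, -2);
    return arena[0];
}

/* Both variants must agree on a well-formed input (PosR >= 0), constructed here. */
bool variants_agree_on_valid_input(void)
{
    uint8_t a[6] = {1, 2, 3, 4, 5, 6}, b[6] = {1, 2, 3, 4, 5, 6};
    const uint8_t expected[6] = {3, 2, 5, 9, 5, 11};
    bool ran = rgb_delta_signed(a, 6, 0) && rgb_delta_unsigned(b, 6, 0);
    return ran && memcmp(a, expected, 6) == 0 && memcmp(b, expected, 6) == 0;
}

int main(void)
{
    printf("signed variant   : guard = 0x%02X\n", guard_after_filter(false));
    printf("unsigned variant : guard = 0x%02X\n", guard_after_filter(true));
    printf("valid input agree: %s\n", variants_agree_on_valid_input() ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall rgb_delta.c; the file name is arbitrary). The signed variant reports the guard untouched (0xAA), the unsigned variant reports 0xBB, and the two agree on well-formed input, so the dropped check is invisible on benign archives and only a crafted PosR/DataSize pair reaches the write before the buffer.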

Comment 1 by thomasdu...@google.com, Mar 2

Comment 2 by thomasdu...@google.com, Apr 4

Comment 3 by thomasdu...@google.com, Apr 4

Labels: -Restrict-View-Commit
Status: Fixed
