Friday, June 26, 2020

Micropatch is Available for Windows LNK Remote Code Execution Vulnerability (CVE-2020-1299)




by Mitja Kolsek, the 0patch Team


Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1299, another "Stuxnet-like" critical LNK remote code execution issue that can get code executed on user's computer just by viewing a folder with Windows Explorer.

This vulnerability was patched by Microsoft with June 2020 Updates, but Windows 7 and Server 2008 users without Extended Security Updates remained vulnerable.

Security researcher Lê Hữu Quang Linh (@linhlhq) found this vulnerability, published a detailed analysis and shared a POC with us so we could reproduce the issue and create a micropatch.

We narrowed the root cause down to the order in which method CKnownFoldersFolder::_ClearCachedObjects (1) deletes a DSA object using a call to DSA_DestroyCallback and (2) NULLs a pointer to said object. In vulnerable code, it does it in this order; in patched code, vice versa, as seen on the image below.


Unpatched (left) and patched (right) function CKnownFoldersFolder::_ClearCachedObjects


Microsoft's patch also moved a CoTaskMemFree call to another code block but we determined that to have no relevant consequence. Therefore, our micropatch only needed one single instruction to NULL the pointer to the DSA object before the call to DSA_DestroyCallback.



MODULE_PATH "..\Affected_Modules\shell32.dll_6.1.7601.24468_64bit\shell32.dll"
PATCH_ID 443
PATCH_FORMAT_VER 2
VULN_ID 6281
PLATFORM win64

patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2

PATCHLET_OFFSET 0x76C8C
N_ORIGINALBYTES 5
JUMPOVERBYTES 0

code_start

    and qword[rbx+0xb8], 0 ; put 0 at rbx+0xb8, which contains a circular pointer to the same
                          
; structure and is going to be deleted twice.
                           ; When the function tries to recursively delete this structure, it follows
                           ; this pointer and causes a double free
code_end
patchlet_end




Here's a video of our micropatch in action:






We'd like to thank security researcher Lê Hữu Quang Linh (@linhlhq) for a detailed analysis and for sharing their POC with us, which allowed us to quickly reproduce the issue and produce this micropatch for Windows users without official security updates..

This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center.

Tuesday, June 16, 2020

Micropatch is Available for MS Windows OLE Remote Code Execution Vulnerability (CVE-2020-1281)


by Mitja Kolsek, the 0patch Team


Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1281, an integer overflow vulnerability in Windows OLE marshaling that could allow a remote attacker to execute arbitrary code on user's computer.

This vulnerability was patched by Microsoft with June 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable.

Security researcher Yuki Chen found the vulnerability, wrote an in-depth analysis, analyzed Microsoft's patch and provided a POC for triggering the vulnerability.

The vulnerability is in the way new object size is being calculated when an object is enlarged (e.g., in string concatenation). This new size is then used for allocating memory for the resulting "enlarged" object.

The vulnerable code doesn't account for really large numbers where adding would exceed the capacity of 32-bit numbers. In such cases, an integer overflow occurs, a too-small memory block is allocated, and subsequent copying to this new block overwrites memory outside of it.

Microsoft's patch modified several functions related to calculating the object size. We decided to only patch the one that is proven to be exploitable at this point (BSTR_UserSize). Upon detecting an overflow, our patch reports "Exploit Blocked" and terminates the process:



MODULE_PATH "..\Affected_Modules\oleaut32.dll_6.1.7601.24537_64bit\oleaut32.dll"
PATCH_ID 441
PATCH_FORMAT_VER 2
VULN_ID 6279
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x5fcf
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT oleaut32.dll!0x10edc,Kernel32.dll!TerminateProcess,Kernel32.dll!GetCurrentProcess
    
    ; This patchlet is located in BSTR_UserSize and replaces the main branch of code right up to the retn
    ; On entry we have:
    ; - rax points to the content of the BSTR object (the first character of the string)
    ; - rdx is the size to be added to the string
    ; - ecx is rdx+3 (just computed using "lea ecx, [rdx+3])
    ; The patch performs the same operations the original code does, but for each of them,
    ; it checks for a numeric overflow and if so, pops ExploitBlocked and triggers an exception like the official patch
        
    code_start
    
        and ecx, 0xFFFFFFFC ; we pushed this instruction out, so replacing it here
        cmp ecx, edx        ; check if adding 3 and aligning resulted in an overflow
        jb OVERFLOW         ; overflow detected
        
        test eax, eax       ; same as in original code
        jz BSTR_IS_NULL
        mov eax, dword [rax-4] ; same as in original code
        jmp END1
    BSTR_IS_NULL:
        xor eax, eax ; same as in original code
    END1:
    
        add eax, 1 ; original code has "inc eax", but that doesn't set the carry flag
        jc OVERFLOW ; overflow would set the carry flag
        and eax, 0xFFFFFFFE
        
        add eax, ecx
        jc OVERFLOW ; overflow would set the carry flag
        
        add eax, 0x0C
        jc OVERFLOW ; overflow would set the carry flag
        
        retn ; return from the function
        
    OVERFLOW:
        call PIT_ExploitBlocked
        call PIT_GetCurrentProcess
        mov rcx, rax
        mov rdx, 0x1337
        call PIT_TerminateProcess
    
    code_end
    
patchlet_end



Here's a video of our micropatch in action:






We'd like to thank Yuki Chen for an excellent analysis and POC for this issue, which allowed us to create a micropatch for Windows users without security updates.

This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account at 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center.